
Unlogged 401 attempt when rotating secret

token-endpoint
401

#1

Ironically, I received a rogue 401 when posting this last time, so this may be light on details…

We had been successfully using /oauth/token to obtain access_tokens for our users using their auth_code after they login from our Java backend. After rotating our secret, we received a 401: Unauthorized in response, as expected. When we updated the properties file to change the secret, the 401 continued. We increased logging to confirm that we were sending the right secret and the shape of the request hadn’t changed, but the same 401 persists. Strangely, none of these attempts appear in the Logs on Auth0, so we are not sure what is happening. Is this some TTL delay that we’re waiting for? Has anyone run into this before?


#2

As soon as I posted this (before it passed moderation) @MullenGlobal was following it… What robot is this?


#3

This post and the parallel ticket have not been seen in 6 days by anyone in @Auth0. Are they on holiday?

@auth0-prod @shared+auth0 @bharathkishore.a+auth0acc


#4

I’ve tried to replicate your issue by rotating my Regular Web App client’s secret, getting a code from [GET /authorize](https://auth0.com/docs/api/authentication#authorization-code-grant) and using that code in a POST /oauth/token with the new client secret. However, I successfully got an access token. Are you able to reproduce the issue if you call the management API directly (just to see if the problem is with the java code)?

POST https://{YOUR_AUTH0_DOMAIN}/oauth/token
Content-Type: application/json
{
  "grant_type": "authorization_code",
  "client_id": "{YOUR_CLIENT_ID}",
  "client_secret": "{YOUR_NEW_CLIENT_SECRET}",
  "code": "AUTHORIZATION_CODE",
  "redirect_uri": "{CALLBACK_IN_THE_ORIGINAL_AUTHENTICATION_REQUEST}"
}

#5

To be clear, you did this with your account, right?
Our account was working with no problem right up until this day, so I don’t think there is a code issue. I am pretty sure the trouble is with some setting within the account. It is possible that the old secret didn’t even work this day, but we didn’t test that first.

It is just frustrating because we’ve had a ticket with no response for over a week and not having auth is an absolute work stoppage for us. We are working overtime now to locate alternatives and disentangle ourselves from all this.


#6

I will test this directly at the API today.


#7

Thanks for looking into it. I did some extra testing today to confirm everything and here is what is going on.

If we try to call it directly from our front end (JavaScript, jQuery, AngularJS, etc.) we fail CORS (even though I added my domain to the Cross Origin field in the dashboard) on /oauth/token, so I have to call it from my Java API.

When we make a curl request from the server the app is on, I get the access token.

curl --data "grant_type=authorization_code&client_id=62Jsa9MxHuqhRbO20gTHs9KpKr7Ue7sl&client_secret=theSecret&code=auth_code&redirect_uri=http%3A%2F%2Fmyredirect.com%2F" https://cubap.auth0.com/oauth/token

When I make the same request I made with the curl through the Java API, I get a 401.

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import net.sf.json.JSONObject;   // json-lib, which provides JSONObject.element()

String tokenURL = "https://cubap.auth0.com/oauth/token";
JSONObject body = new JSONObject();
body.element("grant_type", "authorization_code");
body.element("client_id", "62Jsa9MxHuqhRbO20gTHs9KpKr7Ue7sl");
body.element("client_secret", "theSecret");
body.element("code", "auth_code");
body.element("redirect_uri", "http://myredirect.com/");
URL tURL = new URL(tokenURL);
HttpURLConnection connection = (HttpURLConnection) tURL.openConnection();
connection.setRequestMethod("POST");
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
// The request is only sent when the body is written or the response is read;
// if getResponseCode() is called first, an empty POST goes out.
try (OutputStream out = connection.getOutputStream()) {
    out.write(body.toString().getBytes(StandardCharsets.UTF_8));
}
int status = connection.getResponseCode();   // 401 in the case described above

Since it never makes it that far (it 401s before I can write to the stream), I tried it this way with the Java API:

import java.net.HttpURLConnection;
import java.net.URL;

// The curl command above sends client_id/client_secret in the POST body; here they
// are in the query string, where proxy and server access logs will record them.
String tokenURL = "https://cubap.auth0.com/oauth/token?client_id=62Jsa9MxHuqhRbO20gTHs9KpKr7Ue7sl&grant_type=authorization_code&client_secret=theSecret&code=auth_code&redirect_uri=http://myredirect.com";
URL tURL = new URL(tokenURL);
HttpURLConnection connection = (HttpURLConnection) tURL.openConnection();
connection.setRequestMethod("POST");
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
int status = connection.getResponseCode();   // POST with an empty body

Always a 401.

We had this process working with the Java API. I came in after the weekend and cycled the secret, then I started getting the 401. I really want to know if this 401 is coming out of Auth0 or if it never makes it to Auth0. The only message that comes back with connection is “Unauthorized”. I don’t know if it thinks the code is bad or the secret is bad or if my firewall could suddenly be to blame or if something is bugging out with the Tenant.
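An added diagnostic client, not code from this thread or from Auth0: it sends the same form-encoded body the curl command sends, using Java 11's HttpClient, reads the client id and secret from environment variables instead of source, and prints the status, headers and body so the origin of a 401 can be judged. It assumes that a rejection from Auth0 itself comes with a JSON body describing the error, whereas an empty or HTML body points at something between the server and Auth0; the tenant domain and redirect URI are placeholders.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class TokenExchangeCheck {
    // Placeholder tenant; substitute your own Auth0 domain.
    static final String TOKEN_URL = "https://YOUR_TENANT.auth0.com/oauth/token";

    // Same application/x-www-form-urlencoded encoding the curl command uses.
    static String formEncode(Map<String, String> params) {
        return params.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
            .collect(Collectors.joining("&"));
    }

    static String requireEnv(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException(name + " is not set");
        return v;
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "authorization_code");
        form.put("client_id", requireEnv("AUTH0_CLIENT_ID"));       // credentials stay out of source
        form.put("client_secret", requireEnv("AUTH0_CLIENT_SECRET"));
        form.put("code", args.length > 0 ? args[0] : "AUTHORIZATION_CODE");
        form.put("redirect_uri", "http://myredirect.com/");         // placeholder, must match /authorize

        HttpRequest request = HttpRequest.newBuilder(URI.create(TOKEN_URL))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(formEncode(form)))
            .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
            .send(request, HttpResponse.BodyHandlers.ofString());

        // The status alone does not say who answered; the headers and body do.
        System.out.println("HTTP " + response.statusCode());
        response.headers().map().forEach((k, v) -> System.out.println(k + ": " + String.join(", ", v)));
        System.out.println(response.body());
    }
}
```

Run it from the same host as the curl command with a fresh authorization code; a 401 whose body is JSON from Auth0 should also show up in the tenant Logs, while one without such a body never reached the tenant.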