cloudfoundry-community/cf-python-client

Authentication issue on init (oauth2_client.credentials_manager.OAuthError)

Closed this issue · 9 comments

I believe I have run into some sort of dependency problem here, where I cannot figure out what common libraries / binaries may be expected to be available for this library (or probably the oauth2-client) to initialize properly.

I am running on python 3.7.6 with oauth2-client==1.2.1 and cloudfoundry-client==1.12.4.

When trying to call client.init_with_user_credentials(CF_USER, CF_SECRET) or use the commandline tool (cloudfoundry-client) I get the following error:

Traceback (most recent call last):
  File "/home/vcap/deps/0/bin/cloudfoundry-client", line 11, in <module>
    load_entry_point('cloudfoundry-client==1.12.4', 'console_scripts', 'cloudfoundry-client')()
  File "/home/vcap/deps/0/python/lib/python3.7/site-packages/cloudfoundry_client/main/main.py", line 238, in main
    client = build_client_from_configuration()
  File "/home/vcap/deps/0/python/lib/python3.7/site-packages/cloudfoundry_client/main/main.py", line 92, in build_client_from_configuration
    client.init_with_user_credentials(login, password)
  File "/home/vcap/deps/0/python/lib/python3.7/site-packages/oauth2_client/credentials_manager.py", line 140, in init_with_user_credentials
    self._token_request(self._grant_password_request(login, password), True)
  File "/home/vcap/deps/0/python/lib/python3.7/site-packages/oauth2_client/credentials_manager.py", line 190, in _token_request
    CredentialManager._handle_bad_response(response)
  File "/home/vcap/deps/0/python/lib/python3.7/site-packages/oauth2_client/credentials_manager.py", line 78, in _handle_bad_response
    raise OAuthError(HTTPStatus(response.status_code), error.get('error'), error.get('error_description'))
oauth2_client.credentials_manager.OAuthError: 401  - unauthorized : Bad credentials

I have made sure 100 times that the credentials are correct :)

In fact, I have initially been using the exact same code and environment setup successfully, but I was running that code inside a Docker container on CloudFoundry. (This Docker container was based on an official python Docker container: python:3-slim-stretch). I have since changed my CF deployment to no longer use Docker containers, but now use the "native" python_buildpack.

Since then I am seeing the error above and assume that there may be some OS level dependency that is now missing? Is there any advice you could possibly offer to determine any

What have I tried?

  1. curl -X GET "https://api.$CF_DOMAIN" (inside a deployed CF app)
     • works just fine
  2. requests.get("https://api.$CF_DOMAIN") (inside a deployed CF app)
     • also works well
  3. cloudfoundry-client (inside a deployed CF app)
     • manually entering the API endpoint and login credentials
     • results in the above error
  4. client.init_with_user_credentials(CF_USER, CF_SECRET) (inside a deployed CF app)
     • using system level environment variables as well as manually executing this in a python console
     • either way I end up with the above error
  5. I also still have a deployment running inside that "old" Docker container mentioned above, where everything actually continues to work as expected and I don't see any authentication errors. I therefore assume that neither the CF installation nor my account are causing the issue.

On the same cf instance I have now installed the cf-cli from https://packages.cloudfoundry.org/debian stable main (by using apt_buildpack) to confirm that by using the official command line tool (cf login ...) I can successfully authenticate. This part works as expected, but I still can not get the cloudfoundry-client to work without the above mentioned error.

I reverted to these versions, which appear to work just fine:

  • cloudfoundry-client==1.9.0
  • oauth2-client==1.1.0

I also successfully tested:

  • cloudfoundry-client==1.11.0
  • oauth2-client==1.2.0

On version cloudfoundry-client==1.12.0 / oauth2-client==1.2.0 I get the following error:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/christoph/dev/repower/asset-monitor/venv/lib/python3.7/site-packages/oauth2_client/credentials_manager.py", line 140, in init_with_user_credentials
    self._token_request(self._grant_password_request(login, password), True)
  File "/Users/christoph/dev/repower/asset-monitor/venv/lib/python3.7/site-packages/oauth2_client/credentials_manager.py", line 190, in _token_request
    CredentialManager._handle_bad_response(response)
  File "/Users/christoph/dev/repower/asset-monitor/venv/lib/python3.7/site-packages/oauth2_client/credentials_manager.py", line 78, in _handle_bad_response
    raise OAuthError(response.status_code, error.get('error'), error.get('error_description'))
oauth2_client.credentials_manager.OAuthError: <exception str() failed>

@r-chris thanks for the feedback. I have been quite busy lately; I will take a look in the coming days.

Have a good day.

Thanks - just let me know if I can run any additional tests and I hope you'll have a good day as well!

@r-chris thank you. I think I found what was wrong. Lately I've discovered that / returned a TokenEndpoint and an AuthorizationEndpoint. I wrongly assumed that it was like in OAuth2:

  • authentication for the grant code process, to allow the user to authenticate against the UI and return a code that will be exchanged against the token endpoint
  • token endpoint for exchanging code got from authentication code, client credential, refresh token and grant type password.

I took a look at the cf cli code and it only uses the authentication endpoint as it was also used in this library.

Anyway, can you confirm that the code on the fix/authentication branch works for you?

On the cf I have access to, both authentication and token endpoint point to the same ip so I did not encounter any issue.

Thanks for looking into this. I'll try to get this up and running on that branch today.

Great - I tested this and it works for me. Thanks for the quick fix!
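A way to check whether a given Cloud Foundry installation is one where the authorization and token endpoints discussed above actually differ, written as an added example that is not part of the original thread or of cf-python-client. It assumes the info document exposes `authorization_endpoint` and `token_endpoint` keys and that the password grant goes to UAA's `/oauth/token` path on the authorization endpoint; the sample values and function names are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample of a parsed info document (field names are an assumption).
SAMPLE_INFO = {
    "authorization_endpoint": "https://login.cf.example.test",
    "token_endpoint": "https://uaa.cf.example.test/",
}


def password_grant_url(info):
    """URL for the password grant, built from the authorization endpoint,
    which is the endpoint the thread says the cf CLI uses."""
    return info["authorization_endpoint"].rstrip("/") + "/oauth/token"


def diagnose_endpoints(info, resolve=socket.gethostbyname):
    """Report whether the two advertised endpoints can behave differently.

    `resolve` maps a hostname to an address; it is injectable so the check
    can run offline. Hosts that cannot be resolved are treated as distinct.
    """
    auth_host = urlsplit(info["authorization_endpoint"]).hostname
    token_host = urlsplit(info["token_endpoint"]).hostname
    same_host = auth_host == token_host
    try:
        # Short-circuits: no lookup is made when the hostnames already match.
        same_address = same_host or resolve(auth_host) == resolve(token_host)
    except OSError:
        same_address = False
    return {
        "authorization_host": auth_host,
        "token_host": token_host,
        "same_host": same_host,
        # True on installations where sending the password grant to the
        # token endpoint reaches a different server than the authorization
        # endpoint, i.e. where the behaviour reported in this issue can appear.
        "endpoints_differ": not same_address,
        "password_grant_url": password_grant_url(info),
    }
```

On an installation where `endpoints_differ` is false, as on the maintainer's, a client using either endpoint reaches the same server, which is why the problem did not reproduce there.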