hashicorp/hcp

Invalid grant on hcp auth login

Opened this issue · 3 comments

I just installed hcp manually (arch, no package). I've never used it before on this machine.

I ran

hcp auth login

It opened the wrong browser, so I copied the URL and pasted it into the right browser. I'm already logged in but it shows me a blank login page. I press the Sign in with GitHub button and now it opens a page that says "Login is not successful. You may close the browser and try again." (url http://localhost:8443/oidc/callback?error=request_forbidden&error_description=The+request+is+not+allowed.+No+CSRF+value+available+in+the+session+cookie.&state=...). The terminal shows:

ERROR: unable to login to HCP: failed to get new token: failed to exchange code for token: oauth2: "invalid_grant" "The
provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid,
expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another
client."

I note that when it opens a browser it also prints a url to the terminal:

The default web browser has been opened at https://auth.idp.hashicorp.com/oauth2/auth. Please continue the login in the web browser.

however this URL is not usable (missing required parameters).

There doesn't appear to be a --no-browser flag.

@andrewbaxter Thanks for filing this issue; we will investigate and update this issue with any update.

ohm commented

@andrewbaxter What's happening is that hcp generates a dynamic URL and opens it in the browser [1]. At the same time it prints the static base URL to the console. Copying either the static URL from the console or any URL from the browser window that isn't the initial URL will result in the error you're seeing, because the browser has likely already followed a redirect.

The auth flow needs to be initiated via the first URL or it won't work. Configuring your system to open the expected browser by default will fix your issue.

@dadgar we should probably update the CLI output to print the generated URL to make it less confusing. wdyt?

Footnotes

  1. https://github.com/hashicorp/hcp-sdk-go/blob/a41523ce2f0f348f6d0eec9911ff7d08f1674570/auth/browser.go#L51
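
The mechanism ohm describes, as an added illustration that is not hcp's or hcp-sdk-go's code: a Go sketch of the CLI side of the authorization-code flow with PKCE, using the auth endpoint and localhost callback from this issue. The type and function names (AuthRequest, AuthURL, CheckCallback) and the client ID are assumptions; the point is that the state value is minted per attempt and checked on the callback, so neither the printed base URL nor a post-redirect URL pasted into another browser can complete the login.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
)

// AuthRequest holds the per-attempt secrets the CLI keeps until the callback arrives.
type AuthRequest struct {
	State    string // anti-CSRF value; must come back unchanged on the callback
	Verifier string // PKCE code_verifier; sent only in the code-for-token exchange
}

func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// AuthURL builds the dynamic URL the CLI opens (and should print). The bare
// base URL without these parameters cannot start a login.
func AuthURL(base, clientID, redirect string, req AuthRequest) string {
	sum := sha256.Sum256([]byte(req.Verifier))
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirect)
	q.Set("state", req.State)
	q.Set("code_challenge", base64.RawURLEncoding.EncodeToString(sum[:]))
	q.Set("code_challenge_method", "S256")
	return base + "?" + q.Encode()
}

// CheckCallback validates the redirect to localhost (u is r.URL in the handler).
// A provider error or a state from another attempt means the code is never exchanged.
func CheckCallback(u *url.URL, req AuthRequest) (string, error) {
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("provider returned %s: %s", e, q.Get("error_description"))
	}
	if q.Get("state") != req.State {
		return "", fmt.Errorf("state mismatch: callback is not from this login attempt")
	}
	return q.Get("code"), nil
}
```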

Thanks! Yeah, printing out the original URL as a backup would be great. AFAIK that's what Azure, GCP etc. do for their CLIs with interactive login.

In my case configuring the default browser won't work - I use multiple browsers for different tasks, testing, etc. and even within Firefox I'm using multi-account containers with (this) hcp account in a work-specific one.