oracle/oci-typescript-sdk

Unauthorized error on identitydomains

farisdurrani opened this issue · 7 comments

I am getting a 401 Unauthorized error when using the identitydomains module even when the CLI on the same API URL returns a valid result and all other modules work fine. I am a tenancy administrator. This issue repeats on several tenancies.

Given this TypeScript script adapted from the official example,

import * as common from "oci-common";
import { IdentityDomainsClient, responses } from "oci-identitydomains";

const DOMAIN_ENDPOINT =
  "https://idcs-721677994de24d38836f554cc565a9d5.identity.oraclecloud.com:443";
const provider: common.ConfigFileAuthenticationDetailsProvider =
  new common.ConfigFileAuthenticationDetailsProvider(
    "~/.oci/config",
    "fdurrani"
  );

(async () => {
  const identityDomainsClient = new IdentityDomainsClient({
    authenticationDetailsProvider: provider,
  });
  identityDomainsClient.endpoint = DOMAIN_ENDPOINT;

  const usersList: responses.ListUsersResponse =
    await identityDomainsClient.listUsers({});

  console.log(usersList);
})();

Running this file using node returns this error:

test git:(dev) ✗ ts-node test2.ts
Request cannot be retried. Not Retrying. Exception occurred : Error: Unauthorized
OciError: Unauthorized
    at Object.handleErrorResponse (/Users/fdurrani/LocalGitHub/policy-analyzer/lib/helper.ts:66:12)
    at GenericRetrier.<anonymous> (/Users/fdurrani/LocalGitHub/policy-analyzer/lib/retrier.ts:226:31)
    at Generator.next (<anonymous>)
    at fulfilled (/Users/fdurrani/LocalGitHub/policy-analyzer/test/node_modules/oci-common/lib/retrier.js:9:58)
    at processTicksAndRejections (node:internal/process/task_queues:95:5) {
  statusCode: 401,
  serviceCode: 'None',
  opcRequestId: '29F2A911532C-11EF-88E5-FF736DD40B23/pU9iq01W240000000',
  targetService: 'IdentityDomains',
  operationName: 'listUsers',
  timestamp: '2024-08-05T13:11:01.921Z',
  requestEndpoint: 'GET https://idcs-721677994de24d38836f554cc565a9d5.identity.oraclecloud.com:443/admin/v1/Users',
  clientVersion: 'Oracle-TypeScriptSDK/2.90.0-1722272724',
  loggingTips: 'To get more info on the failing request, refer to https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/typescriptsdkconcepts.htm#typescriptsdkconcepts_topic_Logging for ways to log the request/response details.',
  troubleshootingTips: 'See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_401__401_none for more information about resolving this error If you are unable to resolve this IdentityDomains issue, please contact Oracle support and provide them this full error message.'
}
➜  test git:(dev) ✗ 

Calling the same API URL using the CLI returns the result as normal:

➜ ~ oci raw-request --http-method GET --target-uri https://idcs-721677994de24d38836f554cc565a9d5.identity.oraclecloud.com:443/admin/v1/Users --profile fdurrani


Relevant software versions:

  "dependencies": {
    "oci-common": "^2.90.0-1722272724",
    "oci-identitydomains": "^2.90.0-1722272724"
  }

OS: MacOS 14.6

Surprisingly, using a signed HttpRequest to the raw URI results in an Unauthorized error as well on TypeScript.

See code and result:

import * as promise from "es6-promise";
import "isomorphic-fetch";
import { DefaultRequestSigner, HttpRequest } from "oci-common";
import { common } from "oci-sdk";
promise.polyfill();

const OCI_CONFIG_FILE = "~/.oci/config";
const OCI_PROFILE = "fdurrani";
const CONFIG = new common.ConfigFileAuthenticationDetailsProvider(
  OCI_CONFIG_FILE,
  OCI_PROFILE
);

async function compileAllUsers() {
  // 1. Create Request Signing instance
  const signer = new DefaultRequestSigner(CONFIG);

  // 2. Create HttpRequest to be signed
  const httpRequest: HttpRequest = {
    uri: `https://idcs-721677994de24d38836f554cc565a9d5.identity.oraclecloud.com:443/admin/v1/Users`,
    headers: new Headers(),
    method: "GET",
  };

  // 3. sign request
  await signer.signHttpRequest(httpRequest);

  // 4. Make the call
  const response = await fetch(
    new Request(httpRequest.uri, {
      method: httpRequest.method,
      headers: httpRequest.headers,
      body: httpRequest.body,
    })
  );
  // 5. Print response
  console.log(await response.json());
}

compileAllUsers();

test git:(dev) ✗ ts-node test2.ts
{
  schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ],
  detail: 'The request failed: HTTP 401 Unauthorized.',
  status: '401'
}

Hi @farisdurrani, are you using Bun or Deno? I had similar issues until I came back to the original NodeJS.

No, I am using the original NodeJS. As in, Node v20.11.0 and NPM v10.4.0

Hi @farisdurrani, what version of the TypeScript SDK are you using? Are you able to make an API call using the raw request signer?

"typescript": "^5.5.4"

No, I was not able to make an API call using the raw request signer. See: #310 (comment).

Again, it is important to note using the CLI, both on the identity-domains CLI and raw request API, works fine.

@farisdurrani I meant to ask the version of OCI typescript SDK (oci-sdk)

Yes, I've put that info at the end of my original post