OAuth profile error

https://mydomainhere/api/method/frappe.integrations.oauth2.openid_profile returns a JSON value when I access it from my browser, but when my third-party app does, it throws an error

InternalOAuthError: Failed to fetch user profile
(Taken from docker logs)

What could be the reason, please guide.
@revant_one

Try curl with a bearer token in the header?

Refer to this test: https://github.com/frappe/frappe/blob/develop/frappe/tests/test_oauth20.py#L196

As per this https://hackmd.io/c/codimd-documentation/%2F%40codimd%2Fcodimd-generic-oauth-2 the default scope is email, referring to (OAuth Redirect URI not working)

Can you change that to openid and all, or add email to the scope field, separated by a space, in the OAuth Client on your frappe/erpnext server?

I tried using Postman, it failed.
The get token API call returns Session Expired even though I just logged in.

And yes, I have been using openid as the scope from the beginning (changed the env accordingly).

Also, my erpnext is on frappe cloud, if that matters.

Yes, added. I’m able to login as well in the screen and then I get the Allow/Deny screen as well.

Yes, I have the same issue. My Postman logs show my sid as Guest.
The pull-request seemed to be merged. I can’t update since I’m on cloud. I will try on my local machine and report back.

If the above one is my problem, I’m not sure if using curl will fix it. But, I’ll give it a try anyway!

Thank you so much for your help! Much appreciated!

Update: I just checked the version and my frappe framework is up to date.

I tried curl and it returned HTML code.

curl 'https://mydomainhere/api/method/frappe.integrations.oauth2.authorize?response_type=code&client_id=<removed>&scope=openid&redirect_uri=https://myotherdomainhere/auth/oauth2/callback'

It threw HTML code on my terminal (expected, because I’m not logged in from that server).

If I normally put the link in my browser, it redirects me to:
https://myotherdomainhere/auth/oauth2/callback?code=<code-here>

And I took that code and tried to get a token with it, but I get an invalid_grant error.

Although it was merged, I don’t see it in the latest version’s code.

It is in the develop branch though :frowning:

I guess I will have to wait until they push another update as I can’t do anything on the back end on frappe cloud.

Update: I was able to authenticate with Postman. I changed the client authentication setting in Postman from “Send as Basic Auth header” to “Send client credentials in body”.

As said in this thread.

Now, I have to find a way to add this configuration in CodiMD :slight_smile:
@revant_one Thanks for the help!

Also, is there any way I can make the authorization work for “Send as Basic Auth header”?
Please guide.

Frappe doesn’t require a client secret,

and any header should work.

Header like Authorization: Basic base64(client_id:client_secret) triggers frappe to check username and password instead of client_id and client_secret.

I followed this documentation: https://frappeframework.com/docs/user/en/guides/integration/rest_api/oauth2

Get token API call returns this error.

Traceback (most recent call last):
  File "/home/frappe/benches/bench-version-12-f1-71/apps/frappe/frappe/app.py", line 64, in application
    response = frappe.api.handle()
  File "/home/frappe/benches/bench-version-12-f1-71/apps/frappe/frappe/api.py", line 59, in handle
    return frappe.handler.handle()
  File "/home/frappe/benches/bench-version-12-f1-71/apps/frappe/frappe/handler.py", line 24, in handle
    data = execute_cmd(cmd)
  File "/home/frappe/benches/bench-version-12-f1-71/apps/frappe/frappe/handler.py", line 63, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "/home/frappe/benches/bench-version-12-f1-71/apps/frappe/frappe/__init__.py", line 1054, in call
    return fn(*args, **newargs)
  File "/home/frappe/benches/bench-version-12-f1-71/apps/frappe/frappe/integrations/oauth2.py", line 111, in get_token
    headers, body, status = get_oauth_server().create_token_response(uri, http_method, body, headers, frappe.flags.oauth_credentials)
  File "/home/frappe/benches/bench-version-12-f1-71/env/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/endpoints/base.py", line 116, in wrapper
    return f(endpoint, uri, *args, **kwargs)
  File "/home/frappe/benches/bench-version-12-f1-71/env/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/endpoints/token.py", line 96, in create_token_response
    self.validate_token_request(request)
  File "/home/frappe/benches/bench-version-12-f1-71/env/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/endpoints/token.py", line 122, in validate_token_request
    self._raise_on_bad_method(request)
  File "/home/frappe/benches/bench-version-12-f1-71/env/lib/python3.6/site-packages/oauthlib/oauth2/rfc6749/endpoints/base.py", line 84, in _raise_on_bad_method
    description=('Unsupported request method %s' % request.http_method.upper()))
oauthlib.oauth2.rfc6749.errors.InvalidRequestError: (invalid_request) Unsupported request method GET <oauthlib.Request SANITIZED>

/api/method/frappe.integrations.oauth2.get_token is a POST request with Content-Type: application/x-www-form-urlencoded

Yes, but so is /api/method/frappe.integrations.oauth2.authorize, and it works fine in the browser and redirects to the URL with a code.

According to this documentation, the API call should return a JSON response.

I’m confused.

HTTP Method POST.

Typing the URL in the browser and pressing Enter results in a GET request.

Even when I tried POST, it threw an error.
The error was because the details were passed as request params. When I passed the details in the request body, it gave back a JSON response saying invalid grant.

I guess I will have to modify CodiMD’s POST request and include the details in the body and not in the params.

Thank you @revant_one

Also, @rmeyer please modify the OAuth 2 documentation (https://frappeframework.com/docs/user/en/guides/integration/rest_api/oauth2), as browser requests are GET and not POST.
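The points the thread settles on (the token exchange must be a POST with a form-encoded body, the client_id goes in that body rather than in a Basic auth header, and the profile endpoint is called with a Bearer token) in one added Python example. This is not code from the thread or from Frappe: the endpoint paths are the ones quoted above, the parameter names are standard OAuth 2 authorization-code parameters, and the preflight rules are an assumption modelled on the mistakes reported in this thread, not on Frappe's source. All sample values (domains, code, client_id) are constructed.

```python
"""Build a Frappe token exchange the way the thread concluded it must be sent,
and flag the three client-side mistakes discussed above before sending it.
Added example; endpoint paths are from the thread, check rules are assumptions
modelled on what the thread reports, not on Frappe's own implementation."""
import json
import urllib.parse
import urllib.request

# Endpoint paths quoted in the thread.
TOKEN_PATH = "/api/method/frappe.integrations.oauth2.get_token"
PROFILE_PATH = "/api/method/frappe.integrations.oauth2.openid_profile"


def build_token_request(base_url, code, client_id, redirect_uri, client_secret=None):
    """POST, form-encoded body, client credentials in the body (what the
    Postman "Send client credentials in body" setting does)."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if client_secret:  # optional: the thread notes Frappe does not require it
        form["client_secret"] = client_secret
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + TOKEN_PATH,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode(form),
    }


def build_profile_request(base_url, access_token):
    """The profile call the original question was about, with a Bearer token."""
    return {
        "method": "GET",
        "url": base_url.rstrip("/") + PROFILE_PATH,
        "headers": {"Authorization": "Bearer " + access_token},
        "body": None,
    }


def preflight_token_request(req):
    """Return the problems a token request would hit according to the thread:
    a non-POST method (oauthlib's _raise_on_bad_method in the traceback),
    OAuth parameters in the query string instead of the body, and credentials
    sent as Basic auth (read by Frappe as a username:password login)."""
    problems = []
    method = req["method"].upper()
    if method != "POST":
        problems.append("method must be POST, got %s" % method)
    query = urllib.parse.parse_qs(urllib.parse.urlparse(req["url"]).query)
    if any(k in query for k in ("grant_type", "code", "client_id")):
        problems.append("OAuth parameters must go in the form body, not the query string")
    headers = {k.lower(): v for k, v in (req.get("headers") or {}).items()}
    if headers.get("authorization", "").lower().startswith("basic "):
        problems.append("Basic auth header is read as a username:password login; put client_id in the body")
    body = urllib.parse.parse_qs(req.get("body") or "")
    if method == "POST" and "client_id" not in body:
        problems.append("client_id missing from the form body")
    return problems


def exchange_code(base_url, code, client_id, redirect_uri):
    """Run the preflight, then perform the exchange over the network
    (not exercised offline); returns the parsed JSON token response."""
    req = build_token_request(base_url, code, client_id, redirect_uri)
    problems = preflight_token_request(req)
    if problems:
        raise ValueError("; ".join(problems))
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method="POST"
    )
    with urllib.request.urlopen(http_req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; a real run would use the code from the redirect.
    ok = build_token_request("https://mydomainhere", "sample-code", "sample-client",
                             "https://myotherdomainhere/auth/oauth2/callback")
    print("well-formed request problems:", preflight_token_request(ok))
    wrong = {"method": "GET", "url": "https://mydomainhere" + TOKEN_PATH + "?code=x&client_id=y",
             "headers": {}, "body": None}
    print("GET-with-params problems:", preflight_token_request(wrong))
```

The preflight mirrors the order in which the thread hit the errors: GET is rejected before anything else is looked at, then parameters in the wrong place, then a Basic header that Frappe interprets as a user login rather than client authentication.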

It works fine now. There was some misconfiguration on the client side.
The client was looking for keys which weren’t present in the response. Once I fixed it, everything was all right.

Really sorry for taking up a lot of your time. And thank you once again!

That’s right, authorize should be a GET request. Feel free to send a PR to fix the docs and tag me for the review.