This can happen if you reuse the same refresh token more than once [1]. Please check whether you are using the latest refresh token returned or reusing an old one.
Thanks,
Lakmali

On 11 March 2016 at 14:59, Ishara Cooray <isha...@wso2.com> wrote:

> Thanks Lakmali. It works!
>
> It works for the password grant type as you have pointed out.
> But for refresh_token grant type I get Provided Authorization Grant is
> invalid error.
>
> curl -k -d
> "grant_type=refresh_token&refresh_token=87c4145a25f2e72d6d51edce3362f382&scope=PRODUCTION"
> -H "Authorization: Basic bTlKZ2dkaXhGOGs3Y09jS1lLcW5ZQU16Q2lBYTphS19meWRraVlmS3k3VXlicEZkMU53eF81WkFh"
> -H "Content-Type: application/x-www-form-urlencoded"
> https://api.cloudstaging.wso2.com:8243/token
> {"error":"invalid_grant","error_description":"Provided Authorization Grant is invalid"}
>
> Is there something to change here?
>
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Fri, Mar 11, 2016 at 2:30 PM, Lakmali Baminiwatta <lakm...@wso2.com> wrote:
>
>> Hi Ishara,
>>
>> On 11 March 2016 at 14:27, Ishara Cooray <isha...@wso2.com> wrote:
>>
>>> Hi Malithi/Pushpalanka,
>>>
>>> I tried renewing access token by invoking TokenAPi. Below is my CURL.
>>>
>>> curl -d
>>> "grant_type=refresh_token&refresh_token=87c4145a25f2e72d6d51edce3362f382&scope=PRODUCTION"
>>> -H "Authorization:Basic bTlKZ2dkaXhGOGs3Y09jS1lLcW5ZQU16Q2lBYTphS19meWRraVlmS3k3VXlicEZkMU53eF81WkFh, Content-Type: application/x-www-form-urlencoded"
>>> https://api.cloudstaging.wso2.com:8243/token -v
>>>
>>
>> Headers should be sent separately as given in [1]
>>
>> [1] https://wso2.org/jira/browse/APIMANAGER-4452
>>
>> Thanks,
>> Lakmali
>>
>>> I get Authentication failed error from the above command and Error Error
>>> decoding authorization header. Space delimited "<authMethod> <base64Hash>"
>>> format violated. was observed in the keymanager console where we have APIM
>>> 1.10.0
>>> {"error":"invalid_client","error_description":"Client Authentication failed."}
>>>
>>> Followed the doc [1]. What could have gone wrong?
>>>
>>> If I use the curl --user Client_Id:Client_Secret as pushpalanka
>>> suggested I get
>>> {"error":"invalid_grant","error_description":"Provided Authorization Grant is invalid"}
>>>
>>> Console Log:
>>>
>>> ERROR {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - Error while extracting credentials from authorization header {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint}
>>> org.wso2.carbon.identity.oauth.common.exception.OAuthClientException: Error decoding authorization header. Space delimited "<authMethod> <base64Hash>" format violated.
>>>     at org.wso2.carbon.identity.oauth.endpoint.util.EndpointUtil.extractCredentialsFromAuthzHeader(EndpointUtil.java:152)
>>>     at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:82)
>>>     at sun.reflect.GeneratedMethodAccessor185.invoke(Unknown Source)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:606)
>>>     at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
>>>     at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
>>>     at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
>>>     at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
>>>     at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
>>>     at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>>>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
>>>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
>>>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
>>>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
>>>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>     at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>     at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>>>     at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>>>     at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>>>     at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>>>     at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>     at java.lang.Thread.run(Thread.java:744)
>>>
>>> [1] https://docs.wso2.com/display/APICloud/Token+API
>>>
>>> Ishara Cooray
>>> Senior Software Engineer
>>> Mobile : +9477 262 9512
>>> WSO2, Inc. | http://wso2.com/
>>> Lean . Enterprise . Middleware
>>>
>>> On Wed, Oct 7, 2015 at 11:03 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>>>
>>>> We have the same logic in few places to extract authorization header
>>>> (Not only in Oauth).
>>>>
>>>> On Wed, Oct 7, 2015 at 10:59 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>>>>
>>>>> Hi Hasintha,
>>>>>
>>>>> I don't see any use case for using multiple authorization header values
>>>>> here. This is used for OAuth Client Authentication [1]. There we don't have
>>>>> multiple client credentials right.
>>>>>
>>>>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>>>>
>>>>> On Wed, Oct 7, 2015 at 10:21 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>>>>>
>>>>>> Hi Malithi,
>>>>>>
>>>>>> What happens if we include multiple authorization header values in
>>>>>> the same header ? As [1] says we can use comma separated values for the
>>>>>> same header values. Is there a valid use case where we can use two
>>>>>> authorization header values ?. If so we need to handle this within the
>>>>>> logic you stated.
>>>>>>
>>>>>> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
>>>>>>
>>>>>> On Wed, Oct 7, 2015 at 9:13 PM, Sachith Punchihewa <sachi...@wso2.com> wrote:
>>>>>>
>>>>>>> @Malithi,
>>>>>>> Thank you very much for the detailed explanation. Yes when I was
>>>>>>> debugging the method extract* "Authorization:Basic xxxxxxxxxxxxxx"
>>>>>>> -H "Content-Type: application/x-www-form-urlencoded"* and then
>>>>>>> split it. Thanks again for the explanation.
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>> Kamidu Sachith Punchihewa
>>>>>>> *Software Engineer*
>>>>>>> WSO2, Inc.
>>>>>>> lean . enterprise . middleware
>>>>>>> Mobile : +94 (0) 770566749 <%2B94%20%280%29%20773%20451194>
>>>>>>>
>>>>>>> Disclaimer: This communication may contain privileged or other
>>>>>>> confidential information and is intended exclusively for the addressee/s.
>>>>>>> If you are not the intended recipient/s, or believe that you may have
>>>>>>> received this communication in error, please reply to the sender indicating
>>>>>>> that fact and delete the copy you received and in addition, you should not
>>>>>>> print, copy, retransmit, disseminate, or otherwise use the information
>>>>>>> contained in this communication. Internet communications cannot be
>>>>>>> guaranteed to be timely, secure, error or virus-free. The sender does not
>>>>>>> accept liability for any errors or omissions.
>>>>>>>
>>>>>>> On Wed, Oct 7, 2015 at 8:59 PM, Malithi Edirisinghe <malit...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi Sachith,
>>>>>>>>
>>>>>>>> Here EndpointUtil.extractCredentialsFromAuthzHeader() method
>>>>>>>> expects the value of the 'Authorization' header. Please refer [1]. Here the
>>>>>>>> value of the 'Authorization' header is passed to the method which is
>>>>>>>> directly taken from the servlet request.
>>>>>>>> And when decoding the header it expects the value to be in
>>>>>>>> '<authMethod> <base64Hash>' format.
>>>>>>>>
>>>>>>>> So actually what's wrong here is the curl you have posted. It
>>>>>>>> should be like below.
>>>>>>>>
>>>>>>>> curl -k -d "grant_type=password&username=admin&password=admin"
>>>>>>>> -H "Authorization:Basic xxxxxxxxxxxxxx"
>>>>>>>> -H "Content-Type: application/x-www-form-urlencoded"
>>>>>>>> https://localhost:9443/oauth2/token
>>>>>>>>
>>>>>>>> So this adds the two headers properly.
>>>>>>>> In your case the value of the 'Authorization' header is 'Basic
>>>>>>>> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, Content-Type:
>>>>>>>> application/x-www-form-urlencoded' which is not in the expected format.
>>>>>>>> That's why you see the error 'Error decoding authorization header.
>>>>>>>> Space delimited \"<authMethod> <base64Hash>\" format violated.'
>>>>>>>>
>>>>>>>> Further, if you try out the curl command that Pushpalanka has
>>>>>>>> posted you will note that it works.
>>>>>>>>
>>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/master/components/oauth/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L86
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Malithi.
>>>>>>>>
>>>>>>>> On Wed, Oct 7, 2015 at 5:57 PM, Sachith Punchihewa <sachi...@wso2.com> wrote:
>>>>>>>>
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> @Pushpalanka I used that then it gives me an error indicating
>>>>>>>>> "Client Authentication failed".
>>>>>>>>>
>>>>>>>>> This issue was not there in the IS 5.0.0. I did a debugging and
>>>>>>>>> found the issue. I have sent a pull request regarding this.
>>>>>>>>>
>>>>>>>>> Thanks and Regards.
>>>>>>>>> Kamidu Sachith Punchihewa
>>>>>>>>> *Software Engineer*
>>>>>>>>> WSO2, Inc.
>>>>>>>>> lean . enterprise . middleware
>>>>>>>>> Mobile : +94 (0) 770566749 <%2B94%20%280%29%20773%20451194>
>>>>>>>>>
>>>>>>>>> Disclaimer: This communication may contain privileged or other
>>>>>>>>> confidential information and is intended exclusively for the addressee/s.
>>>>>>>>> If you are not the intended recipient/s, or believe that you may have
>>>>>>>>> received this communication in error, please reply to the sender indicating
>>>>>>>>> that fact and delete the copy you received and in addition, you should not
>>>>>>>>> print, copy, retransmit, disseminate, or otherwise use the information
>>>>>>>>> contained in this communication. Internet communications cannot be
>>>>>>>>> guaranteed to be timely, secure, error or virus-free. The sender does not
>>>>>>>>> accept liability for any errors or omissions.
>>>>>>>>>
>>>>>>>>> On Wed, Oct 7, 2015 at 5:47 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Optionally, can you try with below command format and check,
>>>>>>>>>>
>>>>>>>>>> curl --user Client_Id:Client_Secret -k -d
>>>>>>>>>> "grant_type=password&username=admin&password=admin"
>>>>>>>>>> -H "Content-Type:application/x-www-form-urlencoded"
>>>>>>>>>> https://localhost:9443/oauth2/token
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Pushpalanka.
>>>>>>>>>> --
>>>>>>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>>>>>>> Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>>>>>>>>>> Mobile: +94779716248
>>>>>>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 7, 2015 at 5:40 PM, Sachith Punchihewa <sachi...@wso2.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>> I am currently using a local build of IS Server from the
>>>>>>>>>>> latest code. When I try to get an OAuth Access token via a curl execution I
>>>>>>>>>>> am getting an error.
>>>>>>>>>>>
>>>>>>>>>>> Curl Format used :
>>>>>>>>>>>
>>>>>>>>>>>> curl<SPACE>-k<SPACE>-d<SPACE>
>>>>>>>>>>>> "grant_type=password&username=userNamepasswork&=passWord&tenantDomain=carbon.super"<SPACE>-H<SPACE>
>>>>>>>>>>>> "Authorization:Basic<SPACE>Base 64 encoded clientID:clientSecret,<SPACE>Content-Type:<SPACE>application/x-www-form-urlencoded"<SPACE>
>>>>>>>>>>>> https://localhost:9443/oauth2/token
>>>>>>>>>>>
>>>>>>>>>>> Actual command :
>>>>>>>>>>>
>>>>>>>>>>>> curl -k -d
>>>>>>>>>>>> "grant_type=password&username=xxxxx&password=xxxxx&tenantDomain=carbon.super"
>>>>>>>>>>>> -H "Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, Content-Type: application/x-www-form-urlencoded"
>>>>>>>>>>>> https://localhost:9443/oauth2/token
>>>>>>>>>>>
>>>>>>>>>>> Error :
>>>>>>>>>>>
>>>>>>>>>>>> "Error decoding authorization header. Space delimited
>>>>>>>>>>>> \"<authMethod> <base64Hash>\" format violated."
>>>>>>>>>>>
>>>>>>>>>>> Is there an issue with the curl command I am using here ?
>>>>>>>>>>>
>>>>>>>>>>> Thanks and Regards.
>>>>>>>>>>> Kamidu Sachith Punchihewa
>>>>>>>>>>> *Software Engineer*
>>>>>>>>>>> WSO2, Inc.
>>>>>>>>>>> lean . enterprise . middleware
>>>>>>>>>>> Mobile : +94 (0) 770566749 <%2B94%20%280%29%20773%20451194>
>>>>>>>>>>>
>>>>>>>>>>> Disclaimer: This communication may contain privileged or other
>>>>>>>>>>> confidential information and is intended exclusively for the addressee/s.
>>>>>>>>>>> If you are not the intended recipient/s, or believe that you may have
>>>>>>>>>>> received this communication in error, please reply to the sender indicating
>>>>>>>>>>> that fact and delete the copy you received and in addition, you should not
>>>>>>>>>>> print, copy, retransmit, disseminate, or otherwise use the information
>>>>>>>>>>> contained in this communication. Internet communications cannot be
>>>>>>>>>>> guaranteed to be timely, secure, error or virus-free. The sender does not
>>>>>>>>>>> accept liability for any errors or omissions.
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Dev mailing list
>>>>>>>>>>> Dev@wso2.org
>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Dev mailing list
>>>>>>>>> Dev@wso2.org
>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> *Malithi Edirisinghe*
>>>>>>>> Senior Software Engineer
>>>>>>>> WSO2 Inc.
>>>>>>>>
>>>>>>>> Mobile : +94 (0) 718176807
>>>>>>>> malit...@wso2.com
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Hasintha Indrajee
>>>>>> Software Engineer
>>>>>> WSO2, Inc.
>>>>>> Mobile:+94 771892453
>>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Malithi Edirisinghe*
>>>>> Senior Software Engineer
>>>>> WSO2 Inc.
>>>>>
>>>>> Mobile : +94 (0) 718176807
>>>>> malit...@wso2.com
>>>>>
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> Software Engineer
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>
>>
>> --
>> Lakmali Baminiwatta
>> Senior Software Engineer
>> WSO2, Inc.: http://wso2.com
>> lean.enterprise.middleware
>> mobile: +94 71 2335936
>> blog : lakmali.com
>>
>

--
Lakmali Baminiwatta
Senior Software Engineer
WSO2, Inc.: http://wso2.com
lean.enterprise.middleware
mobile: +94 71 2335936
blog : lakmali.com
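
The failure discussed in this thread, as an added Python example that is not part of the original messages and is not WSO2's code: one header line that carries a second header in its value fails a strict '<authMethod> <base64Hash>' check, while the same credentials sent in their own header pass. The function names and the demo-client:demo-secret credentials are assumptions constructed for illustration.

```python
import base64


class AuthzHeaderError(ValueError):
    """The Authorization value is not '<authMethod> <base64Hash>'."""


def split_header_line(line):
    """Split a header line at the first ':' as an HTTP server does.

    Everything after that colon is the value, so a second header typed
    into the same -H string becomes part of the Authorization value.
    """
    name, _, value = line.partition(":")
    return name.strip(), value.strip()


def extract_basic_credentials(header_value):
    """Return (client_id, client_secret) or raise AuthzHeaderError.

    Strict on purpose: exactly two whitespace-delimited tokens, scheme
    'Basic', canonical base64, and a ':' between id and secret.
    """
    parts = header_value.split()
    if len(parts) != 2:
        raise AuthzHeaderError("expected '<authMethod> <base64Hash>'")
    scheme, token = parts
    if scheme.lower() != "basic":
        raise AuthzHeaderError("unsupported auth method")
    try:
        # validate=True rejects stray characters such as a trailing comma
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError
        raise AuthzHeaderError("credentials are not valid base64") from exc
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        raise AuthzHeaderError("decoded value is not 'id:secret'")
    return client_id, client_secret


# Constructed sample credentials, not taken from the thread.
SAMPLE_B64 = base64.b64encode(b"demo-client:demo-secret").decode("ascii")


def demo():
    """Parse the two header shapes from the thread and report each outcome."""
    lines = {
        "separate": "Authorization:Basic " + SAMPLE_B64,
        "merged": "Authorization: Basic " + SAMPLE_B64
                  + ", Content-Type: application/x-www-form-urlencoded",
    }
    results = {}
    for label, line in lines.items():
        _, value = split_header_line(line)
        try:
            results[label] = extract_basic_credentials(value)
        except AuthzHeaderError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```
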