401 error accessing https://services.humanbrainproject.eu/collab/v0/collab/context/.../


#1

I’m doing a variant of the _is_collaborators authorization method for a small Collab App I’m writing.

The code is more-or-less unmodified from the original version.

I have a bearer token. It’s being passed by the call. This is the code:

import requests

def _is_collaborators(request, context):
    # get_services, settings and _get_auth_header are the app's own helpers
    svc_url = get_services()['collab_service'][settings.ENV]['url']
    headers = {'Authorization': _get_auth_header(request.user)}
    if not context:
        return False
    url = '%scollab/context/%s/' % (svc_url, context)
    res = requests.get(url, headers=headers)
    if res.status_code != 200:
        return False
    return True

res.status_code == 401 after requests.get(…).

Any ideas?


#2

401 means Unauthorized rather than Forbidden. This means that there is an issue with your user / token.

To check:

  • It might be that request.user contains a Django authenticated user rather than an OAuth2 one,
  • Or that you are doing a request on a different environment than the one the token has been issued for (token from prod, request on dev).
  • Are you sure that _get_auth_header generates a string which looks like ‘Bearer myverylong-token’?

#3
  • request.user == ‘jcmullerf4ea139052b5478f’
    I’m not sure how the OIDC users should look, maybe this is the problem…

  • I’m pretty sure all my urls point to prod.

  • I’ve got the ‘Authorization: Bearer a-very-long-token’ in the request headers.


#4

Can you print the URL? I would like to test it on my side. What you can do as well is try the request in Postman or any other generic REST client tool. Maybe try with a token from collab.humanbrainproject.eu to eliminate this part as a possible issue.


#5

Ok,

I dumped the response res.content:
{"status": 401, "message": "Not in scope: hbp.collab"}

However, “Dataset Information Card Manager” has hbp.collab in its scopes. Interestingly, it didn’t when I created it. I added it later on. Is there some caching in here somewhere?


#6

Yes, if your token has been issued before, it won’t contain this scope. Logout/Login should do the trick.
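The checks posts #2 and #5 walk through by hand (is the header really ‘Bearer …’, is the 401 a token problem or a membership problem, what does the error body say) can be folded into the access check itself. The following is an added example, not code from this thread or from the HBP services: it wraps the same GET on collab/context/…/ and returns a reason alongside the boolean. The service URL, the tokens, their scopes and the context name are constructed, and `fake_get` is a stand-in for `requests.get` so the example runs offline; pass the real `requests.get` to use it against the service.

```python
import json


# Constructed stand-in for the collab service: maps bearer tokens to the
# scopes they were issued with. A real token's scopes are fixed at issue time,
# which is why a token minted before hbp.collab was added to the client lacks it.
FAKE_TOKENS = {
    'tok-with-scope': {'openid', 'profile', 'hbp.collab'},
    'tok-stale': {'openid', 'profile'},
}
SVC_URL = 'https://services.example.invalid/collab/v0/'   # hypothetical URL
MEMBER_CONTEXT = 'ctx-member'   # constructed: the one context the user may read


class FakeResponse:
    """Minimal object mimicking the parts of requests.Response the check reads."""

    def __init__(self, status_code, body):
        self.status_code = status_code
        self.content = json.dumps(body).encode('utf-8')

    def json(self):
        return json.loads(self.content.decode('utf-8'))


def fake_get(url, headers=None, timeout=None):
    """Drop-in for requests.get against the constructed fake service."""
    auth = (headers or {}).get('Authorization', '')
    if not auth.startswith('Bearer '):
        return FakeResponse(401, {'status': 401, 'message': 'Unauthorized'})
    scopes = FAKE_TOKENS.get(auth[len('Bearer '):])
    if scopes is None:
        return FakeResponse(401, {'status': 401, 'message': 'Invalid token'})
    if 'hbp.collab' not in scopes:
        return FakeResponse(401, {'status': 401, 'message': 'Not in scope: hbp.collab'})
    if url == '%scollab/context/%s/' % (SVC_URL, MEMBER_CONTEXT):
        return FakeResponse(200, {'collab': {'id': 54}})
    return FakeResponse(403, {'status': 403, 'message': 'Forbidden'})


def check_collab_context(get, svc_url, context, auth_header, timeout=10):
    """GET {svc_url}collab/context/{context}/ and return (allowed, reason).

    `get` is requests.get or a compatible fake. Unlike a bare
    `status_code != 200` test, the reason distinguishes a token problem (401)
    from a membership problem (403) and surfaces the service's error message.
    """
    if not context:
        return False, 'no context'
    if not auth_header.startswith('Bearer '):
        return False, 'malformed Authorization header, expected "Bearer <token>"'
    url = '%scollab/context/%s/' % (svc_url, context)
    res = get(url, headers={'Authorization': auth_header}, timeout=timeout)
    if res.status_code == 200:
        return True, 'ok'
    try:
        message = res.json().get('message', '')
    except ValueError:
        message = res.content[:200].decode('utf-8', errors='replace')
    if res.status_code == 401:
        if message.startswith('Not in scope'):
            # The token predates the scope on the OIDC client: a fresh login is
            # needed; retrying with the same token cannot help.
            return False, 'token lacks scope (%s); log out and back in' % message
        return False, 'token rejected (%s)' % message
    if res.status_code == 403:
        return False, 'token accepted but user is not a collaborator on this context'
    return False, 'unexpected HTTP %d (%s)' % (res.status_code, message)
```

Logging the reason (never the token) at the call site turns the original silent `return False` into something that tells you on the first attempt whether to re-login, fix the header, or check collab membership.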


#7

No luck so far. Tried:

  1. Login/Logout
  2. Incognito mode (w/ no open incognito windows prior to login)

Cache clean shouldn’t improve on the options above, should it?


#8

I guess Django is caching your token but it should revalidate it anyway. What is your OIDC client id?


#9

059c93fa-2fd2-4fa5-a6fb-44d8b208fec3


#10

That’s a server-flow token, technically it’s safe to post it here, right? (safeguard your n00bs)


#11

The UUID is safe because the redirect URL is used to prevent malicious redirection; sharing the secret key, on the other hand, never.


#12

Ok. The issue is solved.

The problem had to do with the fact that the django client-side config was requesting tokens with restricted scopes.

The solution was to remove the scopes from the auth token request.

So in my /config handler:

import json

import requests
from django.conf import settings
from django.contrib.auth.decorators import login_required
from django.http import HttpResponse


@login_required(login_url='/login/hbp')
def config(request):
    '''Render the config file'''

    res = requests.get(settings.HBP_ENV_URL)
    config = res.json()
    # Use this app client ID
    config['auth']['clientId'] = settings.SOCIAL_AUTH_HBP_KEY
    # Add user token information from this user's social-auth record
    extra_data = request.user.social_auth.get().extra_data
    config['auth']['token'] = {
        'access_token': _get_access_token(request),
        'token_type': extra_data['token_type'],
        # remaining lifetime of the Django session, not of the token itself
        'expires_in': request.session.get_expiry_age(),
    }
    return HttpResponse(json.dumps(config), content_type='application/json')

#13

Hi,

I am having a similar issue, but I am not sure I understand what you did to fix this (I am using Java as the client, so the code is quite different). The “scope” of the original request for authentication is set to “openid profile” as specified for basic requests. If I add to this “hbp.collab”, I get an error that the scope is invalid. Should this be set to something else to get a user bearer token authorized with hbp.collab?

Thanks,

Andrew :slight_smile:


#14

Where did you get the invalid scope error from? Collab service or OIDC?
Can you check that ‘hbp.collab’ is one of the authorized scopes for your client here https://collab.humanbrainproject.eu/#/collab/54/nav/1051?


#15

Hi,

Sorry for taking so long to get back to you. I have returned to this issue, but have managed to solve it now. It turned out that I was using the wrong token to access the service.

Thanks for responding,

Andrew :slight_smile: