-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth2 Authorization Code workflow breaks in v2022.7.5 #5722
Comments
I can confirm this. Suddenly a working configuration stopped working. 2022.7.5 |
I have exactly the same issue here ✋ 2022.7.5 |
Same here! Also running Insomnia |
For some reason insomnia captures code, that is being sent to auth instead of the one that would be sent to redirect url. Therefore the presented code to token endpoint is incorrect. Short story. Thx to collegue who discovered it... 2022.7.5 |
I can confirm as well. v2022.7.5 on monterey 12.3 |
Confirmed Authorization Code flow broken. v2022.7.5 on Windows 10 |
I can confirm this as well for v2022.7.5. Please fix. |
Same here with v2022.7.5 against a keycloak instance, responding with |
Please fix this before I jump off a bridge (: |
Same issue. 2022.7.5 |
@oskargab if you turn off the auto update utility you can downloaded the 2022.6 release from GitHub and install it (that's the only one I've tested so far). You could probably just downgrade to the last version before 2022.7.5 and see if that one works as well. Ideally they would have a fix, but downgrading should work in the meantime |
Anoying |
Same issue over here. Downgrading worked, but not ideal. Any update on a fix? |
I only have the issue that refreshing token does not work, Not sure if that is the same issue. It does not send the credentials anymore when I set it to "As basic auth header". When I set it to "In request body" it works. version: 2022.7.5 |
Bump for this issue. Version 2022.7.5; Apple silicon; OSX Ventura. Downgrading to an older version seems to work for now. |
Same here.
Insomnia tries to read the code in this URL because it encounters the pattern Making the Redirect URI optional should have used a on/off flag in the main settings or in the OAuth settings tab to allow such flows to work as before. All our Insomnia collections are now unusable for us since this update. |
… match on it if set (#5763) * If redirectUrl is unset, do not match on it, but still match on it if set. Also check that 'code' and 'error' are not part of parameters name, but the full name of the parameter in URI * fix linter error
Hey folks we're merging @ltressens potential fix and it will go out in today's beta release ( |
Just installed the beta .dmg on Mac. |
This seems unfortunately NOT to be fixed in the latest beta. With same setup in postman it works nicely. The error is now: OAuth 2.0 Error invalid_request Code challenge method is allowed, generally, but this client is not permitted to use it. undefined Version: Insomnia 2023.1.0-beta.3 @filfreire @ltressens please do reopen |
Hello @helgeu ! Given the elements of your message, this error seems totally unrelated to the initial bug and its proposed resolution. The error message "Error invalid_request Code challenge method is allowed, generally, but this client is not permitted to use it. undefined" is not part of Insomnia code base. Lionel |
Thanx for your answer @ltressens! There is in fact no Response timeline here. Which kind of put me off, and I should have extended the initial image to showing that. Added it here now. So I am not so sure about the Idp being the problem here either since Postman handles the exact same setup. I tried during the weekend to get this project up and running but did not manage to get it to debug in Visual Studio Code. So if there exists some explanation of getting this up and running on Windows (preferably) with Visual studio Code I can debug the exact case and find out a bit more about whats causing it. I did use Fiddler for capturing the networking traffic and that seemed quite ok to me, and no errors from the Idp as far as I could see. |
Hi @ltressens You are partially right related to your gut feeling of this not being related to the initial bug. I found the real bug and its related to the setting up this initially. In short the It seems that its first set when actually selected and not at the point where "USE PKCE" is turned on. This again does the request with PKCE but with plain and not SHA256. So if you do the following:
Then the error will occur and it will "of course" be "Code challenge method is allowed, generally but this client is not permiteted to use it", since the UI says SHA256, but the request for auth code flow is sent at 'plain'. There is a simple workaround of this of course: Just flick the plain/SHA256 and it works. |
Ping @jackkav who wrote these 2 lines 2 months ago. |
Same issue here, waiting for the new version release... |
Expected Behavior
After updating from 2022.7.4, I can longer fetch tokens using OAuth 2 for the grant type of Authorization Code. My settings have not changed as I'm using environment variables to populate the following
Again with the same settings in 2022.7.4 I'm able to get all three tokens (refresh, identity, and access tokens). Only thing changed is the insomnia version.
Actual Behavior
Here is the response timeline
Reproduction Steps
Is there an existing issue for this?
Additional Information
I have cleared OAuth 2 sessions under the advance options and I have cleared all token input boxes before fetching new tokens. The unexpected result is the same.
Insomnia Version
2022.7.5
What operating system are you using?
macOS
Operating System Version
macOS Ventura 13.1
Installation method
downloaed from insomnia.rest
Last Known Working Insomnia version
2022.7.4
The text was updated successfully, but these errors were encountered: