This repository has been archived by the owner on Feb 28, 2021. It is now read-only.

github deployment works with manual deploy only #26

Closed
gex opened this issue May 27, 2019 · 7 comments

gex commented May 27, 2019

we configured the github deployments extension (both the personal access token and the webhook) and it works when i click on the deploy button. after that on the deployments tab i see a success status with a green icon, the branch name (master) in the change column and my auth0 user (in auth0|id format). but after i push something to the repository (we usually merge a pull request), on the deployments page i see a failed status with a red icon, the hash of the commit and my github username.

the log says:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token",
  "attributes": {
    "error": "Invalid token"
  }
}

i checked the recent deliveries under the webhook and there is a successful request to the payload url, the status code is 202 and the response is

{
  "message": "Request accepted, deployment started."
}

@zxan1285
Contributor

Hi!
The error does look like an Auth0 API error. It seems the extension is getting all the files from the repo, but cannot authorize to the Auth0 API to update the records.
Did you change the auth0-github-deploy generic client in some way?
Could you please re-install the extension and see if that helps?

Author

gex commented May 28, 2019

hi @zxan1285 !

no we didn't make any changes in the extension itself, we installed it on the extensions tab a while ago. the only change we made recently is updating it from 2.6 to 2.8. i'm going to reinstall it and i'll let you know if it helps.

edit: it's not related to the upgrade, it happens on a tenant with 2.6 as well.

Author

gex commented May 28, 2019

so, we reinstalled the extension, updated the webhook with the new secret and created a pull request in the repository. after we merged it the webhook delivered it to the extension but the extension couldn't update the tenant. the error is the same:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token",
  "attributes": {
    "error": "Invalid token"
  }
}

clicking on the re-deploy button in the row of failed deployment and clicking on the deploy button above the deployments were successful.

@zxan1285 zxan1285 self-assigned this May 28, 2019
@zxan1285
Contributor

Thanks for trying @gex
and sorry for the inconvenience.

I wasn't able to reproduce the exact error so far.
Would you mind answering a few questions that could help me investigate this?
Do you use auth0 cloud or PSaaS?
What's the region of the webtask (au, eu, us)?

Also, if you could check the access_token for the extension's client, that would help a lot.
To get the access_token, you need to send a POST request to https://{your_domain}/oauth/token with the payload

{
  "audience": "https://{your_domain}/api/v2/",
  "client_id": "auth0-github-deploy client_id",
  "client_secret": "auth0-github-deploy client_secret",
  "grant_type": "client_credentials"
}

then use that access_token to get something from API2:
GET https://{your_domain}/api/v2/clients with Authorization: Bearer {access_token} header.

Author

gex commented May 29, 2019

> Do you use auth0 cloud or PSaaS?

we use auth0 cloud, all 3 tenants are in the developer pro tier.

> What's the region of the webtask (au, eu, us)?

the 3 tenants are in the same region (US (Prod)) and the domains of the extension are *.us8.webtask.io so i guess it's us. but that's not something we could set or can change now.

> Also, if you could check access_token for the extension's client, that would help a lot.

the response of the /api/v2/clients request:

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token",
  "attributes": {
    "error": "Invalid token"
  }
}

so i checked the content of the token (redacted the sensitive parts):

{
  "https://<our_domain>/email": "<our_email_address>",
  "iss": "https://<tenant_name>.auth0.com/",
  "sub": "<auth0-github-deploy client_id>@clients",
  "aud": "https://<tenant_name>.auth0.com/api/v2/",
  "iat": 1559146050,
  "exp": 1559232450,
  "azp": "<auth0-github-deploy client_id>",
  "gty": "client-credentials"
}

and the first line (the email) reminded me that we created a hook because we're also using the authorization extension and to add permissions to machine to machine application tokens we cannot use rules.

is it possible that we broke the auth0-github-deploy by adding a custom hook?

the template for creating new hooks is like:

module.exports = function(client, scope, audience, context, cb) {
  var access_token = {};
  access_token.scope = scope;

  // Modify scopes or add extra claims
  // access_token['https://example.com/claim'] = 'bar';
  // access_token.scope.push('extra');

  cb(null, access_token);
};

so anything created before this hook is lost because we start with an empty access token.

@zxan1285
Contributor

Yep, the scope is missing.
Adding

if (client.id === '<auth0-github-deploy client_id>') {
  return cb(null, { scope });
}

should fix the issue.

Author

gex commented May 30, 2019

thank you @zxan1285 it solved the issue!

@gex gex closed this as completed May 30, 2019
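
A local check for the fix suggested in the thread, as an added example that is not code from the issue or from the extension: it runs a hook shaped like the quoted template and reports any requested scopes the hook dropped. `DEPLOY_CLIENT_ID`, the claim name, the audience and the scope values are constructed placeholders.

```javascript
// Added example, not code from the thread. All ids, claims and scopes
// below are constructed placeholders.
const DEPLOY_CLIENT_ID = 'DEPLOY_CLIENT_ID_PLACEHOLDER';

// Hook in the shape of the template quoted in the thread, with the guard
// from the reply: the deploy client's token passes through unchanged.
function hook(client, scope, audience, context, cb) {
  if (client.id === DEPLOY_CLIENT_ID) {
    return cb(null, { scope });
  }
  const access_token = { scope: scope.slice() };
  access_token['https://example.com/email'] = 'ops@example.com';
  cb(null, access_token);
}

// Constructed failure case: a hook that adds a claim but never carries
// the requested scope over into the token it returns.
function brokenHook(client, scope, audience, context, cb) {
  cb(null, { 'https://example.com/email': 'ops@example.com' });
}

// Invoke a hook once and return the token object it passes to the callback.
function runHook(fn, clientId, scope) {
  let result;
  fn({ id: clientId }, scope, 'https://tenant.example/api/v2/', {}, (err, token) => {
    if (err) throw err;
    result = token;
  });
  return result;
}

// Scopes that were requested but are absent from the hook's output.
function lostScopes(requestedScopes, token) {
  const kept = Array.isArray(token.scope) ? token.scope : [];
  return requestedScopes.filter((s) => !kept.includes(s));
}

const requested = ['read:clients', 'update:clients']; // sample values
console.log('guarded hook lost:', lostScopes(requested, runHook(hook, DEPLOY_CLIENT_ID, requested)));
console.log('broken hook lost: ', lostScopes(requested, runHook(brokenHook, DEPLOY_CLIENT_ID, requested)));
```
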