This repository has been archived by the owner on Mar 11, 2021. It is now read-only.
Add API to Link accounts. #134
Comments
12 tasks
|
I've updated the issue description. |
sbose78
pushed a commit
that referenced
this issue
Oct 13, 2017
The new API for account linking which doesn't use keycloak IDPs linking. ## Linking Accounts ``` POST /api/token/link Content-Type: application/x-www-form-urlencoded Payload: for=<resource>&token=<access_token>&scope=<scope>&redirect=<redirect_url> ``` **`<resource>`** - Resource we need to link accounts for. For example https://github.com/somecoolrepo or https://console.starter-us-east-2.openshift.com/console/project/coolproject **`<scope>`** - required scope. Multiple scopes can be specified by separating them with a space. Optional. If not defined then the default scope is used. Not supported in the first version! **`<redirect>`** - after successful linking the client will be redirected to this URL. If not specified then the URL from the “Referer” header will be used. If both “Referer” header and “redirect” param are missing then a Bar Request response will be returned. **`<access_token>`** - user’s access token If the token for such user already exists then the account will be re-linked and the token will be updated. In the first version, we support only **github** and **openshift** represents OSO-us-starter-2. Later an individual **openshift** provider will be associated with the user during signup by the registration app, as part of multicluster support. **Example:** ``` POST /api/token/link Content-Type: application/x-www-form-urlencoded for=https://github.com/somecoolrepo&token=ABSDEF12345678990&redirect=https%3A%2F%2Fopenshift.io&scope=user%20public_repo ``` ## Re-linking Accounts If some services catches 401 when trying to use Git or OS token this service should return 401 to UI with the following header: `WWW-Authenticate: Link url=<link_url_optional>, description=”<description_optional>”` UI should initiate re-linking when it catches such 401 response. Fixes #134
alexeykazakov
pushed a commit
to fabric8-services/fabric8-common
that referenced
this issue
Oct 16, 2018
* Move 'FetchKeys()' function into a subpkg (#435) * Move 'FetchKeys()' function into a subpkg (#433) Fixes #433 Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * refactor 'token/keycloak/keys' pkg to 'token/jwt' Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * Rename jwt to jwk * Rename jwt to jwk * Tests for key fetcher (#436) * Tests for key fetcher * Test default fetcher * Delete tenants from Tenant service when deprovisioning user (#484) * Delete user from Tenant service when deprovisioning * Re-org tenant service * Generate Auth SA when creating Token Manager * Test for signer * Add delete tenant * Add tests for init * More tests * Delete tenant tests * Controller * Update tenant dep * Controller tests * dont delete namespaces for deprovisioned=false * Switched from github to the local keycloak instance (#654) Fixes #653 * Use relative URL's rather than FQDN's for dependency services (#802) Fixes #775 * Space id for wi, wit and tracker query (Fixed: #685 and #766) * Create Keycloak resource when space created (#962) Fixes #961 * Add check for request Scheme to detect HTTPS (#1080) * Add check for X-Forwarded-Proto to detect HTTPS (#1090) Related to #1080 * Minor fixes to get HTTP/2 running (#1440) * Move health checks to use HTTPS * Check TLS config on Request to determine REST response URL protocol * Revert "Minor fixes to get HTTP/2 running (#1440)" This reverts commit 74d90c1f9f25bc8100ecaeaad1a18eb4d6767e46. * Rename project to Fabric8-WIT (#1450) Related to #345 * renamed packages * Close responses to prevent FDs leaks (#205) Ensure that response bodies are closed and read from, minimally. fixes #204 * Update existing Keycloak users when registering new users (#231) * Fix params in email verify redirect URL (#260) fixes https://github.com/fabric8-services/fabric8-common/issues/258 * Add trailing slash to user.cluster, APIURL, ConsoleURL, and MetricsURL (#309) Regardless of actual URLs we store in user's profile and cluster configuration for OSO API, Console, and Metrics URL we should return these URLs with a trailing slash (for example "https://api.*.openshift.com/") * Generate user tokens in Auth service (#402) - New private keys ( added in openshift secrets ) in configuration (should match keys in KC) - We don't load public keys from KC any more - During login (/login and /token) we now generate our own keys (access & refresh) based on the KC - tokens instead of passing along the original KC tokens to client - We also generate new tokens when refreshing the token (/token/refresh) - Added new methods in token manager to generate tokens (access & refresh) based on Identity (in addition to methods to generate tokens based on KC tokens). These methods are not used atm but fully tested and ready to be used when we decommission KC - /token/generate (in Dev Mode) now doesn't use KC - /token/refresh in Dev Mode (but not in tests) doesn't use KC either fixes #229 * Return subscription status to UI when unapproved user is trying to login (#422) * Show subscription status when unapproved user is trying to login * Extract username from token * OS Templates * Tests * fix typos * Fix ineffassign * Clean up * Fix tests * Http Client * Client tests * Fix typo * Test default client * Delete tenants from Tenant service when deprovisioning user (#484) * Delete user from Tenant service when deprovisioning * Re-org tenant service * Generate Auth SA when creating Token Manager * Test for signer * Add delete tenant * Add tests for init * More tests * Delete tenant tests * Controller * Update tenant dep * Controller tests * dont delete namespaces for deprovisioned=false * Proxy /api/clusters to Cluster Management Service (#659) * Proxy /cluster to Cluster Management Service * Call Cluster Managment Service to get cluster info * Fix test compilation errors * Remove unused function * Fix tests * Fix conflicts after merge to master * More tests * cleanup * Fix merge conflicts * Lazy cluster service initialization * More tests * Add synchronization to Default Token Manager initialization * More tests * Addressing PR review comments * Return a copy of cluster instead of pointer to original cached object * Add comments about avoiding Auth-Cluster cycle dependencies during startup * Add some logs * Fix cluster/auth path * include token/jwk package from auth also, reorganize `rest`, `http` and `httpsupport`, moving all possible content in `httpsupport` to avoid the name confusion/clash with `net/http` fixes #18 Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * fix(#572): use correct identityId in notification request payload (#589) * fix test Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * remove old 'token' pkg before importing from fabric8-cluster Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * Add Login Service for user auth via GitHub using OAuth (#229) Login entrypoint mounted on /api/login/authorize Login entry point mounted on /api/login/authorize Contributed-by Konrad Kleine <kwk@users.noreply.github.com> Contributed-by Shoubhik Bose <sbose78@gmail.com> Contributed-by Pranav Gore <pranavgore09@gmail.com> Fixes #20, #219, #321, #325, #327, #328, #337 Related #304 * Add basic error stack (#642) * Add stack to all error reporting methods ... that could be found using this: find . -name "*.go" -exec sed -i -e 's/return\(.*\) err$/return\1 errors.WithStack(err)/g' {} \; See #641 * Added github.com/pkg/errors See #641 * Fix missing import of github.com/pkg/errors * Use github.com/pkg/errors.New() instead of standard errors.New() * Use errors.Errorf() instead of fmt.Errorf() * Use errors.Cause() in tests that check for a particular error type * Error type switch based on cause of error * Print bubbled up errors with stack * Simplify code when formatting with gofmt (#748) * Use keycloak tokens instead of generating our own (#692) Use keycloak tokens instead of generating our own ones when serving client auth requests Fixes #672 * Added doc files to improve the documentation (#803) Added doc files to improve the documentation. * Refactored test token generation (#812) * Refactored test token generation * Centralized the token generation function * Use "context" instead of "golang.org/x/net/context" (#1385) * Use "context" instead of "golang.org/x/net/context" * fix(goa): upgrade goa to 1.2.0 Fixes #1357 * Rename project to Fabric8-WIT (#1450) Related to #345 * renamed packages * Load public keys from KC instead of storing them in configuration (#85) * Auth Service Account (#96) * On login, notify & update user info in WIT service too. (#82) * Check token claims if user is approved (#124) * New "api_client" param for /api/login (#126) * Data model for "external provider token" services. (#131) Data model for storing tokens retrieved as part of linking OpenShift Online and Github user accounts. fixes #132 * Move TokenToJson to service level (#137) Avoid lower level package dependency on external generated REST API. Related to fabric8-services/fabric8-wit#1395 * rename ExternalProviderToken to ExternalToken (#143) * REST API for account linking (#136) The new API for account linking which doesn't use keycloak IDPs linking. ## Linking Accounts ``` POST /api/token/link Content-Type: application/x-www-form-urlencoded Payload: for=<resource>&token=<access_token>&scope=<scope>&redirect=<redirect_url> ``` **`<resource>`** - Resource we need to link accounts for. For example https://github.com/somecoolrepo or https://console.starter-us-east-2.openshift.com/console/project/coolproject **`<scope>`** - required scope. Multiple scopes can be specified by separating them with a space. Optional. If not defined then the default scope is used. Not supported in the first version! **`<redirect>`** - after successful linking the client will be redirected to this URL. If not specified then the URL from the “Referer” header will be used. If both “Referer” header and “redirect” param are missing then a Bar Request response will be returned. **`<access_token>`** - user’s access token If the token for such user already exists then the account will be re-linked and the token will be updated. In the first version, we support only **github** and **openshift** represents OSO-us-starter-2. Later an individual **openshift** provider will be associated with the user during signup by the registration app, as part of multicluster support. **Example:** ``` POST /api/token/link Content-Type: application/x-www-form-urlencoded for=https://github.com/somecoolrepo&token=ABSDEF12345678990&redirect=https%3A%2F%2Fopenshift.io&scope=user%20public_repo ``` ## Re-linking Accounts If some services catches 401 when trying to use Git or OS token this service should return 401 to UI with the following header: `WWW-Authenticate: Link url=<link_url_optional>, description=”<description_optional>”` UI should initiate re-linking when it catches such 401 response. Fixes fabric8-services/fabric8-auth#134 * Fix return type of OpenShift Config. (#144) * Add API to get external provider token (#140) * REST API for removing linked/external tokens (#152) * Support multiple resources when linking accounts (#160) `for` can now contains a set of resources separated by comma. For example: `/api/token/link?for=https://github.com,https://api.openshift.com` Fixes fabric8-services/fabric8-auth#159 * simplify DB tests setup (#180) * Clean up test identity in account linking tests (#181) * Service Account token issuance (login) endpoint (#169) * Rename auth Service Account to 'fabric8-auth' (#183) * Delete account links from Keycloak (#192) While deleting tokens from DB, also remove link from keycloak. * Support GET /token?for=resource for service accounts (#195) * Close responses to prevent FDs leaks (#205) Ensure that response bodies are closed and read from, minimally. fixes #204 * Return 200 with payload instead of 303 when initiate account linking (#211) * Return 200 with payload containing redirect url instead of 303 when initiate account linking * Use GET /api/token/link instead of POST. * Support for creating users using service account tokens (#170) * add support for creating users using service acc * update user data in kc & WIT * add rhd linking * Disable more KC authZ tests fixes #166 and #167 * Fetch user's username for linked Github/OpenShiftOnline account (#214) fixes #212 * ISSUE-71 initial endpoint implementation for resource registration (#94) Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * Update existing Keycloak users when registering new users (#231) * Changed state param from UUID to string (#239) * Synchronize keycloak from auth service's DB upon login (#265) * refactor to sync from auth to keycloak * invoke * make the api work * fix profile update * sync emailverified better * cleanup * fix tests * add tests * add comments * add tests * more tests * Fix OSO token endpoint URL (#280) * GET /api/clusters for oso-proxy and tenant services (#283) fixes #282 * Explicitly read response body when closing it to avoid FD leaks (#307) * Add trailing slash to user.cluster, APIURL, ConsoleURL, and MetricsURL (#309) Regardless of actual URLs we store in user's profile and cluster configuration for OSO API, Console, and Metrics URL we should return these URLs with a trailing slash (for example "https://api.*.openshift.com/") * Validate all incoming tokens (#306) * Support `response_mode=fragment` for /authorize (#308) * Added response_mode and refactored function to support response_mode * Made /authorize/callback to return code and state in fragment mode * Modified tests to test with the fragment mode * Added Test for nil responseMode in which /authorize ok * - Removed use of "query" from implemetation, in response_type="query" response_type would be treated as nil - More description for fragment mode - Other minor changes * Added some tests for the new ResponseMode * OauthStateReference.ResponseMode as *string instead of string. If you change it to *string then you will be able to store NULL or a string value in DB. If you keep it as string then instead of NULL you will store an empty string. * Modified tests * Fix logging * Extract an interface for the parsing of tokens (OSIO#2091) (#323) Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * Include the 'PublicKeys()' method in the 'token.Parser' interface (OSIO#2091) (#325) Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * Fixed inappropriate error handling if delete is unsuccessful (#326) * Fixed inappropriate error handling if delete is unsuccessful * added log for load failure * Add alias for user's OSO url to /api/token?for=<alias> (#335) * Add alias for user's OSO/github url to GET /api/token?for=<alias> * Add alias for user's OSO/github url to POST /api/token/link?for=<alias> * Add alias for user's OSO/github url to DELETE /api/token?for=<alias> fixes #334 * Support forcePull for cluster tokens (#351) part of openshiftio/openshift.io#2304 * API for notifying Auth about deprovisioned users (#354) - [x] New endpoint which accepts requests from OpenShiftOnline Reg App SA only: ``` PATCH /api/users:id { "data": { "type": "identities", "attributes": { "deprovisioned": true } } ``` Returns `200 OK` if succeed. - [x] Login returns 401 if user has been deprovisioned - [x] Token refresh returns 401 if user has been deprovisioned - [x] `GET /api/user`returns 401 if user has been deprovisioned. Tenant init service is not called. - [x] `GET /api/userinfo`returns 401 if user has been deprovisioned. Tenant init service is not called. - [x] `GET /api/users/:id` returns 401 if user has been deprovisioned but only if called by Tenant SA. Still open for other clients, so, UI is not broken. - [x] Tests Fixes fabric8-services/fabric8-auth#353 * Add Jenkins-Idler SA to cluster and token API (#362) * Add Jenkins Proxy SA and allow it accessing Cluster & Token APIs (#363) * Generate user tokens in Auth service (#402) - New private keys ( added in openshift secrets ) in configuration (should match keys in KC) - We don't load public keys from KC any more - During login (/login and /token) we now generate our own keys (access & refresh) based on the KC - tokens instead of passing along the original KC tokens to client - We also generate new tokens when refreshing the token (/token/refresh) - Added new methods in token manager to generate tokens (access & refresh) based on Identity (in addition to methods to generate tokens based on KC tokens). These methods are not used atm but fully tested and ready to be used when we decommission KC - /token/generate (in Dev Mode) now doesn't use KC - /token/refresh in Dev Mode (but not in tests) doesn't use KC either fixes #229 * Return subscription status to UI when unapproved user is trying to login (#422) * Show subscription status when unapproved user is trying to login * Extract username from token * OS Templates * Tests * fix typos * Fix ineffassign * Clean up * Fix tests * Http Client * Client tests * Fix typo * Test default client * Support offline token generation (#427) * Support offline token generation * Tests * Fix import after rebasing * Move 'FetchKeys()' function into a subpkg (#435) * Move 'FetchKeys()' function into a subpkg (#433) Fixes #433 Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * refactor 'token/keycloak/keys' pkg to 'token/jwt' Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * Rename jwt to jwk * Rename jwt to jwk * Tests for key fetcher (#436) * Tests for key fetcher * Test default fetcher * Introduce service layer (#456) # Refactoring of application package - Repositories interface extracted into repository subpackage This provides a global fix for import cycle issues, solving the problem of having to create a separate repositories interfaces for the service layer - Services interface introduced. Provides a convenient way for controllers to access the service layer # Decouple transaction control from the application package ## Transaction-related functionality moved to application/transaction package - Allows transactions to be managed without introducing import cycle issues with application package - Transactional method refactored: ` func Transactional(tm TransactionManager, todo func(f TransactionalResources) error) error` The `tm` parameter is used by the `Transactional` method to initiate the transaction. Code executed within the transaction block (i.e. the `todo` function) may interact with transactional resources (e.g. repositories) via the `TransactionalResources` parameter. **Some notes:** The `Application` object implements `TransactionManager`, so transactions can continue to be conveniently managed inside the controller package: ``` err := transaction.Transactional(c.app, func(tr transaction.TransactionalResources) error { // transactional code } ``` `TransactionalResources` implements the `Repositories` interface, providing convenient access to repository types: ``` err := transaction.Transactional(c.app, func(tr transaction.TransactionalResources) error { tr.ResourceRepository().Delete(ctx, ctx.ResourceID) } ``` The scope of `TransactionalResources` may be easily extended in the future to include other transactional resources, not just repositories. # Introduction of service layer - Transaction control moved to service layer Since the service layer is responsible for the atomic integrity of the operation, transaction control was moved to the service layer where required. - Extracted db-specific code from service layer to repository layer This leaves the service layer as a purely business logic layer. In many cases, this has left the service layer as a thin facade over the repository layer, which is exactly what the Service Layer design pattern recommends. For example, `RoleManagementService` which was previously over 300 lines of code is now only about 40 lines. - Fixed Preload issues Many hours was spent deep inside the Gorm source code to determine why `Preload()` was failing, and I'm pleased to report that I was able to identify the issue and rectify it in our code. As a result, I was able to do some extensive code refactoring to significantly reduce the number of lines of code required to execute some queries and get the results we required. For example, I was able to reduce the methods in `RoleManagementService` (some of them around 70 lines of code) significantly (in some cases just over 10 lines of code) in the `IdentityRole` repository. # Adds `IdentityAssociation` struct This type is a general purpose DTO for transferring membership and role assignment state from the repository/service layer to the controller layer. It is designed to replace multiple other DTO types (such as the [`IdentityOrganization`](https://github.com/fabric8-services/fabric8-auth/blob/master/authorization/organization/organization.go) type) with a single reusable type. Two convenience methods have been added to the `authorization` package to support this struct: ``` func AppendAssociation(associations []IdentityAssociation, resourceID string, resourceName *string, identityID *uuid.UUID, member bool, role *string) func MergeAssociations(associations []IdentityAssociation, merge []IdentityAssociation) []IdentityAssociation ``` The `AppendAssociation` function can be used to add new state to an `IdentityAssociation` array. It either merges the state into an existing element (if there is a match) or creates a new element if necessary. The `MergeAssociations` function is used to correctly merge the state of two separate `IdentityAssociation` arrays into one. Fixes #446 Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * return latest token first (#473) * Reorganize account package (#483) - Move all repositories from /account to /account/repository - Move all services from /account, /account/email/, /account/userprofile to /account/services * Delete tenants from Tenant service when deprovisioning user (#484) * Delete user from Tenant service when deprovisioning * Re-org tenant service * Generate Auth SA when creating Token Manager * Test for signer * Add delete tenant * Add tests for init * More tests * Delete tenant tests * Controller * Update tenant dep * Controller tests * dont delete namespaces for deprovisioned=false * Return error if object not found when deleting (#500) * Return error if object not found when deleting * Rename db to result * Add WWW-Authenticate: LOGIN header to the error response when login is required (#519) - [x] `WWW-Authenticate: LOGIN ur="https://auth.openshift.io/api/login" description="re-login is required"` header is added if any request to Auth contains an invalid bearer token: `Authorization: bearer ${token}` - [x] The same `WWW-Authenticate: LOGIN` header added to the 401 response if https://auth.openshift.io/api/token/refresh endpoint got 401 from Keycloak This PR is required to fix the backend side of openshiftio/openshift.io#3746 Also part of openshiftio/openshift.io#3736 * Service Account for Analytics Gemini Service (#520) * Refactor Notification Service (#529) * Send invitation e-mail to user via notification service (#514) * ISSUE-507 add new column to invitation table Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 testing framework enhancements Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 send notification for user invitation Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 modified notification messages Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 lookup space name from WIT service Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 updated acceptance URL Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 configurable accept url Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 don't process invite messages in separate thread Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 minor fixes Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 more tests to improve coverage Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 fix identity resource lookup Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 fixes for PR Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * Fix configuration * ISSUE-507 fixed tests Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 updated to use WIT config Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * ISSUE-507 fixed tests Signed-off-by: Shane Bryzak <sbryzak@redhat.com> * Clean up Keycloak collaborators/resources (#533) * Clean up Keycloak collaborators/resources * Tests * More tests to fix * Clean up configuration * Drop space-resources * fix method call * remove kc permissionID policyID * Refactor RemoteWITService as per new design of service (#560) - Adds RemoteWITService as new service under all available services for application. - Renamed lookupSpaceName to GetSpaceNameAndOwnedBy and moved it under wit_service.go - Modified tests as per new logic fixes #559 #536 * Extracting cluster service from Auth. Initial commit * Add fabric8-common * Fix compilation errors * Migration test placeholder * Fix auth for tests * Fix compilation errors in tests * Remove SA signer * Fix tests * Fix fetch keys tests * Fix status tests * Rename cluster to f8cluster (#1) * Rename cluster to f8cluster * Format * Rename OS templates * cleanup: fixes some errors in golangci (#4) * fixing tests Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * Fix auth for tests * Fix compilation errors in tests * Fix tests * Fix controller tests * fix tests Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * fix build failure and remove unused func Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * apply review comments Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * add comment on test Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * refactor HTTP query params tests Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * formatting Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * output example on 'AbsoluteURL' function Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * restore more exhaustive tests on tokens Signed-off-by: Xavier Coulon <xcoulon@redhat.com> * add 'resource.Require(t, resource.UnitTest)' and refactor tests Signed-off-by: Xavier Coulon <xcoulon@redhat.com>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Linking Accounts
<resource>- Resource we need to link accounts for. For example https://github.com/somecoolrepo or https://console.starter-us-east-2.openshift.com/console/project/coolproject<scope>- required scope. Multiple scopes can be specified by separating them with a space. Optional. If not defined then the default scope is used. Not supported in the first version!<redirect>- after successful linking the client will be redirected to this URL. If not specified then the URL from the “Referer” header will be used. If both “Referer” header and “redirect” param are missing then a Bar Request response will be returned.<access_token>- user’s access tokenIf the token for such user already exists then the account will be re-linked and the token will be updated.
In the first version, we support only github and openshift represents OSO-us-starter-2. Later an individual openshift provider will be associated with the user during signup by the registration app, as part of multicluster support.
Example:
Re-linking Accounts
If some services catches 401 when trying to use Git or OS token this service should return 401 to UI with the following header:
WWW-Authenticate: LINK url=<link_url_optional>, description=”<description_optional>”UI should initiate re-linking when catches such 401 response.
The text was updated successfully, but these errors were encountered: