The QR Code generated with the QR string via a JWT turns out to be invalid - twilio-api

The problem is that I've gone through the API documentation of Authy. Now there can be trust issues with users providing me their PII.
So I tried the non-PII approach, for which I need a QR code to be scanned by my users.
Even though I've followed the exact process mentioned in the documentation, after doing a test drive of my application I tried scanning the QR code, which gets generated in a PHP file that I've made. However, the Authy app, after scanning the QR code, says:
Account couldn't be added. Please contact your service provider
P.S. I will provide the PHP code that I've made which generates the QR code. However, I just want to know if this is a known issue about not being able to add an account to my Twilio Authy application.

I'm seeing the same error. I have not been able to get a response from Authy dev support on what the error means (if it's a config issue, an issue with my code, etc.). But https://jwt.io/ says the token is correct, so I'm assuming it's an Authy config issue.

Ensure the expiration date is <= (issuing date + 15 minutes) on your JWT token.
That was the reason I had the error 'Account couldn't be added. Please contact your service provider'.
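The answer above says the token is rejected when `exp` is more than 15 minutes after `iat`. The following is an added example in Python (not the poster's PHP, and not Twilio/Authy library code) that mints an HS256 JWT with the standard library and checks that lifetime rule before the token is turned into a QR string. The secret, the `iss`/`sub` values and the 900-second limit are constructed from the answer; the real claim set Authy expects comes from its documentation.

```python
import base64
import hashlib
import hmac
import json
import time

# 15 minutes, the limit named in the answer above.
MAX_LIFETIME_SECONDS = 15 * 60
# Constructed demo secret; a real app signs with the key from its Authy account.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def check_lifetime(token: str, max_seconds: int = MAX_LIFETIME_SECONDS) -> tuple:
    """Return (ok, reason). Rejects tokens missing iat/exp or living longer than max_seconds.

    This inspects the payload only; signature verification is a separate step.
    """
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return False, "token is not a well-formed JWT"
    if "iat" not in payload or "exp" not in payload:
        return False, "iat and exp claims are both required"
    lifetime = payload["exp"] - payload["iat"]
    if lifetime <= 0:
        return False, "exp must be after iat"
    if lifetime > max_seconds:
        return False, f"lifetime {lifetime}s exceeds the {max_seconds}s maximum"
    return True, "ok"


def enrollment_token(issued_at: int, lifetime_seconds: int,
                     secret: bytes = DEMO_SECRET) -> str:
    """Mint a token with iat/exp; iss and sub are constructed placeholder values."""
    claims = {
        "iss": "example-app",  # constructed
        "sub": "user-123",     # constructed
        "iat": issued_at,
        "exp": issued_at + lifetime_seconds,
    }
    return make_jwt(claims, secret)


if __name__ == "__main__":
    now = int(time.time())
    for lifetime in (10 * 60, 60 * 60):
        print(lifetime, check_lifetime(enrollment_token(now, lifetime)))
```

Run `check_lifetime` on the token immediately before encoding it into the QR string; a one-hour token passes jwt.io's syntax check but fails this rule, which matches the symptom described in the thread.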

Related

Invalid JWT token for New subaccount in SaaS

We are working on SaaS application development on SAP BTP and are facing a very strange issue with new subaccounts. After publishing our application through the SaaS registry service and implementing all callbacks, including the dependency callback, when we create a new tenant subaccount and do a subscription we face an issue in the login steps below:
Subscription is working fine and we are able to generate a tenant-specific URL.
When a user logs in to the application, we are unable to call any backend service API via the logged-in user, as XSUAA is unable to authenticate because the JWT signature is not valid:
"<error_description>Cannot verify signature of access
token</error_description> invalid_token"
The same workflow works fine with old subaccounts created some time back for testing purposes.
We are facing the issue with newly created subaccounts for tenants.
Please help.
Thanks,
Siddharth
The SAP Business Technology Platform changed the way a tenant's JWT is validated in the first half of 2020. Instead of using a single well-known URL to get the validation key, it now relies on the jku field and the issuer to make sure every tenant has a URL to fetch a key for the JWT validation.
The SAP Cloud SDK version 3.16.1 and above (https://sap.github.io/cloud-sdk/docs/java/release-notes-sap-cloud-sdk-for-java#3161) should fully support this validation mechanism. This means that the SDK version you use should be perfectly fine.
There could be edge cases where the application logic might require an update. That's why I suggest you create an issue here and provide the following information:
Since when has the issue been affecting you? Was it working a week before and broke just now? Or had you not added new tenants in a while and now it's breaking?
Dependency tree of your app
Please provide a detailed exception stack trace or logs to identify the root cause.
Send us the code snippet where you believe things fail.
Once we can make it reproducible, solving this should be rather straightforward.
We are happy to update this thread when a solution is found so that the community can benefit.
Looking forward to the detailed issue and reproduction steps.
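The answer above describes validation that fetches the signing key from the URL in the token's jku header, bound to the issuer. Because that URL comes from the token itself, a verifier must constrain it before any network fetch, otherwise a forged token can point jku at a key server the attacker controls. The following is an added Python example (not SAP Cloud SDK code) of that pre-fetch check; the trusted domain suffix and the host names are constructed for illustration, and the tokens it builds are unsigned because it only examines the header and payload, with signature verification left to the SDK.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed suffix; a real deployment takes this from configuration.
TRUSTED_SUFFIX = ".authentication.example.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def unsigned_token(header: dict, payload: dict) -> str:
    """Assemble header.payload. with an empty signature, for exercising the check only."""
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    return ".".join(parts) + "."


def split_jwt(token: str) -> tuple:
    """Return (header, payload) dicts; raises ValueError on malformed input."""
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("JWT must have three dot-separated parts")
    return json.loads(_b64url_decode(pieces[0])), json.loads(_b64url_decode(pieces[1]))


def jku_is_trusted(token: str, trusted_suffix: str = TRUSTED_SUFFIX) -> tuple:
    """Return (ok, reason) for the jku/issuer binding before any key fetch.

    Rules: jku must be https, its host must end with the trusted tenant-domain
    suffix, and it must be the same host as the iss claim.
    """
    try:
        header, payload = split_jwt(token)
    except ValueError:
        return False, "token is not a well-formed JWT"
    jku, iss = header.get("jku"), payload.get("iss")
    if not jku or not iss:
        return False, "jku header and iss claim are both required"
    jku_url, iss_url = urlparse(jku), urlparse(iss)
    if jku_url.scheme != "https":
        return False, "jku must use https"
    # .hostname strips any userinfo, so https://tenant.example.com@evil.net/ is seen as evil.net
    host = jku_url.hostname or ""
    if not host.endswith(trusted_suffix):
        return False, f"jku host {host!r} is outside the trusted domain"
    if host != iss_url.hostname:
        return False, "jku host does not match the issuer host"
    return True, "ok"


if __name__ == "__main__":
    tok = unsigned_token(
        {"alg": "RS256", "kid": "key-1", "jku": "https://tenant-a.authentication.example.com/token_keys"},
        {"iss": "https://tenant-a.authentication.example.com/oauth/token"},
    )
    print(jku_is_trusted(tok))
```

Only after this check passes should the verifier fetch the key set from jku and verify the signature; the per-tenant key URL is what makes old and new subaccounts differ, so logging the jku and iss of a rejected token is the quickest way to see which side of the binding is wrong.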

Twilio Access token returns 20101 Invalid Access Token

I am using the Twilio testing tools to generate an access token that I can use to familiarize myself with the getting started project
https://github.com/twilio/video-quickstart-swift#setup.
However, whenever I generate one, I get an error when I run the project on the simulator.
This is the error:
Connection Failed couldn't connect to room arkit. code: 20101 Invalid
Access Token.
Note: I just started using Twilio, so my knowledge is very basic.
I initially thought there was a specific user ID one should post in the client identity field here: https://www.twilio.com/console/video/runtime/testing-tools.
However, I figured you can use any name and it should work. Thoughts?
Make sure you change your scheme from the default ARKitExample to the VideoQuickStart.
I figured out what the problem was: since I was sending the phone number in my code, the + in the country code was getting decoded as a space. The number that was being sent to the API was therefore wrong and it could never work.
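The answer above found that a leading `+` in a phone number arrives at the server as a space when it is placed in a query string unencoded. The following is an added Python example (not the poster's code or Twilio's) showing the difference between a naive and a properly encoded identity parameter, plus an E.164 sanity check that would have caught the corrupted value before it reached the API. The parameter name `identity` and the phone numbers are constructed.

```python
import re
from urllib.parse import parse_qs, urlencode

# E.164: a plus sign followed by 2 to 15 digits, first digit non-zero.
_E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def naive_query(identity: str) -> str:
    """String concatenation, as the failing code effectively did: '+' is left raw."""
    return "identity=" + identity


def encoded_query(identity: str) -> str:
    """urlencode percent-encodes '+' as %2B, so the server decodes it back to '+'."""
    return urlencode({"identity": identity})


def identity_seen_by_server(query: str) -> str:
    """Decode the query the way a web framework does: raw '+' becomes a space."""
    return parse_qs(query)["identity"][0]


def is_e164(identity: str) -> bool:
    """Reject anything that is no longer a valid E.164 number after decoding."""
    return bool(_E164.match(identity))


if __name__ == "__main__":
    number = "+15551234567"  # constructed
    for builder in (naive_query, encoded_query):
        q = builder(number)
        seen = identity_seen_by_server(q)
        print(f"{builder.__name__:14} {q!r:28} server sees {seen!r} valid={is_e164(seen)}")
```

The check belongs on both ends: the client should encode, and the server (or token-minting endpoint) should validate the decoded identity and log a clear rejection rather than handing back a token that the video service will later refuse.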

How to debug an Invalid Signature on SAML Response

We're using ruby-saml to establish our app as a service provider while using Google as an identity provider, though I do not think this question is specific to Ruby or that project.
I have seen this answer from the point of view of an IdP, but I'm hoping to see one from the point of view of an SP, because I have a hard time believing Google is getting the signature on the response wrong.
On top of that, we have successfully integrated with other Google accounts, and they work at the same time this one is broken.
As the service providers, how can we figure out the source of an Invalid Signature on SAML Response from the identity provider?
We had the same error, but a different solution. Our problem was invalid characters in the XML response. Both parsing and validation failed. We could substitute the chars before parsing, but then the validation would still fail because of the changed content. The solution was to base64 decode the response and open the XML response in an editor (or online XML validator) to find the problematic data. In our case: attribute name "objectSid" from AD. We then changed the simplesamlphp config so that it sent only the data we needed. Now the response validates and parses without problems. Btw, in "settings.idp_cert" (using the ruby-saml gem) we include both the "begin certificate" and "end certificate" headers.
Also, there are browser add-ons that will intercept the SAML conversations for debugging purposes.
Also check these for online troubleshooting:
validate response:
https://www.samltool.com/validate_response.php
(be careful not to paste your private keys online; only the public cert is needed for response validation)
validate XML:
https://www.xmlvalidation.com
online base64 decode:
https://www.samltool.com/base64.php
I ended up using the suggestion to use XMLSec in the answer I referenced in the question, and ran through the decoded base64 response and the certificate(s) in the metadata file from Google.
That gave me the confidence that there was indeed something wrong with the certificates in the IdP metadata XML file that Google provided.
I then noticed that my working accounts only had 1 certificate in the file, while this one had two. So I removed one, and it did not work. Then I replaced it and removed the other, and it worked.
Then I found out that I could place both certs in the file as long as the working one was first.
I am not sure why there was a difference, and I do not know why Google outputs the certs in an order that XMLSec cannot use to verify the signature.
Perhaps someone with more knowledge than myself can chime in on that, but for now, I'm happy to report that simply reversing the order in which the certs appeared in the IdP metadata file from Google allowed the signature to be verified.
I needed to include this setting as well. YMMV; it seems like the default algorithm is SHA-1, but the key and output that I was calculating using the openssl utility were using SHA-256:
settings.idp_cert_fingerprint_algorithm = "http://www.w3.org/2000/09/xmldsig#sha256"
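Two of the answers above come down to inspecting the raw response offline: base64-decode it, look for characters XML does not allow (the binary objectSid case), and compute the certificate fingerprint with the same algorithm the SP is configured for (the SHA-1 versus SHA-256 case). The following is an added Python example that does both locally, so nothing has to be pasted into an online tool; it is not ruby-saml or simplesamlphp code. The sample response is constructed, undecodable bytes are surfaced as lone surrogates so the scanner flags them, and the fingerprint format follows `openssl x509 -noout -fingerprint -sha256`.

```python
import base64
import hashlib
import re

# Everything outside the XML 1.0 Char production. Lone surrogates (U+D800-U+DFFF)
# fall in the excluded gap, which is why decoding with surrogateescape below makes
# non-UTF-8 bytes show up here too.
_ILLEGAL_XML_CHAR = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)

# Constructed SAMLResponse fragment carrying raw AD objectSid bytes (not a real response).
_SAMPLE_XML_BYTES = (
    b'<saml:Attribute Name="objectSid">'
    b'<saml:AttributeValue>\x01\x05\x00\xff</saml:AttributeValue>'
    b'</saml:Attribute>'
)
SAMPLE_RESPONSE_B64 = base64.b64encode(_SAMPLE_XML_BYTES).decode("ascii")


def decode_saml_response(encoded: str) -> str:
    """Base64-decode the POSTed SAMLResponse; bad UTF-8 bytes become U+DCxx surrogates."""
    return base64.b64decode(encoded).decode("utf-8", errors="surrogateescape")


def find_illegal_xml_chars(xml_text: str) -> list:
    """Return [(offset, 'U+XXXX'), ...] for every character XML 1.0 forbids."""
    return [(m.start(), f"U+{ord(m.group()):04X}") for m in _ILLEGAL_XML_CHAR.finditer(xml_text)]


def cert_fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Digest of the DER bytes inside a PEM block, colon-separated uppercase like openssl."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    digest = hashlib.new(algorithm, base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, expected: str, algorithm: str = "sha256") -> bool:
    """Compare ignoring case and colons, as configured fingerprints are often pasted either way."""
    norm = lambda s: s.replace(":", "").lower()
    return norm(cert_fingerprint(pem, algorithm)) == norm(expected)


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_RESPONSE_B64)
    for offset, code in find_illegal_xml_chars(xml_text):
        print(f"illegal XML char {code} at offset {offset}: ...{xml_text[max(0, offset-20):offset]!r}")
    # Degenerate PEM with an empty body just to show the output format.
    print(cert_fingerprint("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"))
```

If the scanner reports hits, the fix is on the IdP side (stop releasing the binary attribute, as the answer did); rewriting the bytes locally breaks the signature. If the fingerprint computed here with `sha1` matches what the SP has configured but the IdP signs with a SHA-256 certificate fingerprint setting, that is the mismatch the last answer resolved with `idp_cert_fingerprint_algorithm`.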

API key not allowed when using Weather service

I built a simple Node.js app that worked with the Weather service. It worked fine for a while, but about 24 hours ago it started returning this error:
{"metadata":{"version":"1","transaction_id":"1:1362317376","status_code":401},"success":false,"errors":[{"error":{"code":"AGW-0210","message":"Api not allowed for this api key."}}]}
I've double-checked my authentication information and it is correct.
The 401 response indicates authentication failed. But it may also have been the service being unavailable or a plan limit being reached. Are you still seeing this problem? Is it intermittent or continuously failing?
There is a brief explanation of the throttling of the API when it hits the limits of the plan that you selected. See here, in the bottom paragraph of the first section.
You can check the status of the Bluemix platform here.
I found a workaround for me: just delete the old service and create a new one.
This works fine for me.

Getting error when connecting to an app using Intuit

I have just created an app in the Customer Account Data section at
https://developer.intuit.com after signup.
Then I created a .NET application to get authorization, providing the details I received just after the app was successfully created, like consumerKey and consumerSecret.
I am able to get the page that authenticates with my username, but there is also an error like:
Oops! An error has occurred.
Please close this window and try again.
Error Code: invalid_database
Message: AppId cannot be <= 0, appId=-1
My main aim is to get back to the page which shows a successful authentication. I checked my app again at
https://developer.intuit.com/Application/List
and I see Status: Pending Review for that app.
I just want to test the authentication for a sample application.
How can I understand this review system? Do we have something like the sandbox in PayPal for testing, and if so, how do I get started with it?
Are you 100% positive that you have your OAuth key, secret, and your app token correctly entered in the config for your app?
You should not need to go through any sort of review process; you probably just have something entered/configured incorrectly.
I think you are confusing apps for Customer Account Data and QuickBooks.
If you created an app for CAD, then you need to upload a certificate too.
If you go to the GitHub sample app for CAD:
https://github.com/IntuitDeveloperRelations/IPP_Sample_Code -> customer account data
you will see that it does not require the OAuth callback URL or any of the values you have mentioned. All these values are required when you create a QuickBooks sample application.
The above link has the code samples for both CAD and QuickBooks.
Please verify what you are looking for.
Most probably you were using the wrong public-private key pair.
While setting up the AggCat integration, you used one public key, but while doing the SAML assertion you are not using the corresponding .key/.p12 file. Please verify that.
You can easily test this use case using the APIExplorer tool.
https://developer.intuit.com/apiexplorer?apiname=CustomerAccountData
You can refer to the following steps to get new tokens and test API calls.
Key generation using openssl: https://developer.intuit.com/docs/0020_customeraccountdata/007_firstrequest
After generating these keys, you can create a sample app with the public key: https://developer.intuit.com/docs/0020_customeraccountdata/009_using_customeraccountdata/0010_gettingstarted/0015_create_an_cad_integration
Then use the .p12 file with its password for the SAML assertion in the APIExplorer: https://developer.intuit.com/apiexplorer
Thanks