Forest Admin "Please verify that you amin is set up correctly"

Expected behavior

When using the correct FOREST_ENV_SECRET I am expecting to work.

Please describe here the behavior you are expecting.

Actual behavior

Screenshot 2021-03-26 at 10.41.01

On Browser console BE server raises a 500 when trying to access.

/forest/authentication/callback?error=UnauthorizedToAccessClientError&error_description=You are not allowed to access to this client&state={“renderingId”=>85890}

Please include any relevant log snippets, if necessary.

Generated a random auth_secret and used it.
Set the correct application_url
and used

curl -H "Content-Type: application/json" -H "Authorization: Bearer FOREST_ENV_SECRET" -X POST  -d '{"token_endpoint_auth_method": "none", "redirect_uris": ["APPLICATION_URL/forest/authentication/callback"]}'

To generate a token

Please provide any relevant information about your setup.

  • Package Version:6.1.1
  • Rails 6.1.3
  • Database Dialect:Postgres
  • Database Version: 12

Hello @berkos,

Just to be sure, did you use this request by replacing FOREST_ENV_SECRET inside the header Authorization: Bearer FOREST_ENV_SECRET by its actual value?

Can you send me by DM the last characters of the env secret you used, along with your project and environment names?

Also, can you share with me in DMs the client id that you generated?

Ok, so to sum up after several private messages:

  • Your generated client_id seems good
  • After checking the request sent by the browser to it appears that the provided client_id at this stage is not correct.

So there is probably a configuration problem on your agent. You have to provide this new client id value to your application, as stated in the docs.

Yes, this has happened. We identified that the server has the latest client_id. Forest App (Browser) seems to be sending an old value. Is there a chance you are caching it on your side?

In fact, this client id sent by the browser is the one that your application provides to the browser. The authentication is done in multiple steps:

  1. The browser contacts youserver/forest/authentication
  2. Your server responds with a url to contact on the forest admin api:[OTHER-PARAMS]
  3. The browser contacts the Forest Admin server on this URL
  4. The Forest Admin server authenticates the user that makes this call and returns an url on your server yourserver/forest/authentication/callback with a special code to finish the authentication process
  5. The browser contacts your server at the provided URL
  6. Your server checks the code and then creates a JWT that will authenticate the user on your server

You can see an incorrect clientId at step 2 because your server sends it to the browser. So I’m pretty sure that the configuration of your server is incorrect for this environment.

Thanks very much for explaining the detailed communication between Forest and Server. That will help for future debugging.

Hi @GuillaumeGautreau .
I went all they way creating a new client_id. I can verify in a rails console of that environment I am getting
The new client_id which I just generated by checking ForestLiana.forest_client_id . However the server from the Forest liana gem keeps sending an other value which is nowhere in an ENV variable or credentials.

I had a look on the source and looks like there is some caching on your side using Rails.cache

Apart from that I can see that my is present for that given url which means you are returning to me an old (deleted client) that does not exist anymore.

Only if that ( ) does not return a value you will only then try to generate this again using my ForestLiana.forest_client_id, here forest-rails/oidc_client_manager.rb at 3fb83d17e2cfa8aa6148f90eba1f62748e938135 · ForestAdmin/forest-rails · GitHub

Am I following this correctly?


Hi @berkos,

You are totally right, the client id is currently first retrieved from the cache, and only if it has not been found the application reads from the environment variable.

We will work on a fix to avoid this kind of mismatch between the client id and the env variable if provided.

In the meantime, is it possible for you to clear this cache entry? It will probably fix your problem.

Yes I did that and fixed the issue. Going forward, I think it would nice your cache_key to be a combination of the callback_url and the client_id.


1 Like

You are totally right, we will work on a fix that will probably work this way.

1 Like

Just for information, forest-rails version 6.3.1 fixed this issue by adding bot the callback url and the environment secret to the cache key.