🚨 Forest down (SSL issue) - Trouble logging in - error 400: Invalid client id 🚨

Expected behavior

Users can log in.

Actual behavior

Users can’t log in.

Failure Logs



Context

Please provide any relevant information about your setup.

  • Package Version: Rails 6, Forest Liana 6
  • Project Name: okarito

Hello @remi_okarito,

The error shown in the console seems to be related to your certificate, can you check that it is still up to date?

Hello @anon16419211 sure, I’ll check.

Our app is working fine on our side.

I confirm our SSL certificates are valid.

Hi there, we have the same issue

Hi everyone, and thanks @remi_okarito for the heads up.

🚨 We’re currently encountering an issue with our application SSL certificate. As a result, users can’t log in to app.forestadmin.com. Our engineering team is working to identify the root cause and fix the issue. We apologize for any inconvenience and we’ll keep you updated on the status.

You can follow the progress of this incident right here - Trouble logging in | ForestAdmin

@remi_okarito @Amael-ApiBots and all,

It only concerns the projects that are running on the v7 or v8.

To resolve this issue,

  • Customers not using a static FOREST_CLIENT_ID need to restart their server to log back in to Forest Admin.

  • Customers using a static FOREST_CLIENT_ID will need to regenerate it on all environments and restart their servers.

See how to generate it:

curl -H "Content-Type: application/json" \
     -H "Authorization: Bearer FOREST_ENV_SECRET" \
     -X POST \
     -d '{"token_endpoint_auth_method": "none", "redirect_uris": ["APPLICATION_URL/forest/authentication/callback"]}' \
     https://api.forestadmin.com/oidc/reg

Let us know if that helps.

I’m getting 400 errors when running


curl -H "Content-Type: application/json" \
     -H "Authorization: Bearer {my forest env secret}" \
     -X POST \
     -d '{"token_endpoint_auth_method": "none", "redirect_uris": ["https://api.okarito-internal.com/forest/authentication/callback"]}' \
     https://api.forestadmin.com/oidc/reg

{"errors":[{"status":400,"detail":"Error - 400"}]}{"errors":[{"status":400,"detail":"Error - 400"}]}% 

I’ll keep investigating

Hi Louis,

I’m using a static FOREST_CLIENT_ID. I ran this request, received one token, and restarted the server, but it is not resolved for me.

My environment_id is 51085
Thanks!

Hi Louis,

Same here, the request seems to work, I receive a “client_id” token, but we still can’t log in.
Are we supposed to do something with this client_id? Our config only uses FOREST_ENV_SECRET and FOREST_AUTH_SECRET.

My environment_id is 35172 and we use Node.js

Thanks in advance

Hi @louiss, I believe you still have SSL problems

Hi,
If this helps: after successfully generating a new client ID,
Forest Admin uses it, but it looks like the callback URL structure does not match.

Here is the error payload I see from the call to https://api.forestadmin.com/oidc/auth on the browser side:
(Status 400 - I replaced our real host name with <hostname>)

{"errors":[
{"status":400,
"detail":"The redirect uri must be one of https://<hostname>/forest/authentication/callback. Received \"https://<hostname>:443/forest/authentication/callback\"","meta":{},"name":"InvalidRedirectUriError"}
]}

I assume that port addition is not tolerated - or maybe it’s something deeper.

Try a full URL for the callback - not just the hostname?

Worked on our side, we’re restarting the servers now


Yes,
It’s confirmed - we are able to login.

So please generate the new client Id while specifying the callback url in both forms - with and without the port.
The working call looked like this:

curl -H "Content-Type: application/json" \
     -H "Authorization: Bearer <my env secret>" \
     -X POST \
     -d '{"token_endpoint_auth_method": "none", "redirect_uris": ["https://<hostname>/forest/authentication/callback","https://<hostname>:443/forest/authentication/callback"]}' \
     https://api.forestadmin.com/oidc/reg
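The port mismatch reported above, as an added example that is not part of any post in this thread and is not Forest Admin's code: the provider compares the received redirect URI with the registered ones as exact strings, so `https://<hostname>/...` and `https://<hostname>:443/...` count as different values. The helper names and the host `admin.example.com` are assumptions made for illustration.

```javascript
// Added example, not Forest Admin code. All helper names are hypothetical.
const CALLBACK_PATH = '/forest/authentication/callback'; // path from the thread
const DEFAULT_PORTS = { 'https:': '443', 'http:': '80' };

// Return the callback URL in every spelling a client may send: without a
// port and with the scheme's default port written out. new URL() drops
// ":443" from https URLs, so the explicit form is assembled by hand.
function redirectUriVariants(applicationUrl) {
  const u = new URL(applicationUrl);
  const defaultPort = DEFAULT_PORTS[u.protocol];
  if (!defaultPort) throw new Error(`unsupported scheme ${u.protocol}`);
  const path = u.pathname.replace(/\/+$/, '') + CALLBACK_PATH;
  if (u.port !== '') {
    // Non-default port: there is only one spelling.
    return [`${u.protocol}//${u.host}${path}`];
  }
  return [
    `${u.protocol}//${u.hostname}${path}`,
    `${u.protocol}//${u.hostname}:${defaultPort}${path}`,
  ];
}

// Exact string comparison, as the InvalidRedirectUriError message implies:
// no normalisation of default ports, letter case or trailing slashes.
function isRegistered(registered, received) {
  return registered.includes(received);
}

// JSON body for POST https://api.forestadmin.com/oidc/reg (see the curl call).
function registrationBody(applicationUrl) {
  return JSON.stringify({
    token_endpoint_auth_method: 'none',
    redirect_uris: redirectUriVariants(applicationUrl),
  });
}

// Constructed sample host, not a real deployment.
const uris = redirectUriVariants('https://admin.example.com:443');
console.log(registrationBody('https://admin.example.com'));
console.log(isRegistered([uris[0]], uris[1])); // port-less form only: rejected
console.log(isRegistered(uris, uris[1]));      // both forms registered: accepted
```

The output of `registrationBody` can be passed to `curl -d` in place of the hand-written JSON.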

Hello Remi
Did it work completely on your side?

On our side we’re still facing SSL errors after resetting our client ID

@remi_okarito From what I see, it looks like your Forest server calls out to get a token from the code, and that call is against a server (Forest’s own OAuth provider), and that call has an invalid SSL cert.
I wonder if the cert could be somehow cached on your server side, since I assume my servers (which are able to validate the code for a token) are able to call that Forest server and would not report an error.

Remi,
The URL called by your server to validate the code is:
https://api.forestadmin.com/liana/v2/renderings/<renderingid>/authorization
From looking at the source code of forest-express.

Checking the SSL on this endpoint looks good - see here.

  • Do you have a value set for the env. variable FOREST_URL? Otherwise you use the default, which is the above.
  • Can you try to curl this URL:
    curl https://api.forestadmin.com/liana/v2
    from your Forest Admin server to see if the SSL is valid? You should get something like this if the SSL is valid:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /liana/v2</pre>
</body>
</html>

This is exactly what I’m getting