No able to log in on local environement

I cannot access my localhost environment. A popup containing an error appears with the error “unable to authenticate you”.

My local server logs HTTP 200 for forest/authentication, but my network tab displays an error saying SecretNotFoundError.

Screenshot 2022-06-09 at 11.54.11

Screenshot 2022-06-09 at 11.57.06

Environment info:

id                 51261                                                            
 name               Localhost                                                        
 url                http://localhost:3310                                            
 active             true                                                             
 type               development                                                      
 liana              forest-express-sequelize                                         
 version            8.5.7                                                            

Project: TymeshiftFA

The FOREST_ENV_SECRET ENV var is properly set. Do I need to set anything in specific?
My server is a NodeJS/Express with Sequilize

Dependencies in use:

"forest-cli": "^2.6.11",
"forest-express-sequelize": "^8.5.7",

Help, please :slight_smile:

Hi @Raphael_Neves, welcome to the community :slight_smile: !

Do you have any error logs in your server locally?
Can you share the payload of the failing request too? (You should have a state property in the payload)


Hello @shohanr :wave:
Thanks for the welcoming :slight_smile:

Unfortunately, no errors are being displayed on my server.
You can check my request payload below as query params

code=...ZoLrud-4FwyZ& // should I share this code? not sure if it is sensitive
state: {"renderingId":66333}

Thanks in advance, mate.

Hey @Raphael_Neves,

Thanks for sharing this. I just check and it’s the right environment, it means that the FOREST_ENV_SECRET is well defined.

It means that the callback didn’t contact your server but another URL address.

  • Can you check again the failing call? (I’m not able to see the Request URL)
  • Have you defined any other environment variables like the APPLICATION_URL?
    The application URL should match your API endpoint in your case http://localhost:3310.

Let me know if it helps. :pray:

Kind regards,

Hey @morganperre :wave:
Thanks for your reply.

Yes, I have some other ENV VARS set on my side. Below you can find the schema:

    type: 'number'
    type: 'string'
    required: true
    type: 'string'
    required: true
    type: 'string'
    required: true
    type: 'string'
    required: true
    type: 'boolean'
    required: true
    type: 'string'
    required: true
    type: 'string'
    required: true
    type: 'string'
    required: true
    type: 'string'
    required: true
    type: 'string'
    required: true
    type: 'number'
    required: true
    type: 'string'
    required: true

About the request URL:

:point_up: This made me think that this URL is my dev environment and that I was doing something really wrong, and the conclusion is: at Tymeshift we are fetching the above-mentioned schema values from an internal vault, and I was pulling the dev keys instead of the local ones :roll_eyes:

I deleted my config.yml file, fetched again specifying the correct environment (local), and now I have a different error, in a different endpoint. Below you can find the compiled information:

Request URL failing:

client_id: ...-uMR6RVZ4XC4UEA
scope: openid email profile
response_type: code
redirect_uri: http://localhost:3310/forest/authentication/callback
state: {"renderingId":66333}

The error is different now:

{"errors":[{"status":400,"detail":"Invalid client id","meta":{},"name":"InvalidClientIdError"}]}

My env vars related to my local FA:

authSecret: ...9d8be9a2be
envSecret: ...2ece481dc2
clientId: ..._QT_1JATOiSo-uMR6RVZ4XC4UEA

And now I also got this error on my server logs:

[forest] 🌳🌳🌳  Unexpected error: Forest server request error: Client network socket disconnected before secure TLS connection was established
  "jse_shortmsg": "Forest server request error",
  "jse_cause": {
    "code": "ECONNRESET",
    "path": null,
    "host": "",
    "port": 443
  "jse_info": {},
  "stack": "VError: Forest server request error: Client network socket disconnected before secure TLS connection was established\n    at /Users/raphaelneves/Development/Repos/Forest-Admin/node_modules/forest-express-sequelize/node_modules/forest-express/dist/services/forest-server-requester.js:53:23\n    at Request.callback (/Users/raphaelneves/Development/Repos/Forest-Admin/node_modules/forest-express-sequelize/node_modules/superagent/lib/node/index.js:893:3)\n    at ClientRequest.<anonymous> (/Users/raphaelneves/Development/Repos/Forest-Admin/node_modules/forest-express-sequelize/node_modules/superagent/lib/node/index.js:810:12)\n    at ClientRequest.emit (node:events:402:35)\n    at ClientRequest.emit (node:domain:475:12)\n    at TLSSocket.socketErrorListener (node:_http_client:447:9)\n    at TLSSocket.emit (node:events:390:28)\n    at TLSSocket.emit (node:domain:475:12)\n    at emitErrorNT (node:internal/streams/destroy:164:8)\n    at emitErrorCloseNT (node:internal/streams/destroy:129:3)\n    at processTicksAndRejections (node:internal/process/task_queues:83:21)"


Hey @Raphael_Neves ,

Thank you for your detailed answer. :pray:

It means that your APPLICATION_URL was set to Did you change it to http://localhost:3310 ?

Ok ok. No problem.

That’s our guilty, you don’t need a CLIENT_ID in your development setup. It’s only needed in production for infrastructure with multiple backends running behind a load balancer for example.

Let me know if it helps this time. :slight_smile:

Kind regards,

Hey @morganperre ,
Yes, my APPLICATION_URL is now set to http://localhost:3310.

So, I have removed my CLIENT_ID var, and now the app is sending it as undefined, leading me to have the same error as before

{"errors":[{"status":400,"detail":"Invalid client id","meta":{},"name":"InvalidClientIdError"}]}

This is the endpoint failing: ``
The payload:
  1. client_id:undefined
  2. scope:openid email profile
  3. response_type:code
  4. redirect_uri:http://localhost:3310/forest/authentication/callback
  5. state:{“renderingId”:66333}

Ok, that’s super strange. Normally, our server gives you a proper client_id using your FOREST_ENV_SECRET. Then it uses this client_id to perform the OIDC challenge.

  • I’m not able to understand why the client_id is undefined in your case. Do you have FOREST_CLIENT_ID defined too? It should also be removed too.

I will try to see what can cause the issue on my side.

  • In the meanwhile could you send me in PM the response from your http://localhost:3310/forest/authentication endpoint?
    You should have an authorizationUrl in response (this URL is built into the agent using after calling our server to retrieve the client_id).

Really sorry for the inconvenience.

Kind regards,

Me again,

In the last scenario, you don’t have any error/logs on your local backend (server)?


No, I didn’t have any error on the server

1 Like

Hey @Raphael_Neves,

Did you see my previous message too ?

Oh, I didn’t. I am sending right away the response payload to you.
Regarding the FOREST_CLIENT_ID, this is not set on my side.

Normally, your agent should call /oidc/reg to register a new client_id. Can you restart your local server and give me the exact time you restart it ? (This way I should be able to track your call in our monitoring to see if I can find something)

I’m not sure to understand how your envs variables work, how your config.yml pass the environement variables to the agent ? Does it generated a .env ?

Another thought, can you share the way you integrated forest/you pass your environment variables to forest ?

Do you use external libs ? In an other thread an outdated version of google-auth-library makes things go crazy.

Kind regards,

Hey @morganperre , it worked :tada:
So, after your message about having somewhere else setting the FOREST_CLIENT_ID, I was digging the code and I found a very random piece of code that should not be there setting process.env.FOREST_CLIENT_ID=this._config.forest.clientId; :roll_eyes:

Basically, we have an internal tool that you pass a schema + a decoding token, and the env vars are populated from an internal vault.

Some lessons learned from this situation:

  1. We don’t need clientId for the local environment
  2. Our project was bad set, once the cliendId was a required prop on our schema
  3. We were setting a hook during the build phase to set the FOREST_CLIENT_ID to the node environment. If this was not present, we were set by default as undefined.

Thank you so much for the support and patience.
I am setting this as solved.

1 Like

@Raphael_Neves so glad to hear that. :pray:

That’s what I had in mind. Happy you find the culprit. :muscle:

You are welcome. Sorry that it took that much time to find the solution. I hope it will ease your development setup in the future.

Thanks for your time and patience.

Kind regards,