"Unable to authenticate you" Can't reach our server

Feature(s) impacted

Observed behavior

Expected behavior

Unable to access our forest backend, need to asap

Failure Logs

{“error”=>“invalid_grant”, “error_description”=>“You are not allowed to access to this client”, “state”=>“{“renderingId”=>32948}”}

Context

Project name: Spare Leash
Team name: Sitter Support
Environment name: Production
Agent type & version: forest_liana 7.2.2 (ruby)
Nothing has been updated recently

Hello,
When this error is occurred ?
Does it appeared when forest ask you to enter your 2fa code ?

Hello,

When we try to log in, says check our server is connected. We have checked multiple times, restarted and all is working fine on our end aside from forest.

We can’t even log into our account. Have reported this to the main admin I was speaking to April 27th. It’s now affecting business so if we could get this sorted asap it would be appreciated

Thanks you!

Can you share your server logs and the network logs from your browser when the bug is occurred ?
Sometimes, the adblock extension blocks the requests, did you try to disable it ?

Hello!

Of course, please see below the following the server logs:

2023-05-11T02:52:12.179400038Z app[web.1]: I, [2023-05-11T10:52:12.179141 #6] INFO – : [fa3a2aab-03e5-4666-9a85-39ec5ef3200a] Started POST “/forest/authentication” for 183.192.35.105 at 2023-05-11 10:52:12 +0800
2023-05-11T02:52:12.181074919Z app[web.1]: I, [2023-05-11T10:52:12.180934 #6] INFO – : [fa3a2aab-03e5-4666-9a85-39ec5ef3200a] Processing by ForestLiana::AuthenticationController#start_authentication as /
2023-05-11T02:52:12.181100691Z app[web.1]: I, [2023-05-11T10:52:12.181003 #6] INFO – : [fa3a2aab-03e5-4666-9a85-39ec5ef3200a] Parameters: {“renderingId”=>“32948”}
2023-05-11T02:52:13.141319681Z app[web.1]: I, [2023-05-11T10:52:13.141096 #6] INFO – : [fa3a2aab-03e5-4666-9a85-39ec5ef3200a] Completed 200 OK in 960ms (Views: 0.3ms | ActiveRecord: 0.0ms)
2023-05-11T02:52:13.907101322Z app[web.1]: I, [2023-05-11T10:52:13.906898 #6] INFO – : [96ccb8e1-32a0-4dc3-8e3d-5a790716b8b2] Started GET “/forest/authentication/callback?error=invalid_grant&error_description=You+are+not+allowed+to+access+to+this+client&state=%7B%22renderingId%22%3D%3E32948%7D” for 183.192.35.105 at 2023-05-11 10:52:13 +0800
2023-05-11T02:52:13.908917467Z app[web.1]: I, [2023-05-11T10:52:13.908805 #6] INFO – : [96ccb8e1-32a0-4dc3-8e3d-5a790716b8b2] Processing by ForestLiana::AuthenticationController#authentication_callback as /
2023-05-11T02:52:13.908992876Z app[web.1]: I, [2023-05-11T10:52:13.908882 #6] INFO – : [96ccb8e1-32a0-4dc3-8e3d-5a790716b8b2] Parameters: {“error”=>“invalid_grant”, “error_description”=>“You are not allowed to access to this client”, “state”=>“{"renderingId"=>32948}”}
2023-05-11T02:52:16.446874421Z app[web.1]: I, [2023-05-11T10:52:16.446642 #6] INFO – : [96ccb8e1-32a0-4dc3-8e3d-5a790716b8b2] Completed 500 Internal Server Error in 2538ms (Views: 0.2ms | ActiveRecord: 0.0ms)

and this is the error on the UI we get
We have tried on a clean browser, got the same error, no ad blocker on

Looking forward to hearing from you,

Erin

Hello @Erin3,

Could you please copy/paste:

  • the complete URL of the call to https://api.forestadmin.com/oidc/auth from your browser?
  • values for your configuration variables, please only include the last 3 characters from the ENV_SECRET and remove the AUTH_SECRET.

To get the complete URL of the call, you will need to display the developer tools, and switch to the network tab (click on “log in again” if you don’t see anything at first).

I need to check that the client_id sent by your agent is coherent for the environment you’re trying to access.

An incorrect value of this client_id could come from a misconfiguration of either the variable ENV_SECRET or maybe a FOREST_CLIENT_ID.

1 Like

Hello,

please see below

https://api.forestadmin.com/oidc/auth?client_id=eyJraWQiOiJFN3E2Q0FWNGxuWUtwNmdPTlFiaWlZOFhVUDVWSHhmS21VUHZRSnV0Q1Q4IiwiYWxnIjoiUlMyNTYifQ.eyJ0b2tlbl9lbmRwb2ludF9hdXRoX21ldGhvZCI6Im5vbmUiLCJyZWRpcmVjdF91cmlzIjpbImh0dHBzOi8vc3BhcmVsZWFzaC5jb20uY24vZm9yZXN0L2F1dGhlbnRpY2F0aW9uL2NhbGxiYWNrIl0sImFwcGxpY2F0aW9uX3R5cGUiOiJ3ZWIiLCJncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiXSwicmVzcG9uc2VfdHlwZXMiOlsiY29kZSJdLCJlbnZpcm9ubWVudF9pZCI6MjkyMTYsImlzcyI6IkZPUkVTVF9BVVRIRU5USUNBVElPTl9TWVNURU0iLCJpYXQiOjE2MzM0MTE3ODd9.crB66LzmaVPbRLkS8WzYJgS58l4yPfM3v4pkm4JS6vwGZD-vnzzEdQSUE3pxaJglIwX5NveW8pUyrmavlbrga4vHxXzi75JFCV6HWTU4b-O6jLbr9C5SawFvorNCHa–brVOVLJJ2JbrG4572W2_K3GGuRE1i2v3kRIMDLsIViPAe2Sx1fxi9Z1ARoFaZZqruB8K7hkmS7r_f3ASxLo3tloF6RUILigt6YdlwVSTtdt6hL7uKtLu-IS1OrfvPgJIB9m_Oh9QVw4cs_xTz5VNPoeTGaT9JeJBToxHGCgZMNSwuEQcYp8iGYagd-5EXKJbo3t6jr00hXppcwYRBdwtRw&redirect_uri=https%3A%2F%2Fspareleash.com.cn%2Fforest%2Fauthentication%2Fcallback&response_type=code&scope=openid%20email%20profile&state=%7B%22renderingId%22%3D%3E32948%7D

Please also note that we didn’t change the server code or the configurations in recent months.

Thanks

Hello,

Thanks for sharing. Could you please also share with me the 2 other configuration variables that I asked you?

The URL you shared shows that there is a problem with the client id that is sent by the server: it references a deleted environment (which is a development environment).

So my best guess would be that a static FOREST_CLIENT_ID is configured on your server, and maybe also that the ENV_SECRET on your server is incorrect.

Hello,

Thanks so much for your feedback & suggestions

these are the two URL links I got back from the tech team;

FOREST_CLIENT_ID eyJraWQiOiJFN3E2Q0FWNGxuWUtwNmdPTlFiaWlZOFhVUDVWSHhmS21VUHZRSnV0Q1Q4IiwiYWxnIjoiUlMyNTYifQ.eyJ0b2tlbl9lbmRwb2ludF9hdXRoX21ldGhvZCI6Im5vbmUiLCJyZWRpcmVjdF91cmlzIjpbImh0dHBzOi8vc3BhcmVsZWFzaC5jb20uY24vZm9yZXN0L2F1dGhlbnRpY2F0aW9uL2NhbGxiYWNrIl0sImFwcGxpY2F0aW9uX3R5cGUiOiJ3ZWIiLCJncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiXSwicmVzcG9uc2VfdHlwZXMiOlsiY29kZSJdLCJlbnZpcm9ubWVudF9pZCI6MjkyMTYsImlzcyI6IkZPUkVTVF9BVVRIRU5USUNBVElPTl9TWVNURU0iLCJpYXQiOjE2MzM0MTE3ODd9.crB66LzmaVPbRLkS8WzYJgS58l4yPfM3v4pkm4JS6vwGZD-vnzzEdQSUE3pxaJglIwX5NveW8pUyrmavlbrga4vHxXzi75JFCV6HWTU4b-O6jLbr9C5SawFvorNCHa--brVOVLJJ2JbrG4572W2_K3GGuRE1i2v3kRIMDLsIViPAe2Sx1fxi9Z1ARoFaZZqruB8K7hkmS7r_f3ASxLo3tloF6RUILigt6YdlwVSTtdt6hL7uKtLu-IS1OrfvPgJIB9m_Oh9QVw4cs_xTz5VNPoeTGaT9JeJBToxHGCgZMNSwuEQcYp8iGYagd-5EXKJbo3t6jr00hXppcwYRBdwtRw

ENV_SECRET 0c6c4[REDACTED]

Also from the tech team:

FOREST_CLIENT_ID is safe to share, ENV_SECRET may be not, we still have AUTH_SECRET that used to auth.

Is there something they are missing?

Hello @Erin3,

Sorry for the delay, I did not see your answer.

Please ask your tech team to remove the FOREST_CLIENT_ID from the configuration and it will work smoothly.

The parameter is not needed anymore since a release we made: servers are not required to specify the client id as the one generated from our side will always be the same for an environment (so it will work with multiple servers as well).

Env secrets are not meant to be shared publicly, as I asked you to only share the 3 first characters of it. For security reasons you would need to generate a new one once your setup will be fixed.

By the way, I checked you FOREST_CLIENT_ID and it’s related to a deleted development environment. So its value is clearly invalid for your production environment or any other one.

You should definitively remove it from the configuration, and you don’t need to set any replacement value.