Parameter [prompt] value is invalid

  • Problem
  • Updated 9 months ago
I am attempting to integrate a program with Authorization Code Flow using cURL; I use Coldfusion, so I have adapted my code based on the documentation, but you should be able to understand the URL variables that I am passing:

<cfhttp
    method="get"
    url="https://platform.devtest.ringcentral.com/restapi/oauth/authorize"
    resolveurl="yes"
    getasbinary="never"
>

<cfhttpparam type="header" name="content-type" value="application/x-www-form-urlencoded">

<cfhttpparam type="url" name="response_type" value="code">
<cfhttpparam type="url" name="client_id" value="#client_id#">
<cfhttpparam type="url" name="redirect_uri" value="#redirect_uri#">
<cfhttpparam type="url" name="state" value="#state#">
<cfhttpparam type="url" name="prompt" value="login">

</cfhttp>

When I execute the code, it processes and displays code that can only execute if the redirect_uri is executed, therefore, the Ringcentral server is forwarding to the redirect_uri.

Here are the variables my server finds on dumping variables off of the redirect_uri page:

error: invalid_request 
error_description: Parameter [prompt] value is invalid 
state : ydcm2ud3d2edvLde911nvev9zwvhLiLztzkhh4qmyc6beg44se

1) The only variable that is passed to my redirect_uri page is "state"

2) The error does not make sense.  The prompt variable value is correct.  The documentation says use "login".

I am trying to get a response so I can get access tokens and refresh tokens so I can interact with the API calls.

Please advise....

Jason

Posted 9 months ago


Anton Nikitin, Official Rep

Please try using the "login consent" pair for now or just do not pass this parameter at all. Our implementation is not 100% compatible with other vendors' OAuth implementations; we are fixing it in the next release.

Jason

I can try removing the parameter and see if that works, but in my experience APIs throw an error when you leave off required parameters.

Also, as an alternative, what do you mean by "use "login consent" pair for now?"

Anton Nikitin, Official Rep

"prompt" is not a required parameter, as far as I know. 

I mean specifying "prompt=login%20consent" also helps.
In your example it probably means:

<cfhttpparam type="url" name="prompt" value="login consent">

Jason

Thanks for the help.

Ok. I tried both and I get the same error.  So, I removed it as you suggested and changes happened.


Now, it's redirecting me as follows:


https://www.MYSERVER.com/login/unifiedLogin.html?session=-XXXXXXXXXXXXXX&6597080091492620690&responseType=code&clientId=MYCLIENTID&brandId=BRANDID&state=rct7dor1i5479Le8n2ca4e5xLt3dv0d6kn4hug23nnn3tckua0&localeId=en_US&endpointId=&display=page&prompt=login%20consent%20sso&scope=&appUrlScheme=https%3A%2F%2Fwww.MYDOMAIN.com%2Fsubprocesses%2Fringcentral%2FringCentral_callback.cfm&ui_options=&hideNavigationBar=true

Obviously, it's throwing a 404 error because the path it's trying to get is not on my server.

It appears to be attempting to allow me to login, but for whatever reason it's trying to run the path off of my server.

Anton Nikitin, Official Rep

The first request to https://platform.devtest.ringcentral.com should redirect you first to the login form, which (if I am not mistaken) is on the service.devtest.ringcentral.com or login.devtest.ringcentral.com host. So if you see this kind of redirect it is a correct one - it should bring the login form to your browser.

Jason

That's what I thought, but it isn't prompting me with the login form...it's trying to use the path off my server as opposed to Ringcentral's server.  I know this process works, because I have authorization working on Google's API...


Anton Nikitin, Official Rep

This is pretty strange. It looks like some party intercepts the redirect and substitutes the host name with your server name. Actually authorization code flow should be initiated from browser JS in your case to work properly (since you are supposed to get a redirect directly to the browser). If this first call is actually initiated by your backend it will not work (unless your backend passes the full redirect URI to a browser client somehow).

Jason

I am initiating it from my backend server. That website domain is my website that is being replaced.


I know with Google Authorization Flow, it brings up Google's page, I login, it passes it to my redirect URI which grabs the access tokens and refresh tokens from the JSON string that is passed and I am on my way.  It should work the same....

Are you saying you can't initiate the authorization flow from the backend (I know others have with PHP which means CF should be able to do it) or are you saying in my case I must use JS?  I would like to avoid JS.

When you say my backend must pass the full redirect URI to the browser client, I am not following you....I can pretty much do anything with CF, but if you are saying that the authorization flow must be on the client side, then it can't be done.

Tyler Long, Official Rep

I am not sure the process is correct. Please read the 4-steps guide here: https://github.com/tylerlong/ringcentral-python#authorization-code-flow-3-legged-authorization-flow

So for step #1, what is the uri in your case?

Jason

It's here and defined above in code like this:

<cfset redirect_uri = "MYREDIRECTURI.com" />

<cfhttpparam type="url" name="redirect_uri" value="#redirect_uri#">

I don't think that's the issue....

Jason

It's been a week.  I appreciate the help from some of you on this forum, however, Ringcentral's lack of response from the Developer team is disappointing.

I have used this code with Google's API and it works, so I know my authorization flow works with them...

Tyler Long, Official Rep

Could you please try the process using this SDK? https://github.com/tylerlong/ringcentral-python#authorization-code-flow-3-legged-authorization-flow Write some Python code and let's see whether it works. If it does, then we know your account has no problem. Otherwise it might be your account's issue instead of a programming issue.

Tyler Long, Official Rep

If you don't want to write code manually, you can try to run any of the demos here: https://github.com/ringcentral/ringcentral-demos-oauth Choose your favorite language and try to make it work.

We will see if it's an account issue or programming issue.

Anton Nikitin, Official Rep

Jason, we are not experts in ColdFusion. Your case is pretty unique and I guess that it works with Google because they do not have intermediary redirects. Just curious if removing the "resolveurl" parameter helps in your case?

Actually this post refers to the same problem as you have: http://www.codersrevolution.com/blog/CFHTTP-doesnt-resolve-URLs-properly-on-redirect

Jason

I tried setting resolveurl to "no" previously and it didn't help, because that was actually the first thing I thought of.  I thought maybe my server is fooling with the mappings.

I completely understand that Coldfusion is not a common code, however, the behavior of what is happening is what I am looking for guidance on...that's not a code thing...that's a general error that could affect all people regardless of the code.

I have used CFHTTP for cURL operations for other Auth2.0 situations and I don't have trouble with the authorization window in those situations....it's obviously processing, because it's redirecting me, yet it's escaping your web server.

CFHTTP is simple....it returns exactly what is returned from the server and here:

<cfoutput>#cfhttp.FileContent#</cfoutput>

It's returning "login/unifiedLogin.html?session=......." without mapping to the full domain, so my server is taking over thinking the folder is there.

It's like your server is returning "/login/unifiedLogin.html?...." as opposed to mapping it completely with the full URL, so what does my server do? It says..."oh you must want to map it to "login/unifiedLogin.html?session=......."" which I have no such mapping for.

"https://service.ringcentral.com/login/unifiedLogin.html?......"

So I can confirm it's not something on my end, please confirm this:

1) Is my url correct: https://platform.devtest.ringcentral.com/restapi/oauth/authorize

2) On processing on your side in the API, when the login window is requested and passed back to me....is the entire URL mapped with "https://service.ringcentral.com/" on your end?  If it isn't, then that will cause problems with some users based on how some servers handle call backs.

Thanks.

Jason

I will add something else....Tyler's favorite answer to everyone is to point people to your code examples...why not spend a little time and let's get a working CF example for folks...believe me...there are a lot of applications out there that use CF.

Tyler Long, Official Rep

I really have no idea of CF. Maybe it's time to learn a new programming language or framework. LoL.

Anton Nikitin, Official Rep

Jason, regarding your questions:

1) Yes, your URL is correct

2) Here is the call I made and traced for your reference. So you can see that our server returns full URL in the path.

GET https://platform.devtest.ringcentral.com/restapi/oauth/authorize?
  client_id=...&redirect_uri=...&response_type=code&state=... HTTP/1.1
Accept-Encoding: gzip,deflate
Host: platform.devtest.ringcentral.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5) 


HTTP/1.1 302 Found
Server: nginx/1.10.2
Date: Mon, 12 Mar 2018 20:02:45 GMT
Content-Length: 0
Connection: keep-alive
X-Application-Context: application:8080
Location: https://service.devtest.ringcentral.com/mobile/loginDispatcher?
  responseType=code&clientId=...&brandId=1210&state=...&localeId=en_US&
  endpointId=&session=-2915783893910517926&display=page&
  prompt=login%20consent%20sso&scope=&
  appUrlScheme=...&ui_options=&hideNavigationBar=true

I pointed you earlier to this post: http://www.codersrevolution.com/blog/CFHTTP-doesnt-resolve-URLs-properly-on-redirect. So maybe you need to check with ColdFusion support.

Jason

Ok....I read that article and it didn't help, but I didn't double-check his work before I tried it...his use of an attribute of CFHTTP was wrong:

redirect="False"

to correct the problem.  That's not right after checking the CF documentation...it's this:

redirect="no"

After doing that, I am getting this:

{ "errorCode" : "AGW-401", "message" : "Authorization header is not specified", "errors" : [ { "errorCode" : "AGW-401", "message" : "Authorization header is not specified" } ] }

At this there is progress....

Anton Nikitin, Official Rep

Aren't you calling the wrong URL "/restapi/oauth/token" instead of "/restapi/oauth/authorize" in this request?

Jason

Ok that is my fault..when I made my other changes, I copied the wrong link.  

Retested...it didn't redirect now and the header returned:

Status Code: 302
RCRequestId: fc121d0e-263d-11e8-8b21-005056bb26b9


Thanks for the continued help.

Anton Nikitin, Official Rep

So, Jason, do you have any other questions about this issue?

Jason

Anton, 

You have been very helpful which I really appreciate.

My page does not redirect after processing and does not return the Authorization Window.

I posted the Status Code and RCRequestId from the header response.

Jason

Anton Nikitin, Official Rep

Did you try to apply the workaround suggested in the article? The idea is not using built-in CF handling for redirect but to implement it in the code.

Jason

Yes and it returns this:

{ "errorCode" : "CMN-301", "message" : "Request rate exceeded", "errors" : [ { "errorCode" : "CMN-301", "message" : "Request rate exceeded" } ] }

Jason

I doubt that's the issue...I turned off the redirect attribute by marking it "no" and I have used this code with other Authorization platforms....

It is yielding a different result...a blank page and I can provide you the response header if you want it.

The Status Code 302 should tell us something.

Anton Nikitin, Official Rep

302 is a normal HTTP redirect code. When you set redirect=no, ColdFusion server was instructed to turn off automatic redirect processing, so it returns just what it got from server. The code with loop in the code snippet from the article showed how to handle such response in your code to work around CF issue.
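
The redirect handling discussed in this thread, as an added Python example that is not part of the original posts or RingCentral's code: the backend builds the authorize URL for the browser to visit, resolves any 302 Location against the URL that was requested (not the application's own host), and checks the callback's state and error fields. The function names, the `.ringcentral.com` host suffix check and the example.com callback are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

# Endpoint quoted in the thread.
AUTHORIZE_URL = "https://platform.devtest.ringcentral.com/restapi/oauth/authorize"
# Assumption: the provider's login hosts all live under this domain.
ALLOWED_SUFFIX = ".ringcentral.com"


def new_state():
    """Unguessable per-session value; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """URL the browser must visit; 'prompt' is left out, as advised in the thread."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def resolve_redirect(request_url, location):
    """Turn a 302 Location header into an absolute URL to hand to the browser.

    A relative Location is resolved against the URL that was requested, and the
    result must stay on HTTPS under the expected provider domain.
    """
    absolute = urljoin(request_url, location)
    parts = urlsplit(absolute)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(ALLOWED_SUFFIX):
        raise ValueError(f"unexpected redirect target: {absolute}")
    return absolute


def handle_callback(callback_url, expected_state):
    """Parse the redirect_uri request; return the code or raise on a bad state or error."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    got = params.get("state", "").encode()
    if not hmac.compare_digest(got, expected_state.encode()):
        raise PermissionError("state mismatch")
    if "error" in params:
        raise RuntimeError(f"{params['error']}: {params.get('error_description', '')}")
    return params["code"]
```

The backend answers the user's request with a redirect to the value of `build_authorize_url(...)` instead of fetching it itself, so the login form loads from the provider's host in the browser.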