Hi! I keep getting 401 error on /admin/* endpoints...
# ory-network
b
Hi! I keep getting a 401 error on /admin/* endpoint requests with Authorization: Bearer {PAT}, and it started just a few minutes ago. We are on a paid account, I'm not an owner, tried with an older PAT and a newly created PAT – same effect. I checked the docs, there are no updates on authorization, but maybe I missed something? Has something changed? Is something wrong with our project? Or is it a whole platform-related issue? P.S.: Should I create a GitHub issue for this?
m
I will investigate, Stanislav, and get back to you in a bit.
Hm on my demo project it works fine, both with old PAT and newly created. I will escalate to the team. Can you share your project slug please?
b
stoic-darwin-l9lmzvz6dk
w
Hello there, could you please verify if the problem persists within the next 5min?
b
I also tried to log in via ory cli, got 503
@worried-kitchen-94392, yes
h
Can you give a curl request (or SDK call) of what you’re doing?
b
curl https://stoic-darwin-l9lmzvz6dk.projects.oryapis.com/admin/identities/7900ceb3-25fa-463e-bd3b-c57963093ae7 \
   -H "Accept: application/json" \
   -H "Authorization: Bearer {PAT}"
The response is:
{
  "error": {
    "code": 401,
    "status": "Unauthorized",
    "request": "9bf3ea85-c7e9-9e60-9a29-60ba53056b8b",
    "message": "Access credentials are invalid"
  }
}
Works now
It works with a newly generated token. Old one doesn't work, while it is still listed
w
Well, good to know it works now, we will investigate what has happened 🙂 Thanks for the info
b
It could be a Cloudflare issue. I checked it via Postman and Ory responded with an error once again. I removed the __cflb cookie, and the request went through successfully.
w
@stocky-king-5626 could it be Cloudflare caching?
r
Hmmm, right now the __cflb should not change the behavior, as the request will end up on the same backend anyway.
b
To reproduce via Postman:
• make any request with PAT
• check if Postman saved the __cflb cookie
• make the same request again (it should send the cookie too) – it ends up with a 401 error
• remove the cookie
• repeat request – it is successful
h
Hm, I can’t reproduce this in Postman 😕 Not sure what’s going on
This is what I did in curl:
curl -X GET -H "Authorization: Bearer $PAT" -H "Cookie: __cflb=0pg1NzeikcL87UC55K2NZzNkiMfk1RPhaFFVXo31" https://wonderful-babbage-e60xslmh16.projects.oryapis.com/admin/identities
If you have a reproducible curl command that is flaky, that would be tremendously helpful; you can also send it via PN
b
Oh, well, there is one more thing I forgot to mention: we use a custom domain. Postman hides the redirect from me, but when I do it with curl I get this in the response body:
<a href="https://auth.dev.headframe.io/admin/identities/e036f842-364d-4266-be0d-cabf8f9d95d8">Temporary Redirect</a>.
h
If you can share what request you’re doing exactly in Postman, share the collection, or copy/paste the curl in a PN, that would be tremendously helpful. We were unable to reproduce the issue and cannot find an issue in our monitoring related to this. Thank you! 🙂 You can revoke the personal access token once we have it reproduced!
b
Ok, give me a moment...
Shared exact request / response pairs to your DM
h
Thank you, that is really valuable. The problem is that if a cookie is set, we automatically redirect to the custom domain because we think that the request is coming from a browser and it should be sent to the custom domain. The problem here being that the Authorization header apparently is not included on the redirected request, which ends up with a 401. If you do
curl -L https://auth.dev.headframe.io/admin/identities/e036f842-364d-4266-be0d-cabf8f9d95d8 \
   -H "Accept: application/json" \
   -H "Authorization: Bearer ..." \
   -H "Cookie: __cflb=0pg1S3Ro4fXTRGA6anYK6AkQyWTgApNdpS9TdLLb"
it does work as expected. I also didn’t know that 307 won’t include the Authorization header again. We will see if there is something that we can do to fix this
Did this help @busy-pizza-65563 ? 🙂
b
Thank you! Following your research, I found a built-in Postman solution:
Works like a charm, thanks a lot!