Problem oAuth2 between Nuxeo and Frame.io

Following our meeting, find the step to reproduce the oAuth2 error. Regarding the previous captured video, please forget it as Billy got a misconfiguration related to the redirect_uri and not the state (that’s also an important part of the configuration but not our state problem)

 

On the Frame.io part, you must have a valid account (email/password). You can create a quick one here : https://accounts.frame.io/welcome

Once your account created, connect and execute the following tasks :

 ++ 

1. **Oauth2 App configuration in Frame.io

 

Go to https://developer.frame.io/app/oauth-apps/new

 

Add a new configuration on Frame.io website allowing a Nuxeo instance to access Frame.io API. Change the part in red with your proper Nuxeo configuration.

 

 

 

 

• NAME

Define a name (No matter which value)

• REDIRECT URIS

Callback URL from Nuxeo using pattern YOUR_NUXEO_URL*/*NUXEO_CONTEXT/site/oauth2/OAUTH2_SERVICE_NAME_DECLARED_IN_NUXEO/callback

               Part in red must be change

Part in green must be defined as it

 

               In the following screenshot of our platform, we defined :

YOUR_NUXEO_URL with value https://dm-nuxeo-demo.oceaneconsulting.com

NUXEO_CONTEXT with value  demo

OAUTH2_SERVICE_NAME_DECLARED_IN_NUXEO with value  frameio

• Do not select Uses PKCE

• On the scopes list, check Offline / Accounts.Read / Team.Read

 

Click on Submit

 

Once created, you should have a screen with your created oAuth2 App like :

 

 

Please copy values generated for Client ID and Client Secret, we will reuse this value in Nuxeo configuration

 

Configuration completed on Frame.io

 2.**Declare an oAuth2 Provider for « Frame.io » in Nuxeo

 

• Connect to your Nuxeo instance as an Administrator (WebUI)

• Click on « Administration » link (bottom/left) and the on « Cloud Services » link

• Click on « Add » button to add a new oAuth2 Service Provider

• Provide following informations:

 

Service Name : Define the name used previously in OAUTH2_SERVICE_NAME_DECLARED_IN_NUXEO so frameio in our case

Description : No constraint, you can set « Frame.io Provider » for example

Client ID : previously copied value from Frame.io

Client Secret : previously copied value from Frame.io

Authorization Server URL : https://applications.frame.io/oauth2/auth

Token Server URL : https://applications.frame.io/oauth2/token

User Authorization URL : <LEAVE IT EMPTY>

Scopes : Specify the list of checked scopes in Frame.io, with a space between each itemso for our case : account.read offline team.read

• Check the Enabled checkbox

 

Sample :

 

 

Once created, the provider must appear in the list as frameio service name:

 

 3 **Testing the « Frame.io » oAuth2 provider from Nuxeo

 

• Connect to Nuxeo instance as a user or keep your session as administrator in WebUI

• Cliquer sur the « User Settings » link bottom/left and then on « Cloud Services »

• Click on the dedicated « Frame.io » button in « Connect to » part

• A popup will appear but closing fastly. Intercepting the popup before closing will give you the following message:

 

https://dm-nuxeo-demo.oceaneconsulting.com/demo/site/oauth2/frameio/callback?error=invalid_state&error_description=The+state+is+missing+or+has+less+than+8+characters+and+is+therefore+considered+too+weak&error_hint=Request+parameter+"state"+must+be+at+least+be+8+characters+long+to+ensure+sufficient+entropy.&state=

 

 

In that case, Nuxeo is not providing the « state » parameter to Frame.io so the authentication process is not launched. We have simulated the behavior with a Python server available here.

 

This POC here demosntrates it :

 

1. Go to https://dm-frameio-demo.oceaneconsulting.com/
2. Click on the first link, authenticate, done : you have access to REST API
3. Go to https://dm-frameio-demo.oceaneconsulting.com/
4. Click on the second link, you’re not able to authenticate with message : « Error: invalid_state »