Nuxeo Platform / NXP-30199

Problem oAuth2 between Nuxeo and Frame.io

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: OAuth
    • Sprint:
      nxApps 2021 Cycle 2, nxApps 2021 Cycle 3

      Description

      Following our meeting, here are the steps to reproduce the oAuth2 error. Regarding the previously captured video, please disregard it, as Billy had a misconfiguration related to the redirect_uri and not the state (that’s also an important part of the configuration, but not our state problem).

       

      On the Frame.io part, you must have a valid account (email/password). You can create a quick one here : https://accounts.frame.io/welcome

      Once your account is created, connect and execute the following tasks:

      1. Oauth2 App configuration in Frame.io

       

      Go to https://developer.frame.io/app/oauth-apps/new

       

      Add a new configuration on the Frame.io website allowing a Nuxeo instance to access the Frame.io API. Change the part in red to match your own Nuxeo configuration.

       

       

       

       

      • NAME

      Define a name (No matter which value)

      • REDIRECT URIS

      Callback URL from Nuxeo using the pattern YOUR_NUXEO_URL/NUXEO_CONTEXT/site/oauth2/OAUTH2_SERVICE_NAME_DECLARED_IN_NUXEO/callback

      Part in red must be changed

      Part in green must be defined as is

       

                     In the following screenshot of our platform, we defined :

      YOUR_NUXEO_URL with value https://dm-nuxeo-demo.oceaneconsulting.com

      NUXEO_CONTEXT with value  demo

      OAUTH2_SERVICE_NAME_DECLARED_IN_NUXEO with value  frameio

      • Do not select Uses PKCE
      • On the scopes list, check Offline / Accounts.Read / Team.Read

       

      Click on Submit

       

      Once created, you should have a screen with your created oAuth2 App like :

       

       

      Please copy the values generated for Client ID and Client Secret; we will reuse these values in the Nuxeo configuration

       

      Configuration completed on Frame.io

      2. Declare an oAuth2 Provider for « Frame.io » in Nuxeo

       

      • Connect to your Nuxeo instance as an Administrator (WebUI)
      • Click on the « Administration » link (bottom/left) and then on the « Cloud Services » link
      • Click on the « Add » button to add a new oAuth2 Service Provider
      • Provide the following information:

       

      Service Name : Define the name used previously in OAUTH2_SERVICE_NAME_DECLARED_IN_NUXEO so frameio in our case

      Description : No constraint, you can set « Frame.io Provider » for example

      Client ID : previously copied value from Frame.io

      Client Secret : previously copied value from Frame.io

      Authorization Server URL : https://applications.frame.io/oauth2/auth

      Token Server URL : https://applications.frame.io/oauth2/token

      User Authorization URL : <LEAVE IT EMPTY>

      Scopes : Specify the list of checked scopes in Frame.io, with a space between each item, so for our case : account.read offline team.read

      • Check the Enabled checkbox

       

      Sample :

       

       

      Once created, the provider must appear in the list as frameio service name:

       

      3. Testing the « Frame.io » oAuth2 provider from Nuxeo

       

      • Connect to the Nuxeo instance as a user or keep your session as administrator in WebUI
      • Click on the « User Settings » link (bottom/left) and then on « Cloud Services »
      • Click on the dedicated « Frame.io » button in the « Connect to » part
      • A popup will appear but close quickly. Intercepting the popup before it closes will give you the following message:

       

      https://dm-nuxeo-demo.oceaneconsulting.com/demo/site/oauth2/frameio/callback?error=invalid_state&error_description=The+state+is+missing+or+has+less+than+8+characters+and+is+therefore+considered+too+weak&error_hint=Request+parameter+"state"+must+be+at+least+be+8+characters+long+to+ensure+sufficient+entropy.&state=

       

       

      In that case, Nuxeo is not providing the « state » parameter to Frame.io so the authentication process is not launched. We have simulated the behavior with a Python server available here.

       

      This POC here demonstrates it :

       

      1. Go to https://dm-frameio-demo.oceaneconsulting.com/
      2. Click on the first link, authenticate, done : you have access to REST API
      3. Go to https://dm-frameio-demo.oceaneconsulting.com/
      4. Click on the second link, you’re not able to authenticate with message : « Error: invalid_state »
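
Added example (not part of the original ticket and not Nuxeo's code): a Python illustration of the client-side handling the error above points at, generating a `state` for the authorization request, binding it to the user's session, and verifying it on the callback. `CLIENT_ID`, the `session` dict and both function names are assumptions; the authorization endpoint, redirect URI and scopes are the ones given in the ticket.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint, redirect URI and scopes come from the ticket; CLIENT_ID is a placeholder.
AUTH_URL = "https://applications.frame.io/oauth2/auth"
REDIRECT_URI = "https://dm-nuxeo-demo.oceaneconsulting.com/demo/site/oauth2/frameio/callback"
SCOPES = "account.read offline team.read"
CLIENT_ID = "YOUR_CLIENT_ID"
MIN_STATE_LEN = 8  # minimum length named in the provider's error message


def build_authorization_url(session):
    """Create a fresh state, bind it to the session, return the authorization URL."""
    state = secrets.token_urlsafe(32)  # 32 random bytes, 43 URL-safe characters
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
    })
    return f"{AUTH_URL}?{query}"


def handle_callback(callback_url, session):
    """Return the authorization code, or raise ValueError describing the failure."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def first(key):
        return params.get(key, [""])[0]

    expected = session.pop("oauth_state", "")  # a state value is valid once only
    if first("error"):
        raise ValueError(f"provider error: {first('error')}: {first('error_description')}")
    # Constant-time comparison; an empty or missing stored state never matches.
    if len(expected) < MIN_STATE_LEN or not hmac.compare_digest(
            first("state").encode(), expected.encode()):
        raise ValueError("state mismatch: callback is not bound to this session")
    if not first("code"):
        raise ValueError("callback carries no authorization code")
    return first("code")
```
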


      Time Tracking

      • Original Estimate: Not Specified
      • Remaining Estimate: 0 minutes
      • Time Spent: 3 days
