HTTPRequest returned with 401-Access token is addressed to a different audience Error

Hi, I have an OAuth2 credential with parameters access_type=offline&prompt=consent. The credential test was fine and I’m using docker image 0.78.

Once I associated the OAuth2 credential with an HTTPRequest, I received the following error message:

Error: No refresh token
at ClientOAuth2Token.refresh (/usr/local/lib/node_modules/n8n/node_modules/client-oauth2/src/client-oauth2.js:367:27)
at /usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/src/NodeExecuteFunctions.js:61:42
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Object.execute (/usr/local/lib/node_modules/n8n/node_modules/n8n-nodes-base/dist/nodes/HttpRequest.node.js:730:32)
at async /usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/src/WorkflowExecute.js:370:47

Any idea what went wrong? My HTTPRequest is as below:

{
  "nodes": [
    {
      "parameters": {
        "authentication": "oAuth2",
        "url": "http://zlp-sdx-sql-01/test_fserver/api/v1/Areas/$count",
        "responseFormat": "string",
        "options": {},
        "headerParametersUi": {
          "parameter": [
            {
              "name": "SPFConfigUID",
              "value": "PL_PlantA"
            }
          ]
        }
      },
      "name": "HTTP Request",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 1,
      "position": [
        530,
        410
      ],
      "credentials": {
        "oAuth2Api": "testSPFAuth"
      }
    }
  ],
  "connections": {}
}

Sounds like the credentials did expire, n8n tried to get a new one with the refresh-token but there was none.
Are you sure the system you are authenticating with does return a refresh-token?

The identityserver3 refresh token is defaulted as below:

Within seconds of the credential test, I ran the HTTPRequest workflow. Why is it required to refresh the token when, based on the token limit, it hasn’t expired?

I managed to get past the refresh token error after appending access_offline to the scope, separated by a space.

However, I encountered a different error:
ERROR: 401 - {"error":{"code":"","message":"Access token is addressed to a different audience."}}

The error message "Access token is addressed to a different audience." gets thrown from identityserver3 and not n8n. So in this case you would probably have to check there what is going wrong.

I think the token’s aud is targeted to a specific value; it doesn’t seem the callback is sending the OAuth parameter which in my case is required to identify the API resource ID. I tried to use Fiddler to get the response token but it didn’t capture any 401 response.

Any idea how I can get the token response using HTTPRequest? I thought of decoding the token using jwt.io to check the aud value. I attempted to send a POST request to the token URL but got an error which is due to the content-type header value application/x-www-form-urlencoded.

{
  "nodes": [
    {
      "parameters": {
        "requestMethod": "POST",
        "url": "http://----fconfigsvc/spfauthentication/oauth/connect/token",
        "allowUnauthorizedCerts": true,
        "responseFormat": "string",
        "options": {},
        "bodyParametersUi": {
          "parameter": [
            {
              "name": "resource",
              "value": "EE9C5479-A52E-4D11-80AE-BFDDCE9A603F"
            },
            {
              "name": "scope",
              "value": "ingr.api"
            },
            {
              "name": "client_id",
              "value": "----1fclient-postman"
            },
            {
              "name": "client_secret",
              "value": "—fsecret"
            },
            {
              "name": "grant_type",
              "value": "password"
            },
            {
              "name": "username",
              "value": "superuser"
            },
            {
              "name": "password",
              "value": "1"
            }
          ]
        },
        "headerParametersUi": {
          "parameter": [
            {
              "name": "Accept",
              "value": "application/json,application/vnd.intergraph.data+json"
            },
            {
              "name": "content-type",
              "value": "application/x-www-form-urlencoded"
            }
          ]
        }
      },
      "name": "HTTP Request",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 1,
      "position": [
        930,
        330
      ]
    }
  ],
  "connections": {}
}

ERROR: str.replace is not a function
TypeError: str.replace is not a function
at Querystring.rfc3986 (/usr/local/lib/node_modules/n8n/node_modules/request/lib/querystring.js:43:14)
at Request.json (/usr/local/lib/node_modules/n8n/node_modules/request/request.js:1287:30)
at Request.init (/usr/local/lib/node_modules/n8n/node_modules/request/request.js:406:10)
at Request.RP$initInterceptor [as init] (/usr/local/lib/node_modules/n8n/node_modules/request-promise-core/configure/request2.js:45:29)
at new Request (/usr/local/lib/node_modules/n8n/node_modules/request/request.js:127:8)
at Object.request (/usr/local/lib/node_modules/n8n/node_modules/request/index.js:53:10)
at Object.execute (/usr/local/lib/node_modules/n8n/node_modules/n8n-nodes-base/dist/nodes/HttpRequest.node.js:752:51)
at Workflow.runNode (/usr/local/lib/node_modules/n8n/node_modules/n8n-workflow/dist/src/Workflow.js:583:37)
at /usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/src/WorkflowExecute.js:369:62
at /usr/local/lib/node_modules/n8n/node_modules/n8n-core/dist/src/WorkflowExecute.js:447:15

Without the content-type value it returned ERROR 415 - Unsupported Media Type which indicates content-type is required.

Managed to decode the token and noticed that in other applications that work, including Postman, the aud value is the resource ID.

But in the token requested via n8n the aud is a URL because it couldn’t specify the resource header.

Is it possible to enhance the OAuth2 Credential to support adding a header like HTTPRequest, as the OAuth URI Query Parameter doesn’t seem to pass the resource value?
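
The aud comparison described above can be done locally in Node.js rather than by pasting a live token into a website. This is an added example, not part of the original thread or of n8n; the function names, the sample tokens and the `https://idp.example/resources` audience are constructed for illustration, and only the resource ID comes from the thread.

```javascript
// Decode a JWT's payload for inspection only. No signature check is done,
// so never use this result to make an authorization decision.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT (expected 3 dot-separated segments)');
  }
  // base64url -> base64; Node's decoder tolerates the missing padding.
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// "aud" may be a single string or an array of strings (RFC 7519, 4.1.3).
// The API rejects the token unless its own identifier is among them.
function checkAudience(token, expectedAud) {
  const { aud } = decodeJwtPayload(token);
  const audiences = aud === undefined ? [] : [].concat(aud).map(String);
  return { audiences, ok: audiences.includes(expectedAud) };
}

// Helper that builds constructed, unsigned sample tokens for the demo.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

// Resource ID as posted in the thread's token request.
const RESOURCE_ID = 'EE9C5479-A52E-4D11-80AE-BFDDCE9A603F';

// Constructed: a token whose aud is a URL (the failing case in the thread).
const urlAudToken = makeSampleToken({
  aud: 'https://idp.example/resources',
  scope: 'ingr.api',
});

// Constructed: a token whose aud is the resource ID (the working case).
const resourceAudToken = makeSampleToken({
  aud: [RESOURCE_ID],
  scope: 'ingr.api',
});

console.log('URL audience token:', checkAudience(urlAudToken, RESOURCE_ID));
console.log('Resource audience token:', checkAudience(resourceAudToken, RESOURCE_ID));
```
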

Finally got it working. I ditched IdentityServer3 for another IdP solution. Using a custom connector for PowerBI that uses the Authorization_Code flow, I managed to analyse the traffic via Fiddler by decrypting the HTTPS request. I had to append the resource ID in scope and as a header parameter.

In the end I got it working :slight_smile: time to build a proper workflow.

@engowen really cool you got it working. Have fun. Let us know if you have any other questions.