Invalid grant on hcp auth login #139

Open
andrewbaxter opened this issue Aug 2, 2024 · 3 comments
Labels
bug Something isn't working

Comments

andrewbaxter commented Aug 2, 2024

I just installed hcp manually (Arch, no package). I've never used it before on this machine.

I ran

hcp auth login

It opened the wrong browser, so I copied the URL and pasted it into the right browser. I'm already logged in but it shows me a blank login page. I press the Sign in with Github button and now it opens a page that says "Login is not successful. You may close the browser and try again." (URL http://localhost:8443/oidc/callback?error=request_forbidden&error_description=The+request+is+not+allowed.+No+CSRF+value+available+in+the+session+cookie.&state=...). The terminal shows:

ERROR: unable to login to HCP: failed to get new token: failed to exchange code for token: oauth2: "invalid_grant" "The
provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid,
expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another
client."

I note that when it opens a browser it also prints a URL to the terminal:

The default web browser has been opened at https://auth.idp.hashicorp.com/oauth2/auth. Please continue the login in the web browser.

However, this URL is not usable (missing required parameters).

There doesn't appear to be a --no-browser flag.

dadgar (Collaborator) commented Aug 5, 2024

@andrewbaxter Thanks for filing this issue, we will investigate and update this issue with any update.

dadgar added the bug label Aug 5, 2024

ohm commented Aug 7, 2024

@andrewbaxter What's happening is that hcp generates a dynamic URL and opens it in the browser [1]. At the same time it prints the static base URL to the console. Copying either the static URL from the console or any URL from the browser window that isn't the initial URL will result in the error you're seeing, because the browser has likely already followed a redirect.

The auth flow needs to be initiated via the first URL or it won't work. Configuring your system to open the expected browser by default will fix your issue.

@dadgar we should probably update the CLI output to print the generated URL to make it less confusing. wdyt?

Footnotes

  1. https://github.com/hashicorp/hcp-sdk-go/blob/a41523ce2f0f348f6d0eec9911ff7d08f1674570/auth/browser.go#L51
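
The failure described in the comment above, modelled as an added example (not code from hcp, hcp-sdk-go, or HashiCorp's identity provider). It assumes, based only on the error text quoted in this issue, that the first request stores a CSRF value in a browser cookie and a later step requires it; the `csrf` cookie name, the `challenge` parameter, and the sample `client_id` and `state` values are constructed.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newIdP: constructed, sequential model of an authorization server, not HashiCorp's.
func newIdP() http.Handler {
	pending := map[string]string{} // login challenge -> CSRF value set as cookie
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/login" { // second step: only reachable with the cookie
			want, ok := pending[r.URL.Query().Get("challenge")]
			if c, err := r.Cookie("csrf"); !ok || err != nil || c.Value != want {
				http.Error(w, "request_forbidden", http.StatusForbidden)
			}
			return // 403 written above, otherwise an implicit 200 (login page)
		}
		// First step (/oauth2/auth): bind a fresh CSRF value to this browser.
		b := make([]byte, 32)
		rand.Read(b) // error ignored in this model
		challenge, csrf := fmt.Sprintf("%x", b[:16]), fmt.Sprintf("%x", b[16:])
		pending[challenge] = csrf
		http.SetCookie(w, &http.Cookie{Name: "csrf", Value: csrf, Path: "/", HttpOnly: true})
		http.Redirect(w, r, "/login?challenge="+challenge, http.StatusFound)
	})
}

// open requests target carrying only the cookies that browser already holds.
func open(idp http.Handler, target string, cookies []*http.Cookie) *http.Response {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	for _, c := range cookies {
		req.AddCookie(c)
	}
	rec := httptest.NewRecorder()
	idp.ServeHTTP(rec, req)
	return rec.Result()
}

// scenario returns the /login status in the starting browser and in a second browser.
func scenario() (same, other int) {
	idp := newIdP()
	start := open(idp, "/oauth2/auth?client_id=constructed&state=constructed", nil)
	next := start.Header.Get("Location") // the URL visible after the redirect
	return open(idp, next, start.Cookies()).StatusCode, open(idp, next, nil).StatusCode
}

func main() { fmt.Println(scenario()) }
```

The second browser fails because it never received the cookie set on the first response, which is why only the initial generated URL can be moved between browsers.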

andrewbaxter (Author) commented

Thanks! Yeah, printing out the original URL as a backup would be great. AFAIK that's what Azure, GCP etc. do for their CLIs with interactive login.

In my case configuring the default browser won't work - I use multiple browsers for different tasks, testing, etc. and even within Firefox I'm using Multi-Account Containers with (this) hcp account in a work-specific one.
