Failed to provide user info: Request failed with status code 403

[busla]

I want to start by saying, thanks for sharing!

So here is my issue.

Cognito is getting a 403 on the /userinfo endpoint so I am assuming the Bearer token is invalid for some reason. Is this a common misconfiguration issue maybe on my part?

The state attribute is also undefined there but since the state is optional I think that's ok.

Here are the relevant debug logs with sensitive values <retracted>.

edit

I think this is also relevant, and is weird since I'm getting the sub from Github in the claim.

error_description=username+attribute+mapping+required&error=invalid_request

Also Ngrok is returing 400 back to the Cognito client but that's probably because the wrapper doesn't resolve correctly because of the 403.

debug: Signing payload {"iss":"https://<retracted>","aud":"<retracted>"}
debug: Resolved token response: {"access_token":"<retracted>","expires_in":28800,"refresh_token":"<retracted>"}
debug: Token for (<retracted>, undefined, <retracted>) provided
info: Providing access to JWKS: {"keys":[{"alg":"RS256","kid":"jwtRS256","kty":"RSA","n":"<retracted>","e":"AQAB"}]}
error: Failed to provide user info: Request failed with status code 403
debug: Checking response: [Circular]
debug: Fetched user details: {"login":"<retracted>","id":<retracted>,"node_id":"<retracted>","avatar_url":"<retracted>","gravatar_id":"","url":"https://api.github.com/users/<retracted>","html_url":"https://github.com/<retracted>","followers_url":"https://api.github.com/users/<retracted>/followers","following_url":"https://api.github.com/users/<retracted>/following{/other_user}","gists_url":"https://api.github.com/users/<retracted>/gists{/gist_id}","starred_url":"https://api.github.com/users/<retracted>/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/<retracted>/subscriptions","organizations_url":"https://api.github.com/users/<retracted>/orgs","repos_url":"https://api.github.com/users/<retracted>/repos","events_url":"https://api.github.com/users/<retracted>/events{/privacy}","received_events_url":"https://api.github.com/users/<retracted>/received_events","type":"User","site_admin":false,"name":"<retracted>","company":"<retracted> <retracted> ","blog":"http://github.com/<retracted>","location":"<retracted>","email":"<retracted>","hireable":true,"bio":null,"twitter_username":"<retracted>","public_repos":77,"public_gists":12,"followers":12,"following":17,"created_at":"2013-01-01T10:44:40Z","updated_at":"2021-02-07T21:49:19Z"}
debug: Resolved claims: {"sub":"<retracted>","name":"<retracted>","preferred_username":"<retracted>","profile":"https://github.com/<retracted>","picture":"https://avatars.githubusercontent.com/u/<retracted>?v=4","website":"http://github.com/<retracted>","updated_at":1612734559}
error: Failed to provide user info: Request failed with status code 403
debug: Checking response: [Circular]
debug: Fetched user details: {"login":"<retracted>","id":<retracted>,"node_id":"<retracted>","avatar_url":"https://avatars.githubusercontent.com/u/<retracted>?v=4","gravatar_id":"","url":"https://api.github.com/users/<retracted>","html_url":"https://github.com/<retracted>","followers_url":"https://api.github.com/users/<retracted>/followers","following_url":"https://api.github.com/users/<retracted>/following{/other_user}","gists_url":"https://api.github.com/users/<retracted>/gists{/gist_id}","starred_url":"https://api.github.com/users/<retracted>/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/<retracted>/subscriptions","organizations_url":"https://api.github.com/users/<retracted>/orgs","repos_url":"https://api.github.com/users/<retracted>/repos","events_url":"https://api.github.com/users/<retracted>/events{/privacy}","received_events_url":"https://api.github.com/users/<retracted>/received_events","type":"User","site_admin":false,"name":"Jón Levy","company":"@ruv-ohf @andesorg ","blog":"http://github.com/<retracted>","location":"<retracted>","email":"<retracted>","hireable":true,"bio":null,"twitter_username":"<retracted>","public_repos":77,"public_gists":12,"followers":12,"following":17,"created_at":"2013-01-01T10:44:40Z","updated_at":"2021-02-07T21:49:19Z"}
debug: Resolved claims: {"sub":"<retracted>","name":"<retracted>","preferred_username":"<retracted>","profile":"https://github.com/<retracted>","picture":"https://avatars.githubusercontent.com/u/<retracted>?v=4","website":"http://github.com/<retracted>","updated_at":1612734559}

[TimothyJones]

Hmm. I’m on mobile at the moment, so I’ll have to take a look when I am at my desk later.

It looks like we can improve the debug logs- it’s not clear where that error is coming from. It looks like the user information is being received correctly, though.

[TimothyJones]

Looks like it’s the get user emails call that is failing.

[busla]

ahh ok, thanks for looking at this so quickly (also on mobile).

I will take another debug session today with improved logging and maybe extend Winston formatting also.

[busla]

Ok, took a look at this and you're right, it's the email GET and logging can also be improved a bit 😄 although I like the abstraction!

I added a naive error handler to log all error from axios to pick up the response from Github

And this is the Github response:

Naive error handler

https://github.com/island-is/github-cognito-openid-wrapper/blob/fix/logging/src/github.js#L21-L32

Edit 01

🤦🏼 don't tell me I have to install the app also and set permissions.

Edit 02
Ok, I'll show myself out 😄 this issue can be closed.

[TimothyJones]

Glad it was an easy fix! Do the setup instructions need to be updated?

If you have time for a PR that puts debug logging around the github request / responses, I would happily accept it.

[busla]

Yup, I will update the README and continue with improving the logging here
#47