Getting {"error":"access_denied"} when trying to get access token

adomm
adomm Newcomer
in WebSocket API

Here is the part of code that calls the endpoint (to get a glimpse of headers, method etc.):


Unirest.setTimeouts(0, 0);

HttpResponse<String> response = Unirest.post("https://api.refinitiv.com:443/auth/oauth2/v1/token")

.header("Content-Type", "application/x-www-form-urlencoded")

.field("grant_type", "password")

.field("username", "***************")

.field("password", "***************")

.field("takeExclusiveSignOnControl", "True")

.field("scope", "trapi")

.field("client_id", "********************")

.asString();


Here’s what I get from server:

Response body:
{"error":"access_denied" }


HTTP status: 400

Headers:

Date Tue, 30 Jun 2020 14:24:59 GMT

Content-Type application/json

Content-Length 29

Connection keep-alive

X-Amzn-Trace-Id Root=1-5efb4b3b-4a278e16d28720ec9826d572

X-Served-By region=eu-west-1; cid=9b0a08d5-13b9-4b70-bc36-90e6c60e0089

X-Tr-Requestid 52ddba1d-31a4-4b9f-bc55-30d1834d5c81


Credentials are ok, because if I change them to the wrong ones - I get different message.

I've tried sending request with Postman, Refinitiv provided Python script: https://raw.githubusercontent.com/Refinitiv/websocket-api/master/Applications/Examples/EDP/python/market_price_edpgw_service_discovery.py

Result is totally same.

Tagged:

Best Answer

  • wasin.w
    wasin.w admin
    Answer ✓

    The ERT in Cloud team has verify the issue and found the root cause. The issue comes from corrupted DNS cache in the network level. The issue is now resolved.

Answers

  • Gurpreet
    Gurpreet admin

    Hi @adomm, Have you generated the AppKey and using that parameter in the client ID. Please see this step-by-step quick start guide. If you are still getting access denied message, it would imply that your credentials are incorrect. Please contact you Refinitiv account manager in that case.

  • adomm
    adomm Newcomer

    Thank you for answer Gurpeet. Forgot to mention that code worked successfully before for quite a while and it stopped working just out of the blue. And yes, I did follow Quick start and yes, I generated AppKey and used as client id.
    Password doesn't seem to be a problem as if I actually change the password to the wrong one - I get a different message.
    I'm in contact with support and no one has a slightest clue what's going on.

  • Gurpreet
    Gurpreet admin

    What is the message when wrong password is used. Could you post complete return messages.

    Here is what I get on wrong username/password:

    HTTP 400:
    {"error":"access_denied"  ,"error_description":"Invalid username or password." }

    And on incorrect client ID:

    HTTP 401:
    {"error":"invalid_client"  ,"error_description":"Invalid Application Credential." }


  • adomm
    adomm Newcomer

    When wrong password is used I get HTTP status 400 and Body: {'error': 'access_denied', 'error_description': 'Invalid username or password.'}

    When password is right I get just: {"error":"access_denied" }

    If needed - I can provide X-Amzn-Trace-Id, X-Served-By and X-Tr-Requestid header values which might help debugging, I guess.



  • Gurpreet
    Gurpreet admin

    Please take it up with your account manager. Thanks.

  • erol.komac1
    erol.komac1 LSEG

    Hi @Gurpreet

    Can you please investigate the bold/italic part above with development? This is the point where things go wrong on Adomas environment.

    I have used his credentials and get the following.

    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!


    Regards,

    Erol



    Note: Unnecessary use of -X or --request, POST is already inferred.2JmZDY0NmY4NGE1MGE2MjJlMzYyNDRlYW

    * Trying 52.19.116.133:443...

    * TCP_NODELAY set

    * Connected to api.refinitiv.com (52.19.116.133) port 443 (#0)

    * ALPN, offering h2

    * ALPN, offering http/1.1

    * successfully set certificate verify locations:

    * CAfile: /etc/ssl/certs/ca-certificates.crt

    CApath: /etc/ssl/certs

    * TLSv1.3 (OUT), TLS handshake, Client hello (1):

    * TLSv1.3 (IN), TLS handshake, Server hello (2):

    * TLSv1.2 (IN), TLS handshake, Certificate (11):

    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):

    * TLSv1.2 (IN), TLS handshake, Server finished (14):

    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

    * TLSv1.2 (OUT), TLS handshake, Finished (20):

    * TLSv1.2 (IN), TLS handshake, Finished (20):

    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

    * ALPN, server accepted to use h2

    * Server certificate:

    * subject: C=US; postalCode=10036; ST=New York; L=New York; street=3 Times Square; O=REFINITIV US LLC; OU=RDP; CN=api.refinitiv.com

    * start date: May 29 00:00:00 2020 GMT

    * expire date: May 29 23:59:59 2021 GMT

    * subjectAltName: host "api.refinitiv.com" matched cert's "api.refinitiv.com"

    * issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Organization Validation Secure Server CA

    * SSL certificate verify ok.

    * Using HTTP2, server supports multi-use

    * Connection state changed (HTTP/2 confirmed)

    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0

    * Using Stream ID: 1 (easy handle 0x564ee25fddb0)

    > POST /auth/oauth2/v1/token HTTP/2

    > Host: api.refinitiv.com

    > user-agent: curl/7.68.0

    > accept: application/json

    > content-type: application/x-www-form-urlencoded

    > authorization: Basic MDA1N2JmZDY0NmY4NGE1MGE2MjJlMzYyNDRlYWIzMWM2ZGI4NjQ1ODo=

    > content-length: 188

    >

    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!

    * We are completely uploaded and fine

    < HTTP/2 400

    < date: Thu, 02 Jul 2020 13:16:30 GMT

    < content-type: application/json

    < content-length: 29

    < x-amzn-trace-id: Root=1-5efdde2d-6a3384aa010ef27c7d3289cc

    < x-served-by: region=eu-west-1; cid=7936fa55-77dc-4fa7-a9f8-80bc66a20408

    < x-tr-requestid: 8f714e38-d958-4a68-a128-6535002deab2

    <

    * Connection #0 to host api.refinitiv.com left intact

    {"error":"access_denied" }



  • Gurpreet
    Gurpreet admin
    https://community.developers.refinitiv.com/discussion/comment/62564#Comment_62564

    Hi Erol, We can provide technical API support, but don't have any visibility into product deployment. It is best to raise a service ticket at my.refinitiv.com for product team to look into the issue.

Categories