question

Upvotes
Accepted
Nick.Straatsma avatar image
1 1 2 4

Error connecting to AAA STS for RDP access - username correct but suspecting URL migration from TR to Refinitiv is the cause

Hi

We are integrating with AAA retrieving the STS token for access to RDP streaming pricing. Until recently we have been successfully authenticating from the existing Thomson Reuters URL https://sts.login.cp.thomsonreuters.net/

Two weeks ago we tried to connect a new users on production with AAA. However when they use the above URL they get an error

2021-08-05 13:12:17.970 DEBUG SerializableWebMessageBase: {"BaseUri":https://sts.login.cp.thomsonreuters.net/,"ClientId":"*******","ClientSecret":"*****","RequestID":"1","HttpStatus":200,"UseJsonSerialization":true} Subject: SerializableAAAClient

2021-08-05 13:12:20.681 DEBUG {"error": "access_denied", "error_description": "Invalid username or password."}

We have tested the same credentials on:

- User's Eikon login = successful

- RDP playground = successful

We think this maybe due to the migration in domains. Is that correct? Could there be another cause for the failure to login and receive the STS token?

If the issue is the Domain, could someone confirm the correct URL is identity.ciam.refinitiv.net and when was this change expected to be made?


Thank you,

Nick

rdp-apirefinitiv-data-platform
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Alex Putkov.1 avatar image   Alex Putkov.1

@Nick.Straatsma

Thank you for your participation in the forum. Are any of the replies below satisfactory in resolving your query? If yes please click the 'Accept' text next to the reply that best answers your question. This will guide all community members who have a similar question. Otherwise please post again offering further insight into your question.

Thanks,

-AHS

wasin.w avatar image   wasin.w

Please be informed that a reply has been verified as correct in answering the question, and has been marked as such.

Thanks,


AHS

1 Answer

· Write an Answer
Upvotes
Accepted
Gurpreet avatar image
22k 58 14 21

Hi @Nick.Straatsma ,

The OAuth token URL has been: https://api.refinitiv.com:443/auth/oauth2/v1/token for a long time now. Can you try this endpoint.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Nick.Straatsma avatar image Nick.Straatsma

Hi @Gurpreet

Thanks very much for the answer. This helped and we also discovered that some of the problem was our TLS version and using JSON instead of URL encoded message body. Here is summary and open questions.

Doing this fixed/enabled us to connect:

Questions

  • Is there documentation for the URL migrations and supported connection types?
  • Do you expect PKCE to work on the new URLs? Attached is a code snippet. We don't get especially verbose responses on failure.
1628694184272.png (501.2 KiB)
Gurpreet avatar image Gurpreet Nick.Straatsma
Hi @Nick.Straatsma ,

I would recommend that you directly get in touch with STS gateway team to get details for which endpoints will support PKCE.


Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.