Unable to authenticate the OAuth in freshsales production

When we tried to authenticate with OAuth from an external application (SurveyMonkey), we got an error like invalid state, and we used the OAuth Redirect URL: https://oauth.freshdev.io/auth/callback. Attached is the screenshot for your reference.



@Vignesh-Agiratech

When you are authenticating it in local, can you share the logs?

See how fdk.log helps in troubleshooting

Copy specific section of logs using Debug Mode

Share browser logs if you think those can help.

In local we also got the same error like invalid state. Here I have attached screenshots and the browser log file for your reference.


localhost.har (11.7 KB)

Are you using agent-level OAuth or admin-level OAuth?

We tried in admin-level OAuth.

It appears like there’s a problem with following the protocol in token exchange process.

Can you share the fdk.log file from your local setup? It will present the logs of what happens in the communication between the app and SurveyMonkey.

Also please share the OAuth documentation of Survey Monkey.

FYR
https://developer.surveymonkey.com/api/v3/?ut_source=header#oauth-2.0-flow
fdk.log (42.2 KB)

@Saif any update on issues?

This involves internal details to reproduce the issue. I’ve put you in touch with the support team to take this conversation forward and further discuss it with an engineer.

@Vignesh-Agiratech
Can you check if the state value is present in the callback URL?

We need that parameter. More information can be seen here.

Where can we send the state parameter and state value? Can you explain about state?

Hi Vignesh,

The OAuth provider will send this parameter. Can you check the callback URL and see if the state parameter is present in it?

Hi Ganesh,

Shared below is the SurveyMonkey API team's reply for your reference.

If you wish to use the state parameter with the OAuth flow, you will need to generate and verify the state parameter value using your client app. Also you will need to host the OAuth install URL on your site. When submitting the app for listing on our App Directory, you can specify a link to direct users to the OAuth install URL on your site.

Where can I generate and pass the state parameter in the OAuth flow?

@Vignesh-Agiratech
When you’re trying OAuth, once the redirection happens after successful login, can you check if the state parameter is present in the URL?

@ghsatpute_freshworks

Even if the state parameters are present in the OAuth URL, we got only the same error. The OAuth URL is mentioned below for your reference.

https://api.surveymonkey.com/oauth/authorize?response_type=code&client_id=USupYW2JQu-EDTkDYtsSEg&redirect_uri=https://oauth.freshdev.io/auth/callback&state=ePKrhgywbW3tUbhRLm1RDA50

Shared below is the SurveyMonkey team's response for your reference.

When you click on the test OAuth flow, SurveyMonkey does not add a state parameter. If you want to use the state parameter with your app’s OAuth flow you will need to add the state parameter to the install URL.

If you are using a unique state parameter value for each OAuth install, your client app will need to generate parameter value and verify it.

There is no way to dynamically update parameter values in install URLs hosted on our App Directory so you will need to host the OAuth install URL on a site you control. Your app listing on our App Directory will direct users to your site to install the app.

@Vignesh-Agiratech Thanks for the explanation with a demo of this issue for us over an Office hour call.

Here’s the summary after our meeting:
Problem statement:

  • SurveyMonkey integration app with OAuth works fine as a custom app.
  • It has also been submitted and approved on our Freshworks Marketplace earlier.
  • Only the approval for the integration app in the SurveyMonkey Marketplace is pending, and the OAuth flow is failing with the “invalid state” error when the OAuth handshake flow is tested from the SurveyMonkey console.
  • When the OAuth flow testing is initiated from SurveyMonkey console, the callback URL with authorisation code doesn’t have a “state” parameter along.
  • Only if the app installation is initiated from the Freshworks app the authorisation request will have the “state” parameter with a unique value generated. Freshworks platform expects the same state returned in the authorisation code response parameter as well.

Possible solution:

  • Since the Freshworks platform expects the state parameter, we cannot do any arrangement to ignore it for custom test flows.
  • For testing to approve the app in SurveyMonkey Marketplace, the SurveyMonkey platform can redirect the user-agent to the Freshworks app gallery to install the app, and the OAuth handshake will succeed.
  • We can do arrangements for this flow. The app is already approved on our gallery, and it should work for the testing flow as well.
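
The state check summarised above, as an added Node.js example that is not part of the thread and is not Freshworks platform code: a client-initiated install stores a fresh state and the callback must return it, so a flow started from the provider's console, which carries no state, ends in "invalid state". The names `beginInstall`, `handleCallback` and the `session` object are assumptions for illustration, and the client id is a placeholder.

```javascript
// Added illustration; not Freshworks platform code.
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Constant-time string comparison; length is checked first because
// timingSafeEqual throws on buffers of different length.
function safeEqual(a, b) {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Client-initiated install: create a fresh state, remember it in the user's
// session (hypothetical plain object), and put it in the authorization URL.
function beginInstall(session, authorizeUrl, clientId, redirectUri) {
  const state = randomBytes(18).toString('hex');
  session.oauthState = state;
  const url = new URL(authorizeUrl);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  return url.toString();
}

// Callback handler: the returned state must match the one stored for this
// session. A flow started at the provider carries no state and is rejected.
function handleCallback(session, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const returned = params.get('state');
  const expected = session.oauthState;
  delete session.oauthState; // single use: a replayed callback fails
  if (!returned || !expected || !safeEqual(returned, expected)) {
    return { ok: false, error: 'invalid state' };
  }
  return { ok: true, code: params.get('code') };
}

// Constructed demo values; the client id is a placeholder.
const CALLBACK = 'https://oauth.freshdev.io/auth/callback';
const AUTHORIZE = 'https://api.surveymonkey.com/oauth/authorize';
function demo() {
  const session = {};
  const authUrl = beginInstall(session, AUTHORIZE, 'EXAMPLE_CLIENT_ID', CALLBACK);
  const state = new URL(authUrl).searchParams.get('state');
  return {
    clientInitiated: handleCallback(session, `${CALLBACK}?code=abc&state=${state}`),
    providerInitiated: handleCallback({}, `${CALLBACK}?code=abc`),
  };
}
console.log(demo());
```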