Started getting "invalid_client" error today using password grant

Updated 15 hours ago
I have a very basic, intranet page we use to give employees access to documents we've uploaded. It's been working very well up until today using the password grant authentication method, but now suddenly I started getting back the following in response to any request I make:

{
    "error": "invalid_client",
    "error_description": "client_id or client_secret is invalid"
}

I've checked the api.sharefile.com account and the API keys are still in place; the values for client ID and client secret haven't changed. Anybody else having similar issues? Any help would be appreciated.
Jeff Caldwell

Posted 10 months ago

Dale Smith, Software Engineer
Hi Jeff, 

Would you please upload a text file to:
https://citrix.sharefile.com/r-r119d7580ad147358

with the client id and the subdomain and email address you are using for the password grant and we can take a look.

Thanks,
Dale Smith
Jeff Caldwell
Done. Thanks Dale.
Dale Smith, Software Engineer
Hi Jeff,

So I looked up your OAuth client and your user, and everything appears okay. I also used your OAuth client to do a password grant for my ShareFile account and was able to receive a token. Are you still having the issue? If so, have you run a Fiddler or other network trace to verify that your code is sending the values you expect? Are you using one of our SDKs to make the call, or have you constructed code to do the call for you?

Dale
Jeff Caldwell
Thanks Dale,

Really appreciate you looking into it. Well, after my code started failing I actually plugged values into Postman to see if I could get a good response and I got the same thing as my code. The strange thing is that this all worked for several months and then just stopped late last week. I'll upload a screenshot of my Postman call to your sharefile link above.
Dale Smith, Software Engineer
Hi Jeff,

Thanks for sharing the screenshot. I see the issue, but I'm unsure what would have caused it to work before and all of a sudden break. When calling the /oauth/token endpoint, if you are putting in the information via form data, then the verb you want to use is a POST. We do support GETs to that endpoint, but the data would be in the query string. Our overall stance, however, is to always use POST with either form-data or x-www-form-urlencoded as the request content type, due to the sensitive nature of the data being passed (client secret and password). Could you try making that change and see if your call succeeds?

Thanks,
Dale 
Jeff Caldwell
Hey Dale,

Turns out I had some other issues going on on my dev server making this a lot harder (like my JRE not liking the ShareFile cert). Anyway, I was actually using a POST in the code I was testing, but had other issues as well. Once I got Postman going I quickly figured out where my issue was. I'm back in business now.

Thanks for your help!

Jeff
Chris Mathews
I'm having the same issue, receiving:
{
    "error": "invalid_client",
    "error_description": "client_id or client_secret is invalid"
}

I'm posting this url: https://subdomain.sharefile.com/oauth/token?grant_type=password&client_id=[client]&client_se...

any ideas on why the failure?
Jim .
@Chris Mathews
I'm having the same issue. It just started about 2 days ago.
Jim .
I was able to fix my issue by going into settings and adding an Application Specific Password.

In the account settings under 2 Step Verification there is a section that says "Some ShareFile applications that run outside a browser are not compatible with Two-Step Verification, and you will need to create a separate password."
c johnstone
Also having the same error, invalid client_id. Now getting a server error from ShareFile. Used Postman to verify.
c johnstone
Update: on Friday, I was able to get hold of a tech at Citrix named John who informed me this was due to the MFA they were rolling out. If you use this type of grant in your app, you need to disable MFA completely on the account. Sadly, Citrix won't publicly acknowledge the issue and you have to call or dig through these forums.
Dale Smith, Software Engineer
Hi c johnstone,

If you use the password grant type in your application, you do not need to disable MFA. Instead, the user logging in will need to go into their MFA settings in the web app and generate an application-specific code. You would then use that application-specific code instead of the password.

Thanks,
Dale
James
Hi Dale

I'm also having the same issue. I have created an application-specific password/code and used it in my call. Can I send you a screenshot of my Postman test for you to have a look at?

Further to the above:

Using the V3 API:

With 2FA OFF, password grant works with the user's 'normal' password.
With 2FA ON, password grant causes the following error when using the 'application specific' password:

400 Bad Request
{
    "error": "invalid_client",
    "error_description": "client_id or client_secret is invalid"
}

Using the V1 API:

With 2FA OFF, password grant works using the user's 'normal' password.
With 2FA ON, password grant works using the 'application specific' password.

Any help would be greatly appreciated

Regards

James
Dale Smith, Software Engineer
Sure James,

Feel free to upload any relevant info here: https://citrix.sharefile.com/r-re1b128cece942158 and I'll take a look.

Dale
James
Thanks Dale. I've uploaded a screenshot. The client ID and secret are valid, as I've used them to test the other scenarios outlined above. If there is any other information you require, please let me know.
Dale Smith, Software Engineer
Hi James,

Took a look at your screenshot. As far as your call with Postman goes, you are using a POST, but you have put the properties in the query string. When you are using POST, the properties must be in the body as x-www-form-urlencoded.

I'm guessing, however, that is not your issue in your application. So if you do the above and are still receiving an error, please upload any new information to help.

Thanks,
Dale
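The point Dale makes twice in this thread (the password grant must be a POST with the credentials in an x-www-form-urlencoded body, not in the query string, because the query string carries the client secret and the user's password into proxy logs, server logs and history) is easy to get wrong in Postman and in code alike. The following is an added example, not code from this thread or from Citrix's SDK: a small Python client that sends the grant correctly, the broken query-string variant beside it, and a throwaway local stand-in for /oauth/token that answers the way the endpoint is reported to answer here, so the two can be compared offline. The /oauth/token path, the JSON shape and the two error texts are taken from the posts above; the credentials, the token value and the mock's internal behaviour are assumptions constructed for the demo.

```python
"""Added example, not code from this thread or from Citrix's SDK.

A minimal OAuth 2.0 password-grant client that does what Dale describes
(POST, credentials in an x-www-form-urlencoded body, nothing secret in the
URL) next to the broken variant from the Postman screenshots (POST, but
parameters in the query string). A throwaway local token endpoint mimics
the responses quoted in the thread so the two can be compared offline.
The /oauth/token path, the JSON shape and the two error texts come from the
thread; every other value (credentials, token, port) is constructed here.
"""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the mock endpoint; not real ShareFile values.
FAKE_CLIENT = {"client_id": "abc123", "client_secret": "s3cret"}
FAKE_USER = {"username": "jeff@example.com", "password": "app-specific-pw"}


class MockTokenHandler(BaseHTTPRequestHandler):
    """Stand-in for /oauth/token (assumed behaviour). Like the real endpoint
    as described in the thread, it reads credentials from the POST body only:
    anything in the query string is ignored, so the client looks invalid."""

    def log_message(self, *args):
        pass  # keep the mock quiet

    def _send(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if urllib.parse.urlparse(self.path).path != "/oauth/token":
            return self._send(404, {"error": "not_found"})
        length = int(self.headers.get("Content-Length", 0))
        form = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        if (form.get("client_id"), form.get("client_secret")) != (
                FAKE_CLIENT["client_id"], FAKE_CLIENT["client_secret"]):
            return self._send(400, {"error": "invalid_client",
                                    "error_description": "client_id or client_secret is invalid"})
        if form.get("grant_type") != "password" or (
                form.get("username"), form.get("password")) != (
                FAKE_USER["username"], FAKE_USER["password"]):
            return self._send(400, {"error": "invalid_grant",
                                    "error_description": "invalid username or password"})
        self._send(200, {"access_token": "tok-xyz", "token_type": "bearer"})


def start_mock_server():
    """Serve the mock endpoint on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockTokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _post(url, body):
    """POST and return (status, parsed JSON), treating a 4xx as a normal response."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


def password_grant(base_url, client_id, client_secret, username, password):
    """Correct form: credentials only in the form-encoded body. `password` is the
    user's normal password, or an application-specific password when the account
    has two-step verification enabled (as Dale notes later in the thread)."""
    params = {"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
              "username": username, "password": password}
    return _post(f"{base_url}/oauth/token", urllib.parse.urlencode(params).encode())


def password_grant_in_query_string(base_url, client_id, client_secret, username, password):
    """Broken form from the thread: POST verb, but everything in the query string.
    The secret and password now sit in the URL (logs, proxies, history) and the
    endpoint, reading only the body, answers invalid_client."""
    params = {"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
              "username": username, "password": password}
    return _post(f"{base_url}/oauth/token?{urllib.parse.urlencode(params)}", b"")


if __name__ == "__main__":
    server, base = start_mock_server()
    try:
        print("body:        ", password_grant(base, **FAKE_CLIENT, **FAKE_USER))
        print("query string:", password_grant_in_query_string(base, **FAKE_CLIENT, **FAKE_USER))
    finally:
        server.shutdown()
```

Run as a script it prints a token for the body-encoded call and the invalid_client error for the query-string call against the same credentials; a wrong password through the correct path gives the "invalid username or password" error James saw once he moved his values into the body. Against the real endpoint, replace `base_url` with your `https://<subdomain>.sharefile.com` and keep `_post` as is: the secret never appears in the request line.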
James
Hi Dale, thanks for that. 

I've changed the Postman call and put the values in the body, but I'm still getting an error, although it has changed to 'invalid username or password'. Again, I know these values are correct. I have put 2 further screenshots in the link above, one of Postman and one from the Postman console.

Regards

James
Dale Smith, Software Engineer
Hi James,

I think I see what happened. When you use an app-specific code for the first time, it actually ties its usage to that particular application (somewhat, at least). When you log in via V1 API endpoints, an application isn't really tracked, since it wasn't OAuth based. Because of that, the app-specific code gets tied to a generic application. When you then try to execute the OAuth password grant login, it compares your application against that generic application, says it doesn't match, and then rejects the app-specific code. If you generate a new app-specific code and first use it against the OAuth password grant login, it should work correctly.

Dale Smith