Kinde · 6mo ago
Kenneth

Changing API settings takes an incredibly long time

When updating authorized applications for an API it takes a really long time until these changes are reflected when requesting access tokens, both for M2M tokens and user tokens. When adding a new API and adding a new authorized application, I can't seem to request tokens for this audience for several hours after making the changes in the Kinde Admin portal. The Kinde API also shows the API is active for said application (identifiers redacted):
GET https://<environmentUri>.eu.kinde.com/api/v1/apis/***
{
  "api": {
    "id": "****",
    "name": "MyApiName",
    "audience": "MyApiAudience",
    "applications": [
      {
        "id": "****",
        "name": "MyWebApp",
        "type": "Front-end and mobile",
        "is_active": true
      }
    ],
    "is_management_api": false
  },
  "code": "OK",
  "message": "Success"
}
Although the API says it is active, token requests keep giving the same error for quite a few hours, until it resolves itself automagically.
{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Requested audience '*****' has not been whitelisted by the OAuth 2.0 Client."}
Also when revoking access to an API/Audience or deleting an API completely, the application can still request M2M tokens for several hours after it has been revoked. Do you have any explanation, since this is quite the hurdle in developing new applications in our suite and for authorizing/revoking API access on production systems.
20 Replies
Oli - Kinde · 6mo ago
Hey @HayleySky, It definitely should not take several hours for you to request tokens for this audience of the API/applications you authorized. Do you authorize an application/API via the Kinde Admin or Kinde Management API? I want to replicate your issue but I need to know how you experienced this issue.
Kenneth (OP) · 6mo ago
@Oli - Kinde I’ve been exclusively adding/deleting/authorizing the APIs via the Kinde admin portal.
@Oli - Kinde Since yesterday evening, about 9 hours later, the same issue is still occurring. Also when authorizing an application/API via the Kinde Management API the same issue occurs.
Oli - Kinde · 6mo ago
Hey @Kenneth, Would you be able to record what actions you are doing in the Kinde Admin portal so I can try to reproduce this myself? You can DM me the recording if you prefer. I will speak to my team on this issue on Monday. Apologies for the inconvenience.
Kenneth (OP) · 6mo ago
@Oli - Kinde I've DMed you a recording, I will reach out again on Monday to see if there are any updates, thanks!
Oli - Kinde · 6mo ago
Hey @Kenneth, I couldn't see a DM with a recording. Are you able to send it again?
Kenneth (OP) · 6mo ago
Hi @Oli - Kinde Did you not receive any direct messages I've sent?
Kenneth (OP) · 5mo ago
@Oli - Kinde I just checked again to see if the API/application authorization would have come through and now after approximately 36 hours the changes are finally reflected in the authentication layer, not sure what exactly is happening here that's causing such delays.
Oli - Kinde · 5mo ago
Hi @Kenneth, I can now see the videos you sent to me in a DM now. I will look into your issue with my team tomorrow.
viv (kinde) · 5mo ago
Hey @Kenneth - would you mind trying to get a new access token after updating any information and using that on the API endpoint you're hitting? On Postman, it'd be on the auth tab - getting a new access token should include the updated information. Otherwise, it could potentially be cached causing you to see delays in reflecting the latest changes so clearing any would resolve it if so. Let us know if any of these solutions help fix that up? Thanks!
Kenneth (OP) · 5mo ago
@viv (kinde) the problem is that I'm unable to request an access token for an API/audience after it has been granted access via the Kinde API or the admin portal. I'm unable to request an access token in the first place due to the audience not being "known" by the authentication layer somehow.
viv (kinde) · 5mo ago
ahh gotcha - I had a look in the logs and I'm not seeing anything pointing to that err, nor was I able to replicate the delay on my app, would you be able to invite [email protected] to your business as a team member so I can take a look from there? Thank you!
Kenneth (OP) · 5mo ago
It's strange, since I have de-authorized an application for an API and I'm still able to request M2M access tokens, hours later. I will check internally if we can do this. @viv (kinde) I've DMed you the details.
viv (kinde) · 5mo ago
sweet, received - thank you, I'll take a look!
viv (kinde) · 5mo ago
Hey @Kenneth - would you mind giving it a try sending the value in the access token URL? ie https://kennethdev.kinde.com/oauth2/token?audience=SignalRAPI rather than the request body - might be a weird bug, but this seems to be working for me in Postman (https://www.loom.com/share/4a61aabcede140f08b4d2127ff9fd3ea) - I'll check if anyone knows why this might be happening. Thanks!
Kenneth (OP) · 5mo ago
Alright the request seems to succeed, because no audience is requested at all with this approach. When you check https://jwt.io with such generated token you will see there is no value present in the aud claim :/ @viv (kinde)
Kenneth (OP) · 5mo ago
So sadly this does not solve the issue because we are trying to request an access token with the aud claim being ["SignalRAPI"] in this case. Is there any other information I can provide for further troubleshooting?
viv (kinde) · 5mo ago
thanks for sending that over - it may be a caching issue on our side, we're looking into it & will keep you posted 🙂
hey @Kenneth - it was a problem with caching - there's a change currently in review to fix this up (should be merged and deployed soon)
hey @Kenneth - just deployed, you will need to hit save again to get it working
let me know if you run into any further issues with that
Kenneth (OP) · 5mo ago
@viv (kinde) Everything seems to be working smoothly now, changes in API/Application configuration in the Kinde admin portal are now reflected instantly again in the authentication layer. Thank you and thank you @Oli - Kinde for troubleshooting this issue and resolving it this quickly, much appreciated!
Oli - Kinde · 5mo ago
Our pleasure. Please don't hesitate to reach out if you come across any other issues.