Closed Bug 1092080 Opened 10 years ago Closed 10 years ago

Can't sign into Firefox Accounts - Invalid Token

Categories: Cloud Services :: Operations: Miscellaneous (task; Not set; blocker)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: standard8, Unassigned
Whiteboard: [qa+]

We're unable to log into Firefox accounts via Loop or Sync using the latest nightly or beta.

When attempting to do so, the following message is returned:

{"code":401,"errno":110,"error":"Unauthorized","message":"Invalid authentication token in request signature","info":"https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#response-format"}

This has happened on at least these endpoints:

POST https://api.accounts.firefox.com/v1/certificate/sign
GET https://api.accounts.firefox.com/v1/recovery_email/status

STR:

1) Set up a new profile on Firefox Nightly or Firefox Beta
2) If on Beta, move the Hello button out of the customise options onto the toolbar
3) Open the Hello panel
4) Select "Sign in or sign up"
5) Enter the username and password on the tab that appears

Expected Results

- You get logged in

Actual Result

- It displays "Invalid Token"

The responses are as above.

Using profiles that have already been signed into the FxA server seems to work fine.

I've also reproduced this on a sync login.
We are seeing another 410 110 response (never seen before). It might be related.

E/GeckoConsole( 2206): Content JS LOG at app://loop.services.mozilla.com/js/helpers/client_request_helper.js:95 in _request/req.onload: ERROR 401: {"code":401,"errno":110,"error":"Malformed audience"}
(In reply to José Antonio Olivera Ortega [:jaoo] from comment #1)
> We are seeing another 410 110 response (never seen before). It might be
> related.
> 
> E/GeckoConsole( 2206): Content JS LOG at
> app://loop.services.mozilla.com/js/helpers/client_request_helper.js:95 in
> _request/req.onload: ERROR 401: {"code":401,"errno":110,"error":"Malformed
> audience"}

We are sending the right audience:

E/GeckoConsole( 1761): Content JS LOG at app://loop.services.mozilla.com/js/utils.js:145 in u_parseClaimAssertion: Payload assertion {"exp":2203149669034,"aud":"app://loop.services.mozilla.com"}
(In reply to José Antonio Olivera Ortega [:jaoo] from comment #1)
> We are seeing another 410 110 response (never seen before). It might be
> related.
> 
> E/GeckoConsole( 2206): Content JS LOG at
> app://loop.services.mozilla.com/js/helpers/client_request_helper.js:95 in
> _request/req.onload: ERROR 401: {"code":401,"errno":110,"error":"Malformed
> audience"}

Oops, I forgot to comment that the trace I posted here was what the server responded after sending an invalid assertion when hitting the same issue Mark reported. When the assertion is valid everything works.
See Also: → 1092061
1414763296893	Sync.BrowserIDManager	ERROR	Failed to fetch a token for authentication: AuthenticationError(TokenServerClientServerError({"now":"2014-10-31T13:48:16.889Z","message":"Authentication failed.","cause":"invalid-client-state","response_body":"{\"status\": \"invalid-client-state\", \"errors\": [{\"location\": \"body\", \"name\": \"\", \"description\": \"Unauthorized\"}]}","response_headers":{"content-type":"application/json; charset=UTF-8","date":"Fri, 31 Oct 2014 13:48:16 GMT","x-timestamp":"1414763296","content-length":"111","connection":"keep-alive"},"response_status":401}))

From 21.10.2014 up to now and still continues.
Quick note, Firefox Accounts was rolled back to a previous version (train-23) for now until we resolve the "invalid token" problem.
Whiteboard: [qa+]
After the rollback, things are mostly "normal". We're still investigating.
This should be resolved.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Michal, can you please open a separate bug for your "invalid-client-state" error if there isn't one already?  I don't think it's related to the other issues seen in this bug.
Flags: needinfo?(mpurzynski)
How about I bundle the entire directory with errors from 25.10 up to now in a separate bug? Is there anything sensitive there that should not be public?
Flags: needinfo?(mpurzynski)
Chris, Nick Desaulniers is seeing the bug 1059787 version of this behavior again on FxOS 2.0. He may be using an out-of-date build; he's not sure. Can you give me any detail about what fixed it on the server side?
Flags: needinfo?(ckarlof)
I don't think Bug 1059787 is related to this fix.

This bug here was an error talking to the FxA server endpoints.  As far as I can tell it was triggered by a new deployment last week, and was fixed when we rolled back that deployment.

Bug 1059787 had been around for some time prior to that deployment and I would not expect it to have been fixed by the rollback.  We've also never seen Bug 1059787 before with sync, whereas this bug was reproducible on sync.  So I strongly suspect they are not related.
What :rfk said.
Flags: needinfo?(ckarlof)