Contract Approval Not Launching

Joseph Garvey
edited October 18, 2023 in IM Services #1

I went through the Contract Approval tutorial - Building a Contract Approval application and downloaded the finished version and followed all the prerequisites. All looks good, but when I try to launch the app from a browser I get the following error:

                {
                  "error":"invalid_request",
                  "error_description": "Invalid redirect URI "
                }

I went back and made sure the redirect URI is set to https://localhost:4000

And I can't get past this invalid_request error?


Answers

  • I was wondering if this could perhaps be an issue with the protocol. The Contract Approval app seems to run locally on http://localhost:4000 but the set up docs seem to say the redirect URL should be https://localhost:4000. Have you tried adding http://localhost:4000 to the redirect URL list?

  • Was this resolved? I'm facing the same issue.

  • gvicari E mod
    edited January 2 #4

    The Contract Approval App should run on https://localhost:4000.

    Can you please make sure that you have indeed properly populated the .env file.

    It should look something like this:
    HTTPS=true
    PORT=4000
    REACT_APP_BASE_SERVICE_URL=https://na-1-dev.api.opentext.com
    REACT_APP_CSS_SERVICE_URL=https://css.na-1-dev.api.opentext.com
    REACT_APP_TENANT_ID=a9b144d5-4203-4acb-b9ce-cd265c8e3465
    REACT_APP_CLIENT_ID=G1HTxjjLGeEgBb4t648bLBIf1BRR954t
    REACT_APP_REDIRECT_URI=https://localhost:4000

    You also need to make sure you have configured the https://localhost:4000 redirect URL on the Public service client of the app (in the developer.opentext.com Admin Center):

  • Thank you for your input @gvicari - We were able to get past it. Our root cause was that we had applied some extra chars at the end of the URL in the Admin Centre; changing that resolved the issue. Although the copy of the code we have did not have the REACT_APP_CSS_SERVICE_URL, I have added it. We are now facing this issue where we are getting an "access denied" error. We end up having to click the "Reset" button to reach here.

  • @Aniket123, the latest version of the Contract Approval application is available here: https://github.com/opentext/demo-contract-approval-app. As you will see, the .env file ( https://github.com/opentext/demo-contract-approval-app/blob/master/.env ) does contain REACT_APP_CSS_SERVICE_URL. I recommend using that version of the Contract Approval App. This allows you to always have the latest version. We will soon update the tutorial accordingly (i.e.: to also point to the GitHub location).

  • Took the latest version, still facing the "access denied" error for the scope items.

  • @Aniket123, it's probably worth doing a basic test (if you didn't already) to see whether or not you can get an access token and do a proper API call afterwards. The best way to do that is to use the Postman collection and environment available from the /docs folder in the Contract Approval App project.

    Once you have imported both the Cloud Developer Tutorial Postman collection and environment into Postman, execute (from Postman) the /Cloud Developer Tutorial/Get access token with username/password request to get an access token (make sure there is no error ⇒ you should get a Status: 200 OK result). After that, just try to execute the /Cloud Developer Tutorial/Content Metadata Service (CMS)/namespaces/Get all namespaces request. It should return all namespaces in your developer tenant.

    If this works, we can investigate further with the app. If it doesn't, we should first get this to work.

  • 1. We had tried getting a bearer token with success and accessing the Capture service APIs; this is using client ID and secret. → Will further try what you have suggested.

    2. In a similar manner we were also able to get a token using the "OCP-sso-sample-application-main" project. So what works is using the secret key at org level, tenant level and app level. As for using the PKCE method, it works at the tenant page using the public client ID. On the User page we tried using the PKCE option with the public client ID of the App and we get the same error of access denied. (The reason I'm putting this here is that if we are taking the wrong approach with the User page, it can come to light.)

    And last but not least, thank you @gvicari for giving us pointers so quickly. 👍️

  • One correction: in the SSO project the Organization page and its public client take us to the OAuth login page and give us a token using the PKCE method (not at tenant level as mentioned incorrectly by me earlier).

  • @Aniket123, as an alternative/additional test, you could clone the Contract Approval App from GitHub (https://github.com/opentext/demo-contract-approval-app). It is the most recent version (it gets updated on a regular basis), and I just ran through updating + testing it yesterday.

    Make sure to indeed clone it (so you can git pull on a regular basis to get the latest and greatest) and to install the latest LTS versions of NodeJS ( https://nodejs.org/en ) and Java ( https://www.oracle.com/java/technologies/downloads/ ), along with the latest version of MS VS Code and the OpenText Cloud Developer Tools extension pack.

    Once cloned, in VS Code, run npm install (via terminal) and deploy the project to your OpenText Cloud Platform (developer) organization (and tenant). Make sure to rename or delete any already existing Contract Approval apps to avoid conflicts when deploying. Use the credentials returned by the deployment to fill the .env file (you should use tenant id and public client id).

    In Admin Center, at the organization level, make sure to add https://localhost:4000 as redirect URL for the Contract Approval App. Add your user to all three of the Line Managers, Risk Managers and Administrators groups in the Contract Approval App, but this time at the tenant level, to ensure you will see all application tabs.

    Back in VS Code, from the terminal, run npm start. If you cannot log in, reset your password from the log in screen.

    If you still cannot log in, or don't even get a login screen (i.e.: error of some sort), please let me know (let me know which step fails: getting the login screen or logging in after entering credentials).

  • Will give a fresh try. (FYI - previously at organization level when the login screen was showing, our creds were not working; later we figured out that the organization passwords are different from the OT connect ones :-) lesson learnt)

  • @Aniket123, yes, and be careful, the Tenant level one can also be independently set. I.e.: that's why I mentioned using the "reset password" option in the login screen if you get access denied issues after logging in. Cheers.

  • Was able to see the login screen, reached here after login

  • gvicari E mod
    edited January 3 #15

    That's because you didn't add your user to the groups in the application. In Admin Center, you need to go to /<organization>/Tenants/<tenant>/Apps/Contract Approval/Groups and put your user in the administrators, line_managers and risk_managers groups. You can also put a user in contract_approval_users (without adding them to any other group), but that will result in not seeing the line manager and risk manager tasks tabs for that user.

    You should see something like this (example of line_managers group):

    You can see how this message is generated (and why) when looking in the code of the Contract Approval App.

  • You are right, after adding the ID to groups

  • FYI - for some reason on a Windows machine we still had to switch it to Unix to get the project working. We are now able to create a Contract → send it for approval. Will continue testing and investigating. Thanks a ton @gvicari

  • Regarding the End Of Line problem, normally, when you clone from VS Code using a Git client (VS Code git client) it will automatically convert to the EOL for your operating system.

    You can verify (in terminal in VS Code) what the current setting is for this auto convert via command:
    git config --global --get core.autocrlf

    This should return true.

    If it doesn't, you can set it to true with git config --global core.autocrlf true.
    If you then clone the demo-contract-approval-app GitHub repository (you can try in a different folder to test), all files should use CRLF EOL.

    You might also have LF if you download a ZIP file instead of cloning via Git client.

  • Hello, I have the same problem. I can consume the APIs with Postman (get access token, creating types …) but I can't access the app; I am getting this error although the redirect URL is configured in the app. Any idea what may be the issue? Thanks

  • @Med_2024, when a redirect is invalid (as per earlier explanation in this thread) this is most likely caused by the redirect URL configuration for the deployed application's public client not being correct. It needs to exactly match the URL of the application running on your machine, in the tutorial/GitHub this should be https://localhost:4000.

    You can also find this explained in a little more detail under the "Public Service Client redirect URL" section of the README of https://github.com/opentext/demo-contract-approval-app.
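The exact-match requirement discussed in this thread, as an added example (not code from the Contract Approval App or from OpenText): a small Node.js check that compares REACT_APP_REDIRECT_URI from a .env file with the redirect URLs you copy by hand from the public client in Admin Center, and reports the mismatches reported above (http vs https, extra trailing characters, stray whitespace). The function names and the sample values are constructed for illustration.

```javascript
// Added example. Function names and sample data are hypothetical/constructed.
// Parse KEY=VALUE lines from .env text (handles LF and CRLF line endings).
function parseEnv(text) {
  const env = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$/);
    if (m) env[m[1]] = m[2]; // keep the raw value so stray whitespace stays visible
  }
  return env;
}

// Redirect URIs are compared as exact strings, so anything short of an
// identical entry fails. On failure, explain which near-miss is registered.
function diagnoseRedirect(configured, registered) {
  if (registered.includes(configured)) return { ok: true, hints: [] };
  const hints = [];
  const wantText = configured.trim();
  let want;
  try { want = new URL(wantText); }
  catch { return { ok: false, hints: [`not a URL: ${JSON.stringify(configured)}`] }; }
  if (configured !== wantText) hints.push('.env value has surrounding whitespace');
  for (const entry of registered) {
    const label = JSON.stringify(entry);
    const haveText = entry.trim();
    let have;
    try { have = new URL(haveText); }
    catch { hints.push(`${label}: not a valid URL`); continue; }
    // Only comment on entries for the same host and port.
    if (have.hostname !== want.hostname || have.port !== want.port) continue;
    if (entry !== haveText) hints.push(`${label}: whitespace around registered value`);
    if (have.protocol !== want.protocol)
      hints.push(`${label}: scheme ${have.protocol} differs from ${want.protocol}`);
    if (haveText.length > wantText.length && haveText.startsWith(wantText))
      hints.push(`${label}: extra characters after ${wantText}`);
  }
  return { ok: false, hints };
}

// Constructed sample: .env fragment and a registered list with two near-misses.
const SAMPLE_ENV = 'HTTPS=true\r\nPORT=4000\r\nREACT_APP_REDIRECT_URI=https://localhost:4000\r\n';
const SAMPLE_REGISTERED = ['http://localhost:4000', 'https://localhost:4000/'];

function runSample() {
  const uri = parseEnv(SAMPLE_ENV).REACT_APP_REDIRECT_URI;
  return diagnoseRedirect(uri, SAMPLE_REGISTERED);
}
```

Calling `runSample()` returns `ok: false` with one hint per near-miss entry; a list that contains `https://localhost:4000` exactly returns `ok: true`.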

  • Thank you @gvicari for your reply. After verifying the redirect URL configuration as you mentioned, I'm getting the following error: "Scope 'create_publications' not configured on this OAuth client". I don't know how to add this scope.

    The scopes supported from https://na-1-dev.api.opentext.com/tenants/%3Ctenant_id%3E/.well-known/openid-configuration ⇒ "scopes_supported":["openid","otds:groups","otds:roles"]

  • @Med_2024, can you try the previously (in thread) described way of getting a token via Postman, using username/password?

    For your convenience:

    Use postman collection and environment available from the /docs folder in the Contract Approval App project. Once you have imported both the Cloud Developer Tutorial Postman collection and environment (please use confidential client and client secret returned when first deploying application) into Postman, execute (from Postman) the /Cloud Developer Tutorial/Get access token with username/password request to get an access token (make sure there is no error ⇒ you should get a Status: 200 OK result).

    Note that the access token you get should contain the following (or something similar) in the JSON response payload:
    "scope": "create_publications view_publications search_publications delete_publications readwrite otds:roles otds:groups search",

    After that, just try to execute the /Cloud Developer Tutorial/Content Metadata Service (CMS)/namespaces/Get all namespaces request. It should return all namespaces in your developer tenant.

    If all this works, you still have an issue with the app, if it doesn't, we need to have a deeper look at your developer organization/tenant. Let me know the results.

  • @gvicari, I confirm that all of the Postman collection is successfully executed, including obviously the /Cloud Developer Tutorial/Get access token with username/password, also the scope you mentioned, as you can see in the attached images

    Also the scope error:

  • @Med_2024, if you are indeed using the correct public client ID and tenant id, there might be an issue with your client. Once you confirmed all is indeed correct from tenant id/public client id perspective, could you please share the last four characters from your public client ID of the application at organization level (Public client under /<your organization>/Apps/Contract Approval/Clients in Admin Center) and the four last characters of the tenant ID, so that we can investigate from our side to see if there's something wrong in your deployed application.

    What you could also do before that (If that is an option) is delete the entire application (from tenant and organization ⇒ beware, you might need to use Postman to delete deployed artifacts and created instances) and if you don't mind going further, even delete the tenant and recreate it AND redeploy the application after. This might fix things, just because you fully reset (delete/recreate) your tenant and app.

  • Med_2024
    edited January 8 #26

    @gvicari, TENANT_ID=**********5b8a

    CLIENT_ID=*******V2wX. Thank you for the investigation. In the meanwhile, is there a way to check the configuration of the OAuth client of the app?

  • @Roger K, would you be able to have a look at the above problem, maybe you can help with the investigation?

  • Getting this error message after clicking on "Line Manager tasks" tab

  • FYI - This is resolved, there were 2 tasks created from when groups/ assignment were not setup properly, we had to delete their assignments and it seemed to resolve the issue.

  • @Med_2024, please can you generate another application and test with the public client of that app?

    How long ago did you create the application you are using?

  • @Roger K, I started using the platform on the 4th of January and have been creating several apps since then. The latest one was created this morning, but I keep encountering an error

    1. error_reason: scope_not_permitted
    2. error_description: Scope 'create_publications' not configured on this OAuth client

    Couldn't guess what can be wrong, or how to check the OAuth client configuration.