[source-facebook-marketing] Unable to parse access token

[RocketerJames]

Connector Name

source-facebook-marketing

Connector Version

3.3.6

What step the error happened?

Updating the connector

Relevant information

Hello,

It appears that since a recent change to "Add Selectable Auth" (#37625) I am no longer able to edit or create sources using the Airbyte authentication credentials (passing a secretId).

• Editing sources via the UI (Airbyte Cloud) that were created using this flow fail with the error 'Cannot parse access token'.
• Creating sources using the API fail with the error 'Missing param auth_type'. This parameter doesn't appear documented in the Airbyte API docs.
• I am not able to create new source using Facebook Marketing in the UI (Airbyte Cloud) resulting in the same access token parsing error. Apologies if I am doing something wrong here: creating a new Facebook Marketing source, authenticating Airbyte and adding an account ID.

Apologies if this is more of an Airbyte Cloud/API issue than a source/connector issue.

Regards.

Relevant log output

Status:  400
  Response:
    {
      "error": {
        "message": "Invalid OAuth access token - Cannot parse access token",
        "type": "OAuthException",
        "code": 190,
        "fbtrace_id": "XXX"
      }
    })

Contribute

• Yes, I want to contribute

[marcosmarxm]

@RocketerJames, no need to apologize! It's a tough problem, and thanks for reporting it.

@airbytehq/critical-connectors can someone take a look or have more information about this issue?

[bazarnov]

@marcosmarxm I've just successfully created another source with the OAuth2.0 authentication with no issues; it seems like the Customer wants to create his source using airbyte api, which is beyond the scope of @airbytehq/dev-python, we should poke the move instead.

If there is an issue passing the creds, like it was before, the request should contain:

{
   ...,
   credentials: {
      "auth_type": "Client", # for OAuth2.0 and "Service" - for ServiceAccount authentication.
      "access_token": <token_here>,
      "client_id": <client_id_value_here>,
      "client_secret" <client_secret_value_here>,
   },
   ...
}

[RocketerJames]

Hi Baz, Sorry we are using the “secretId” functionality. I am not passing my own oauth access token or secret. Since the authentication changes, the support for utilising a secret id (airbyte oauth flow) has been broken. I think this may be api/cloud related rather than the source itself as it feels this is a layer on top.

[bazarnov]

@RocketerJames cc

@marcosmarxm Let's check whether or not we have manual override for the client_secret, for this Customer in our DB, i think i get the issue here, and it might be not related to the airbyte api.

@tybernstein Sorry poking you here, but we have to understand ehat under the hood here in terms of how the Customer is authenticated.

@RocketerJames can you please provide the link for your connection for Airbyte Cloud?

[RocketerJames]

Example source that will no longer Test and Save in Airbyte Cloud: https://cloud.airbyte.com/workspaces/67d97a43-3b9f-4c06-95af-379df8a503c0/source/7668f3d0-ed63-43df-b8e3-58bb17c6e6d6

Connection utilising that source that now longer syncs: https://cloud.airbyte.com/workspaces/67d97a43-3b9f-4c06-95af-379df8a503c0/connections/fe765bca-2f9c-44e7-85d5-7fca28fdfa5f/status

Thanks @bazarnov !

[bazarnov]

@cmm-airbyte Please take a look; since this is related to the selective auth changes, probably, the config was not migrated correctly and thus failed to be validated with no auth_type applied to it.

[wmikemoon]

@cmm-airbyte @bazarnov Any update here?

[bazarnov]

@wmikemoon I'll take a look as soon as possible.

[bazarnov]

@aldogonzalez8 You could probably speak out loud here since this issue should be fixed by now. Aldo, could you please confirm that this has been resolved on the connector registry side?

[wmikemoon]

@bazarnov @aldogonzalez8

User is still running into issues. Here's what they have tried:

• Re-authenticating existing broken sources still returns the same error
• Creating a new source returns the same error
• Creating a new source via the Cloud API returns an error

Can we have next steps, please?

[bazarnov]

@wmikemoon The next steps would be to address the error message:

Status:  400
  Response:
    {
      "error": {
        "message": "Invalid OAuth access token - Cannot parse access token",
        "type": "OAuthException",
        "code": 190,
        "fbtrace_id": "XXX"
      }
    })

To the Facebook Support Team, since it's clearly not on our side.

I assume this could be related to the Customer account they want to use for Airbyte (Facebook account and account ID).

[RocketerJames]

Hey @bazarnov , just some food for thought as I obviously have no visibility or full understanding on the Cloud UI/API but all my current Facebook Marketing connections are running fine. This only has happened to Facebook Marketing sources that I've edited or since created using the Airbyte Auth flow (I am not directly providing my own personal OAuth token).

In addition and in parallel, creating a new Facebook Marketing source via the Cloud API is also failing. Here, I am providing a secret_id as described here: https://reference.airbyte.com/reference/initiateoauth. Here I should be able to provide a secret_id returned in the browser flow instead of OAuth credentials utilising Airbyte as the application granted access to our accounts.

Both these issues 'appear' to have started when a change the Facebook Marketing connector auth options was made (mentioned above). There is also an introduction of a new parameter 'auth_type' which is not documented here: https://reference.airbyte.com/reference/createsource . Do you know what I should pass in this parameter if I am using the 'secret_id' auth flow? I think this flow that I am using perhaps isn't fully up-to-date with the latest connector changes maybe?

[bazarnov]

@wmikemoon I've discovered that their current access_token saved for their source configuration is shorter than it's expected to be:

• the access token they obtain consists of 20 symbols versus the one that should emit 200 symbols.

This is exactly the issue they have, and it could probably be related to the Facebook Business lib version, we use >= 19, and for unknown reason the access_token they receive after the re-auth is way too short than we need. The suitable version, I believe, to be able to run the saved source should be the ==17.x.x version.

This problem is related to the config migration process, which ignores custom client_id / client_secret and overrides it with the ones we provide, since it's not authorized to be accessed, the new token couldn't be just obtained correctly, because after the config migration we use airbyte auth flow credentials (client_id / secret) which is we normally do for everyone, but I'm not familiar with secret_id auth flow, mentioned, yet.

[bazarnov]

@RocketerJames Could you please refer to your Facebook Account and your Auth App created and validate the api version eligible to work with? Could that be the fact it still refers to v.17, instead of v.19, thus causing the issues for this secret_id auth flow?

[RocketerJames]

@bazarnov The app belongs to Airbyte. To confirm, we don't pass in our own auth credentials at all. Airbyte has a Facebook app that acts on behalf as described here: https://reference.airbyte.com/reference/initiateoauth so we don't generate the tokens or store them. This is where I think the process is failing.

[RocketerJames]

@bazarnov Just to help further, this is also what is presented when I click on Authenticate your Facebook Marketing account via the Cloud UI in order to set up a new source (and which fails once I click Set up source):

[bazarnov]

@RocketerJames I'm totally confused by this message:

Sorry we are using the “secretId” functionality.

When you say you use the secretId functionality, what exactly do you mean?

[bazarnov]

Could you please record the screencast of your actions (from start to end with failure) ? so we can reproduce the same on our end and tell you more? @RocketerJames

[RocketerJames]

@bazarnov sure thing, is there a way I send privately or via the support ticket perhaps?

Instead of providing oAuth credentials (token, client id etc), Airbyte Cloud API provides a way of utilising their Facebook app credentials which instead (via a three-legged browser flow) that provides a 'secret_id' and I pass this to the API instead when creating a new source.

[bazarnov]

@RocketerJames

via the support ticket perhaps?

yes, please

@wmikemoon Could you please facilitate this process and share the screencast you receive later on in DM or via LastPass secret note? Thank you!

[RocketerJames]

Hi @bazarnov , I've sent links to three screencasts via the existing support ticket (6993):
1: Showing setting up a new source from scratch that fails
2: The curl request via the documentation failing (mainly showing the secretId parameter)
3: Editing functional connection source via the cloud UI without any changes that immediately fails during the 'Test and Save' feature.

[bazarnov]

@RocketerJames Once I receive all the details and review them, I'll get back to you here. Thank you for your time and effort on this.

[RocketerJames]

Hi @bazarnov , to save you some time, I have now resolved this:

• Different browser and in incognito worked with no error but the exact same process (I did try this at the early stages of the ticket
• Although not documented, looking at existing connections, if I pass '"credentials":{"auth_type":"Client"}' alongside the 'secretId' parameter is now working via the Cloud API.

Apologies for wasting your time on this! I am going to close.

[bazarnov]

@RocketerJames You're rockstar. Thank you.