Can not get two-legged auth to work #49

Shaninnik opened this issue Sep 12, 2016 · 6 comments

Comments

@Shaninnik

I am trying to set up the two-legged device connection process for an iOS app that I am developing, but the connection always fails on the last step: Verify device ownership. I was able to successfully create a shadow customer (https://docs.particle.io/reference/api/#create-a-customer---client-credentials), update its OAuth token (https://docs.particle.io/reference/api/#generate-a-customer-scoped-access-token), and inject the token with injectSessionAccessToken, but no matter what I do next, it always fails at Verify device ownership. Also, after connecting to the Photon Wi-Fi it gives me a product ownership alert: "....do you want to override ownership to (null)?" so I guess there may be some issues with authentication.

If I use my regular particle account instead of the two-legged token everything works just fine.

I think that I have made a very stupid mistake somewhere, but can't understand where to look...

@idokleinman
Contributor

Did you associate this photon ID with your product in console?

@Shaninnik
Author

Ohh..., as I have said - stupid mistake. It works now! Thanks, I would have never figured this out by myself - I guess it might be worth noting this somewhere in the documentation for two-legged auth process.

@williamhqs

williamhqs commented Sep 18, 2016

Hi @Shaninnik @idokleinman, I have been working on two-legged auth recently too. May I ask, did you use SPK SDK methods or your own POST/GET to create the shadow customer?

If I follow the documentation, the server side, after creating the user, then generates the (shadow) customer by adding the no_password field like below.

```ruby
require "httparty"
# Create the shadow customer (no_password) with the product's OAuth client credentials
query = {"email": params["user"]["email"], "no_password": true}
response = HTTParty.post("https://api.particle.io/v1/products/my-product-one-v001/customers", body: query, basic_auth: {"username": "username", "password": "password"})
```

Then I get the access_token on the server, which is used to generate the claim code, but when I just use this access_token to generate a claim code as in the documentation:
https://docs.particle.io/guide/how-to-build-a-product/authentication/#4-create-claim-code-amp-send-to-device

I got:

{
  "ok": false,
  "code": 400,
  "error": "activation code was empty"
}%

What should I do for the activation code? I see the iOS SDK says
@param activationCode - optional (can be nil) activation code string for products in private-beta mode - see Particle Dashboard for product creators
So I pass nil or "", and it doesn't work.

Just wondering, should I use the iOS SDK methods or my own to make the shadow customer on the iOS side, if possible?

I see a method: -(nullable NSURLSessionDataTask *)signupWithCustomer:(NSString *)email password:(NSString *)password orgSlug:(NSString *)orgSlug completion:(nullable SparkCompletionBlock)completion

I guess this method can't be used for a shadow customer? Because
https://docs.particle.io/reference/api/#create-a-customer---client-credentials mentions no_password: true, which is not provided by the above method in the iOS SDK.

Sort of lost. I would very much appreciate any hints! Thank you!

@Shaninnik
Author

Hi @williamhqs The back-end part is very straightforward, no Spark SDK on server side, just plain POST requests. On user registration I also create shadow customer in the Particle Cloud:

```csharp
using System.Threading.Tasks;
using RestSharp;
using RestSharp.Authenticators;

public static async Task<CreateShadowCustumerResponse> CreateShadowCustomer(string email)
{
     var client = new RestClient("https://api.particle.io/");
     // The OAuth client ID and secret are used only here, on the server
     client.Authenticator = new HttpBasicAuthenticator(Config.ParticleClient, Config.ParticleSecret);

     var request = new RestRequest("v1/products/{productIdOrSlug}/customers", Method.POST);
     request.AddUrlSegment("productIdOrSlug", Config.ParticleProductId);

     request.AddParameter("email", email); // adds to POST or URL querystring based on Method
     request.AddParameter("no_password", true); // adds to POST or URL querystring based on Method

     var response = await client.ExecuteTaskAsync<CreateShadowCustumerResponse>(request);

     return response.Data;
}
```

And return access_token to the iOS app. Once returned in the iOS app I use

```swift
SparkCloud.sharedInstance().injectSessionAccessToken(accessToken)
```

Also I use OAuth2 for authentication internally, so every time I refresh my own access token, I also do a Particle access token refresh by calling

```csharp
using System.Threading.Tasks;
using RestSharp;
using RestSharp.Authenticators;

public static async Task<CreateShadowCustumerResponse> GenerateAccessToken(string email, long expires_in)
{
     var client = new RestClient("https://api.particle.io/");
     client.Authenticator = new HttpBasicAuthenticator(Config.ParticleClient, Config.ParticleSecret);

     var request = new RestRequest("/oauth/token", Method.POST);

     // client_credentials grant, scoped to a single customer by email
     request.AddParameter("grant_type", "client_credentials");
     request.AddParameter("scope", "customer=" + email);
     //request.AddParameter("expires_in", expires_in);

     var response = await client.ExecuteTaskAsync<CreateShadowCustumerResponse>(request);

     return response.Data;
}
```

And re-injecting new token after. That is all, all requests in Spark SDK will be authenticated if token was injected successfully. Everything else, apart from access token generation/refreshing is done on the iOS side using Spark SDK.

@williamhqs

williamhqs commented Sep 21, 2016

Hi @Shaninnik, thank you for your timely response, and sorry, I only had time today to continue on this, so I am replying late : )

I get the token.

```
"access_token" = 027e7703f162097853bd0b3a6cbad367fc703f40; "expires_in" = 7776000; "refresh_token" = 94ad8525c9f460e15e5864b1432d143ac94dd1b7; scope = "[email protected]"; "token_type" = bearer;
```

but when I try to inject the session,

```swift
SparkCloud.sharedInstance().injectSessionAccessToken(dic["access_token"] as! String)
```

I got the error. How about you?

'NSInternalInconsistencyException', reason: 'Couldn't add the Keychain Item.'
*** First throw call stack:

Thank you!

EDIT
Fixed.
http://stackoverflow.com/questions/39614125/keychainitemwrapper-couldnt-add-the-keychain-item

@rking788

rking788 commented Jul 3, 2017

Sorry to bring back such an old issue but I seem to be experiencing the same problem and I tried the keychain fix above and that did not help. I can open a new issue if that makes more sense.

I am attempting to do two-legged authentication as well and the app makes it all the way through the setup process and fails on the Verify device ownership step. At this point the status LED is "breathing cyan" (not sure if it's slowly or normally). At this point I have an oAuth client tied to my product, my server requests an access token and sends it to the iOS app and I call injectSessionAccessToken in the app with the newly returned access_token.

The iOS app logs show the following information during the setup process:

2017-07-03 11:46:45.097887-0400 myapp[6395:779138] DeviceID sent
2017-07-03 11:46:48.183594-0400 myapp[6395:779138] Could not send device-id command: Timeout occured while waiting for response from socket
2017-07-03 11:46:51.231478-0400 myapp[6395:779138] DeviceID sent
2017-07-03 11:46:51.260548-0400 myapp[6395:779138] DeviceID response received: <A_DEVICE_ID>
2017-07-03 11:46:51.260781-0400 myapp[6395:779138] PublicKey sent
2017-07-03 11:46:51.329365-0400 myapp[6395:779138] PublicKey response received
2017-07-03 11:46:51.329468-0400 myapp[6395:779138] ScanAP sent
2017-07-03 11:46:53.773406-0400 myapp[6395:779138] ScanAP response received
2017-07-03 11:46:53.773599-0400 myapp[6395:779138] Claim code - trying to set
2017-07-03 11:46:53.794780-0400 myapp[6395:779138] Device claim code set successfully: <A_CLAIM_CODE>
2017-07-03 11:46:56.761986-0400 myapp[6395:779138] SocketStream read error [0x1c416c000]: 1 54
2017-07-03 11:47:08.311010-0400 myapp[6395:779138] sparkSelectNetworkVC prepareForSegue : require_password
2017-07-03 11:47:08.986598-0400 myapp[6395:779138] Unbalanced calls to begin/end appearance transitions for <SparkSelectNetworkViewController: 0x1075804f0>.
2017-07-03 11:47:20.709688-0400 myapp[6395:779138] sparkSelectNetworkVC prepareForSegue : require_password
2017-07-03 11:47:21.329446-0400 myapp[6395:779138] Unbalanced calls to begin/end appearance transitions for <SparkSelectNetworkViewController: 0x1075804f0>.
2017-07-03 11:47:39.335176-0400 myapp[6395:779138] configureAP sent

Once it gets to the verify device ownership step, I see these logs:

2017-07-03 11:47:45.380793-0400 myapp[6395:780395] TIC TCP Conn Failed [17:0x1c01702c0]: 12:8 Err(-65554)
2017-07-03 11:47:45.382503-0400 myapp[6395:781434] HTTP load failed (error code: -1003 [12:8]) for Task <135C02D4-ED7D-4734-857F-13B1924BC79C>.<2>
2017-07-03 11:47:45.383324-0400 myapp[6395:781227] Task <135C02D4-ED7D-4734-857F-13B1924BC79C>.<2> finished with error - code: -1003
2017-07-03 11:47:46.068452-0400 myapp[6395:781039] TIC TCP Conn Failed [18:0x1c41654c0]: 12:8 Err(-65554)
2017-07-03 11:47:46.070006-0400 myapp[6395:781434] HTTP load failed (error code: -1003 [12:8]) for Task <36DCC8E1-87FE-41C2-BFF7-FE057A79EC3B>.<0>
2017-07-03 11:47:46.070254-0400 myapp[6395:781434] NSURLConnection finished with error - code -1003
2017-07-03 11:47:46.493234-0400 myapp[6395:781227] TIC TCP Conn Failed [19:0x1c0170680]: 12:8 Err(-65554)
2017-07-03 11:47:46.496295-0400 myapp[6395:781227] HTTP load failed (error code: -1003 [12:8]) for Task <73FBCF19-9F16-4152-969E-0ECE147B9EB6>.<3>
2017-07-03 11:47:46.497651-0400 myapp[6395:781227] Task <73FBCF19-9F16-4152-969E-0ECE147B9EB6>.<3> finished with error - code: -1003
2017-07-03 11:47:47.183422-0400 myapp[6395:781227] TIC TCP Conn Failed [20:0x1c4166180]: 12:8 Err(-65554)
2017-07-03 11:47:47.184485-0400 myapp[6395:781434] HTTP load failed (error code: -1003 [12:8]) for Task <9E0158E2-AE59-4534-931E-7925B642F226>.<0>
2017-07-03 11:47:47.184781-0400 myapp[6395:780395] NSURLConnection finished with error - code -1003
2017-07-03 11:47:47.563108-0400 myapp[6395:781039] TIC TCP Conn Failed [21:0x1c0170200]: 12:8 Err(-65554)
2017-07-03 11:47:47.565489-0400 myapp[6395:781434] HTTP load failed (error code: -1003 [12:8]) for Task <22400F49-B5A9-49D7-BA03-90112160ED25>.<4>
2017-07-03 11:47:47.566685-0400 myapp[6395:781434] Task <22400F49-B5A9-49D7-BA03-90112160ED25>.<4> finished with error - code: -1003
2017-07-03 11:47:48.294099-0400 myapp[6395:781434] TIC TCP Conn Failed [22:0x1c416f600]: 12:8 Err(-65554)
2017-07-03 11:47:48.296635-0400 myapp[6395:780395] HTTP load failed (error code: -1003 [12:8]) for Task <0B3BA1C4-EFE6-4EF0-98F6-37773A30291B>.<0>
2017-07-03 11:47:48.297358-0400 myapp[6395:781227] NSURLConnection finished with error - code -1003
2017-07-03 11:47:48.659088-0400 myapp[6395:781227] TIC TCP Conn Failed [23:0x1c01702c0]: 12:8 Err(-65554)
2017-07-03 11:47:48.661091-0400 myapp[6395:781227] HTTP load failed (error code: -1003 [12:8]) for Task <935A18B0-FDAC-4A9E-ABF0-4A808AE64552>.<5>
2017-07-03 11:47:48.661891-0400 myapp[6395:781433] Task <935A18B0-FDAC-4A9E-ABF0-4A808AE64552>.<5> finished with error - code: -1003
2017-07-03 11:47:49.373349-0400 myapp[6395:780395] TIC TCP Conn Failed [24:0x1c0170680]: 12:8 Err(-65554)
2017-07-03 11:47:49.380477-0400 myapp[6395:781039] HTTP load failed (error code: -1003 [12:8]) for Task <0BAE2A1B-EF5E-463E-BF4E-2CC38144CF52>.<0>
2017-07-03 11:47:49.381320-0400 myapp[6395:781039] NSURLConnection finished with error - code -1003
2017-07-03 11:47:49.794590-0400 myapp[6395:781227] TIC TCP Conn Failed [25:0x1c01702c0]: 12:8 Err(-65554)
2017-07-03 11:47:49.796636-0400 myapp[6395:781227] HTTP load failed (error code: -1003 [12:8]) for Task .<6>
2017-07-03 11:47:49.797086-0400 myapp[6395:781039] Task .<6> finished with error - code: -1003
2017-07-03 11:47:50.404567-0400 myapp[6395:781433] TIC TCP Conn Failed [26:0x1c416e340]: 12:8 Err(-65554)
2017-07-03 11:47:50.405726-0400 myapp[6395:780395] HTTP load failed (error code: -1003 [12:8]) for Task <59812B11-CD3E-4A82-9DD9-01F552530F43>.<0>
2017-07-03 11:47:50.405955-0400 myapp[6395:780395] NSURLConnection finished with error - code -1003
2017-07-03 11:47:50.868221-0400 myapp[6395:781039] TIC TCP Conn Failed [27:0x1c41654c0]: 12:8 Err(-65554)
2017-07-03 11:47:50.869556-0400 myapp[6395:781433] HTTP load failed (error code: -1003 [12:8]) for Task <84208A0D-C120-49C9-8C03-BB153E2E5EB8>.<7>
2017-07-03 11:47:50.870103-0400 myapp[6395:781433] Task <84208A0D-C120-49C9-8C03-BB153E2E5EB8>.<7> finished with error - code: -1003
2017-07-03 11:47:51.530062-0400 myapp[6395:781433] TIC TCP Conn Failed [28:0x1c0164500]: 12:8 Err(-65554)
2017-07-03 11:47:51.532475-0400 myapp[6395:781039] HTTP load failed (error code: -1003 [12:8]) for Task <6B8234C8-BBA4-4A2A-BB62-5C45FEEE21F5>.<0>
2017-07-03 11:47:51.533257-0400 myapp[6395:781039] NSURLConnection finished with error - code -1003

It would be great to be able to get a resolution to this issue. Let me know if there is anything I can try or any additional debug information I can provide.
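
Added example (not part of the original thread and not Particle SDK code): a small Python triage for an Xcode console log like the one quoted above, separating network-level NSURLSession failures such as -1003 (NSURLErrorCannotFindHost) from authentication-level ones before the access token is suspected. Using `configureAP sent` as the phase boundary is an assumption, and the sample lines are constructed in the same format as the log above.

```python
import re
from collections import Counter

# NSURLErrorDomain codes (Foundation constants), grouped by what they point to.
NSURL_ERRORS = {
    -1001: ("NSURLErrorTimedOut", "network"),
    -1003: ("NSURLErrorCannotFindHost", "network"),  # DNS lookup failed
    -1004: ("NSURLErrorCannotConnectToHost", "network"),
    -1009: ("NSURLErrorNotConnectedToInternet", "network"),
    -1012: ("NSURLErrorUserCancelledAuthentication", "auth"),
    -1013: ("NSURLErrorUserAuthenticationRequired", "auth"),
}
LOAD_FAILED = re.compile(r"HTTP load failed \(error code: (-\d+)")
MARKER = "configureAP sent"  # assumption: last soft-AP command before cloud calls

def triage(log_text):
    """Classify HTTP failures logged after the Wi-Fi credentials were sent."""
    after_marker = False
    counts = Counter()
    for line in log_text.splitlines():
        if MARKER in line:
            after_marker = True
            continue
        m = LOAD_FAILED.search(line)
        if after_marker and m:
            counts[NSURL_ERRORS.get(int(m.group(1)), ("unknown", "unknown"))] += 1
    kinds = {kind for _, kind in counts}
    if not counts:
        verdict = "no transport failures; inspect the HTTP status of the cloud response"
    elif kinds == {"network"}:
        verdict = "requests never reached the cloud; check connectivity before the token"
    elif "auth" in kinds:
        verdict = "authentication challenge failed; check the injected token"
    else:
        verdict = "mixed or unknown failures; inspect individually"
    return {"counts": dict(counts), "verdict": verdict}

# Constructed sample, same format as the log quoted above.
SAMPLE = """\
2017-07-03 11:47:39.335176-0400 myapp[1:2] configureAP sent
2017-07-03 11:47:45.380793-0400 myapp[1:2] TIC TCP Conn Failed [17:0x0]: 12:8 Err(-65554)
2017-07-03 11:47:45.382503-0400 myapp[1:2] HTTP load failed (error code: -1003 [12:8]) for Task <T1>.<2>
2017-07-03 11:47:45.383324-0400 myapp[1:2] Task <T1>.<2> finished with error - code: -1003
2017-07-03 11:47:46.070006-0400 myapp[1:2] HTTP load failed (error code: -1003 [12:8]) for Task <T2>.<0>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only the `HTTP load failed` lines are counted, so each failed request is counted once even though the log repeats its error code on a second line.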
