Token exchange refused

Hello,

I have installed the stack v3.7.0 on an Ubuntu server using the official procedure: https://thethingsstack.io/v3.7.0/guides/getting-started/

When I try to log in, I get this message:

On the console at the same time:

stack_1      |   INFO Request handled                          duration=36.717µs location=/console method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X8HK9ZY18F5DFSSS3Q8C4 response_size=0 status=302 url=/
stack_1      |   INFO Request handled                          duration=1.075611ms method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X8HKG1M7C9YWHHDNV1JBR response_size=1949 status=200 url=/console
stack_1      |   INFO Request handled                          duration=25.868675ms method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X8J9701P0TGGMZNEB6T4Z response_size=253 status=401 url=/console/api/auth/token
stack_1      |   INFO Request handled                          duration=1.514713ms method=POST namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X8JCXYSJPYEVQKRGGGM0X response_size=253 status=401 url=/console/api/auth/logout
stack_1      |   INFO Request handled                          duration=163.897µs location=/oauth/authorize?client_id=console&redirect_uri=%2Fconsole%2Foauth%2Fcallback&response_type=code&state=n0GSRA3Ct6G3AoYh method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X8PXMKT0NCDYVW7YYXRH5 response_size=0 status=302 url=/console/login/ttn-stack
stack_1      |   INFO Request handled                          duration=81.944µs location=/oauth/login?n=%2Foauth%2Fauthorize%3Fclient_id%3Dconsole%26redirect_uri%3D%252Fconsole%252Foauth%252Fcallback%26response_type%3Dcode%26state%3Dn0GSRA3Ct6G3AoYh method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X8PXT37JNFYVEZWKXGTK3 response_size=0 status=302 url=/oauth/authorize?client_id=console&redirect_uri=%2Fconsole%2Foauth%2Fcallback&response_type=code&state=n0GSRA3Ct6G3AoYh
stack_1      |   INFO Request handled                          duration=996.216µs method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X8PY0EJBKB3BMXT8YMGTB response_size=1364 status=200 url=/oauth/login?n=%2Foauth%2Fauthorize%3Fclient_id%3Dconsole%26redirect_uri%3D%252Fconsole%252Foauth%252Fcallback%26response_type%3Dcode%26state%3Dn0GSRA3Ct6G3AoYh
stack_1      |   INFO Request handled                          duration=476.605µs method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X8Q7K68YPDETADE86SSEV response_size=248 status=401 url=/oauth/api/me
stack_1      |   INFO Request handled                          duration=150.238655ms method=POST namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X93GV6R0X1RQAHQ7RCR27 response_size=0 status=204 url=/oauth/api/auth/login
stack_1      |   INFO Request handled                          duration=135.322362ms location=/console/oauth/callback?code=MF2XI.KL2OEOXOFGCRROMX5RRF4KMMMVJP45FTEJG7Y6Q.EV2ODKI7QN3Q5OXUBK2J24IWX45RZ53QCVGCGPWBIAE5KRSWB3BA&state=n0GSRA3Ct6G3AoYh method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X93NX8M8VMKE7XT57TFD0 response_size=0 status=302 url=/oauth/authorize?client_id=console&redirect_uri=%2Fconsole%2Foauth%2Fcallback&response_type=code&state=n0GSRA3Ct6G3AoYh
stack_1      |   WARN error=unauthorized_client, internal_error=<nil> get_client=client check failed, client_id=console namespace=identityserver
stack_1      |   WARN OAuth error                              error=error:pkg/oauth:unauthorized_client (client is not authorized to request a token using this method) method=POST namespace=web remote_addr=127.0.0.1:45806 request_id=01E61X93V6PXCKD7MGQQ2D0YCW url=/oauth/token
stack_1      |   INFO Request handled                          duration=58.680414ms method=POST namespace=web remote_addr=127.0.0.1:45806 request_id=01E61X93V6PXCKD7MGQQ2D0YCW response_size=338 status=403 url=/oauth/token
stack_1      |   INFO Request handled                          duration=84.374535ms method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X93TGKQGS0KQAXD1NZWVC response_size=2387 status=403 url=/console/oauth/callback?code=MF2XI.KL2OEOXOFGCRROMX5RRF4KMMMVJP45FTEJG7Y6Q.EV2ODKI7QN3Q5OXUBK2J24IWX45RZ53QCVGCGPWBIAE5KRSWB3BA&state=n0GSRA3Ct6G3AoYh
stack_1      |   INFO Request handled                          duration=426.282µs method=GET namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X94MD86QBT9TKGGD21W5D response_size=253 status=401 url=/console/api/auth/token
stack_1      |   INFO Request handled                          duration=507.591µs method=POST namespace=web remote_addr=192.168.1.53:22769 request_id=01E61X94P5EG1PSY99WS59HKM2 response_size=253 status=401 url=/console/api/auth/logout

Could anybody help me please?

I have run the stack with the config parameter:
sudo docker-compose run --rm stack config
All URLs are http://localhost:1885…, but my server is not on the local computer.

How could I change these URLs?

demo@ubuntu1910:~/lorawan-stack$ sudo docker-compose run --rm stack config
Starting lorawan-stack_cockroach_1 ... done
Starting lorawan-stack_redis_1     ... done
                                           --as.device-kek-label=""
                                        --as.interop.blob.bucket=""
                                          --as.interop.blob.path=""
                                      --as.interop.config-source=""
                                          --as.interop.directory=""
                                                 --as.interop.id=""
                                                --as.interop.url=""
                                                  --as.link-mode="all"
                                                --as.mqtt.listen=":1883"
                                            --as.mqtt.listen-tls=":8883"
                                        --as.mqtt.public-address="localhost:1883"
                                    --as.mqtt.public-tls-address="localhost:8883"
                           --as.webhooks.downlink.public-address="http://localhost:1885/api/v3"
                       --as.webhooks.downlink.public-tls-address=""
                                        --as.webhooks.queue-size="16"
                                            --as.webhooks.target="direct"
                               --as.webhooks.templates.directory=""
                           --as.webhooks.templates.logo-base-url=""
                                     --as.webhooks.templates.url=""
                                           --as.webhooks.timeout="5s"
                                           --as.webhooks.workers="16"
                                        --blob.aws.access-key-id=""
                                             --blob.aws.endpoint=""
                                               --blob.aws.region=""
                                    --blob.aws.secret-access-key=""
                                        --blob.aws.session-token=""
                                          --blob.gcp.credentials=""
                                     --blob.gcp.credentials-file=""
                                          --blob.local.directory="/srv/ttn-lorawan/public/blob"
                                                 --blob.provider="local"
                                           --cache.redis.address=""
                                          --cache.redis.database="0"
                                --cache.redis.failover.addresses=""
                                   --cache.redis.failover.enable="false"
                              --cache.redis.failover.master-name=""
                                         --cache.redis.namespace=""
                                          --cache.redis.password=""
                                         --cache.redis.pool-size="0"
                                                 --cache.service=""
                                               --cluster.address=""
                                    --cluster.application-server=""
                                         --cluster.crypto-server=""
                                        --cluster.gateway-server=""
                                       --cluster.identity-server=""
                                                  --cluster.join=""
                                           --cluster.join-server=""
                                                  --cluster.keys=""
                                                  --cluster.name=""
                                        --cluster.network-server=""
                                                   --cluster.tls="false"
                                                        --config="/config/ttn-lw-stack.yml"
                                                 --console.mount=""
                                   --console.oauth.authorize-url="http://localhost:1885/oauth/authorize"
                                       --console.oauth.client-id="console"
                                   --console.oauth.client-secret="console"
                                       --console.oauth.token-url="http://localhost:1885/oauth/token"
                                        --console.ui.as.base-url="http://localhost:1885/api/v3"
                                         --console.ui.as.enabled="true"
                                    --console.ui.assets-base-url="/assets"
                                  --console.ui.branding-base-url=""
                                      --console.ui.canonical-url="http://localhost:1885/console"
                                           --console.ui.css-file="console.css"
                                       --console.ui.descriptions=""
                                      --console.ui.edtc.base-url="http://localhost:1885/api/v3"
                                       --console.ui.edtc.enabled="true"
                                        --console.ui.gs.base-url="http://localhost:1885/api/v3"
                                         --console.ui.gs.enabled="true"
                                        --console.ui.icon-prefix="console-"
                                        --console.ui.is.base-url="http://localhost:1885/api/v3"
                                         --console.ui.is.enabled="true"
                                            --console.ui.js-file="console.js"
                                        --console.ui.js.base-url="http://localhost:1885/api/v3"
                                         --console.ui.js.enabled="true"
                                           --console.ui.language="en"
                                        --console.ui.ns.base-url="http://localhost:1885/api/v3"
                                         --console.ui.ns.enabled="true"
                                       --console.ui.qrg.base-url="http://localhost:1885/api/v3"
                                        --console.ui.qrg.enabled="true"
                                          --console.ui.site-name="The Things Stack for LoRaWAN"
                                          --console.ui.sub-title="Management platform for The Things Stack for LoRaWAN"
                                       --console.ui.support-link=""
                                        --console.ui.theme-color=""
                                              --console.ui.title="Console"
                                 --device-repository.blob.bucket=""
                                   --device-repository.blob.path=""
                               --device-repository.config-source=""
                                   --device-repository.directory=""
                                         --device-repository.url=""
                                                   --dtc.enabled=""
                                                --events.backend="internal"
                                      --events.cloud.publish-url=""
                                    --events.cloud.subscribe-url=""
                                          --events.redis.address=""
                                         --events.redis.database="0"
                               --events.redis.failover.addresses=""
                                  --events.redis.failover.enable="false"
                             --events.redis.failover.master-name=""
                                        --events.redis.namespace=""
                                         --events.redis.password=""
                                        --events.redis.pool-size="0"
                                   --frequency-plans.blob.bucket=""
                                     --frequency-plans.blob.path=""
                                 --frequency-plans.config-source=""
                                     --frequency-plans.directory=""
                                           --frequency-plans.url="https://raw.githubusercontent.com/TheThingsNetwork/lorawan-frequency-plans/master"
                       --gcs.basic-station.allow-cups-uri-update="false"
                             --gcs.basic-station.default.lns-uri="wss://localhost:8887"
              --gcs.basic-station.owner-for-unknown.account-type=""
                   --gcs.basic-station.owner-for-unknown.api-key=""
                        --gcs.basic-station.owner-for-unknown.id=""
                     --gcs.basic-station.require-explicit-enable="false"
                                              --gcs.require-auth="true"
                   --gcs.the-things-gateway.default.firmware-url="https://thethingsproducts.blob.core.windows.net/the-things-gateway/v1"
                    --gcs.the-things-gateway.default.mqtt-server="mqtts://localhost:8881"
                 --gcs.the-things-gateway.default.update-channel="stable"
                           --grpc.allow-insecure-for-credentials="false"
                                                   --grpc.listen=":1884"
                                               --grpc.listen-tls=":8884"
                   --gs.basic-station.fallback-frequency-plan-id=""
                                       --gs.basic-station.listen=":1887"
                                   --gs.basic-station.listen-tls=":8887"
                      --gs.basic-station.use-traffic-tls-address="false"
                             --gs.basic-station.ws-ping-interval="30s"
                                                    --gs.forward="=00000000/0"
                                             --gs.mqtt-v2.listen=":1881"
                                         --gs.mqtt-v2.listen-tls=":8881"
                                     --gs.mqtt-v2.public-address="localhost:1881"
                                 --gs.mqtt-v2.public-tls-address="localhost:8881"
                                                --gs.mqtt.listen=":1882"
                                            --gs.mqtt.listen-tls=":8882"
                                        --gs.mqtt.public-address="localhost:1882"
                                    --gs.mqtt.public-tls-address="localhost:8882"
                                --gs.require-registered-gateways="false"
                                      --gs.udp.addr-change-block="1m0s"
                                     --gs.udp.connection-expires="1m0s"
                                  --gs.udp.downlink-path-expires="15s"
                                              --gs.udp.listeners=":1700="
                                          --gs.udp.packet-buffer="50"
                                        --gs.udp.packet-handlers="16"
                                   --gs.udp.rate-limiting.enable="true"
                                 --gs.udp.rate-limiting.messages="10"
                                --gs.udp.rate-limiting.threshold="10ms"
                                     --gs.udp.schedule-late-time="800ms"
                      --gs.update-connection-stats-debounce-time="3s"
                      --gs.update-gateway-location-debounce-time="1h0m0s"
                                         --http.cookie.block-key=""
                                          --http.cookie.hash-key=""
                                            --http.health.enable="true"
                                          --http.health.password=""
                                                   --http.listen=":1885"
                                               --http.listen-tls=":8885"
                                           --http.metrics.enable="true"
                                         --http.metrics.password=""
                                             --http.pprof.enable="true"
                                           --http.pprof.password=""
                                         --http.redirect-to-host=""
                                          --http.redirect-to-tls="false"
                                             --http.static.mount="/assets"
                                       --http.static.search-path="public,/srv/ttn-lorawan/public"
                                            --interop.listen-tls=":8886"
                          --interop.sender-client-ca.blob.bucket=""
                            --interop.sender-client-ca.blob.path=""
                            --interop.sender-client-ca.directory=""
                               --interop.sender-client-ca.source=""
                                  --interop.sender-client-ca.url=""
                                     --interop.sender-client-cas=""
                                  --is.auth-cache.membership-ttl="10m0s"
                                               --is.database-uri="postgres://root@cockroach:26257/ttn_lorawan?sslmode=disable"
                                  --is.email.network.console-url="http://localhost:1885/console"
                          --is.email.network.identity-server-url="http://localhost:1885/oauth"
                                         --is.email.network.name="The Things Stack for LoRaWAN"
                                             --is.email.provider=""
                                       --is.email.sender-address=""
                                          --is.email.sender-name=""
                                     --is.email.sendgrid.api-key=""
                                     --is.email.sendgrid.sandbox="false"
                                         --is.email.smtp.address=""
                                     --is.email.smtp.connections="0"
                                        --is.email.smtp.password=""
                                        --is.email.smtp.username=""
                                --is.email.templates.blob.bucket=""
                                  --is.email.templates.blob.path=""
                                  --is.email.templates.directory=""
                                   --is.email.templates.includes=""
                                     --is.email.templates.source=""
                                        --is.email.templates.url=""
                                  --is.end-device-picture.bucket="end_device_pictures"
                              --is.end-device-picture.bucket-url="/assets/blob/end_device_pictures"
                                                --is.oauth.mount=""
                                   --is.oauth.ui.assets-base-url="/assets"
                                 --is.oauth.ui.branding-base-url=""
                                     --is.oauth.ui.canonical-url="http://localhost:1885/oauth"
                                          --is.oauth.ui.css-file="oauth.css"
                                      --is.oauth.ui.descriptions=""
                                       --is.oauth.ui.icon-prefix="oauth-"
                                       --is.oauth.ui.is.base-url="http://localhost:1885/api/v3"
                                        --is.oauth.ui.is.enabled="true"
                                           --is.oauth.ui.js-file="oauth.js"
                                          --is.oauth.ui.language="en"
                                         --is.oauth.ui.site-name="The Things Stack for LoRaWAN"
                                         --is.oauth.ui.sub-title=""
                                       --is.oauth.ui.theme-color=""
                                             --is.oauth.ui.title=""
                                     --is.profile-picture.bucket="profile_pictures"
                                 --is.profile-picture.bucket-url="/assets/blob/profile_pictures"
                               --is.profile-picture.use-gravatar="true"
                  --is.user-registration.admin-approval.required="false"
         --is.user-registration.contact-info-validation.required="false"
                      --is.user-registration.invitation.required="false"
                     --is.user-registration.invitation.token-ttl="168h0m0s"
         --is.user-registration.password-requirements.max-length="1000"
         --is.user-registration.password-requirements.min-digits="1"
         --is.user-registration.password-requirements.min-length="8"
        --is.user-registration.password-requirements.min-special="0"
      --is.user-registration.password-requirements.min-uppercase="1"
                                           --js.device-kek-label=""
                                            --js.join-eui-prefix="0000000000000000/0"
                                            --key-vault.provider="static"
                                              --key-vault.static=""
                                                     --log.level="info"
                                            --ns.cooldown-window="1s"
                                       --ns.deduplication-window="200ms"
                            --ns.default-mac-settings.adr-margin="15"
                       --ns.default-mac-settings.class-b-timeout="1m0s"
                       --ns.default-mac-settings.class-c-timeout="5m0s"
                     --ns.default-mac-settings.desired-rx1-delay="5"
              --ns.default-mac-settings.status-count-periodicity="200"
               --ns.default-mac-settings.status-time-periodicity="24h0m0s"
                                          --ns.dev-addr-prefixes=""
                                           --ns.device-kek-label=""
                            --ns.downlink-priorities.join-accept="highest"
                           --ns.downlink-priorities.mac-commands="highest"
               --ns.downlink-priorities.max-application-downlink="high"
                                        --ns.interop.blob.bucket=""
                                          --ns.interop.blob.path=""
                                      --ns.interop.config-source=""
                                          --ns.interop.directory=""
                                                --ns.interop.url=""
                                                     --ns.net-id="000000"
                                                 --redis.address="redis:6379"
                                                --redis.database="0"
                                      --redis.failover.addresses=""
                                         --redis.failover.enable="false"
                                    --redis.failover.master-name=""
                                               --redis.namespace="ttn,v3"
                                                --redis.password=""
                                               --redis.pool-size="0"
                                                    --rights.ttl="2m0s"
                                                    --sentry.dsn=""
                                         --tls.acme.default-host=""
                                                  --tls.acme.dir=""
                                                --tls.acme.email=""
                                               --tls.acme.enable="false"
                                             --tls.acme.endpoint="https://acme-v02.api.letsencrypt.org/directory"
                                                --tls.acme.hosts=""
                                               --tls.certificate="/run/secrets/cert.pem"
                                      --tls.insecure-skip-verify="false"
                                                       --tls.key="/run/secrets/key.pem"
                                              --tls.key-vault.id=""
                                                   --tls.root-ca="/run/secrets/cert.pem"
                                                    --tls.source="file"

Hi @bq1,

I edited your posts to improve the formatting of the code blocks.

You can use environment variables or config files. See the documentation for details: https://thethingsstack.io/v3.7.0/reference/configuration/

This is likely also what’s causing the issue in the OAuth token exchange. The token exchange validates that the redirect URI parameter of the exchange request matches the redirect URI parameter of the authorize request. If your deployment is misconfigured that might not be the case.
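The check described above, as an added example that is not The Things Stack's own code: a toy Go authorization server binds each code to the client_id and redirect_uri of the authorize request and refuses the token exchange when either differs, so a console whose canonical URL still says localhost presents a different absolute redirect URI than the one a remote browser used. How the stack itself derives the absolute redirect URI on each side is an assumption of this model, and the 192.168.1.10 server address is constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"net/url"
)

// ErrUnauthorizedClient is the error family the thread's log shows for a
// failed client check at /oauth/token.
var ErrUnauthorizedClient = errors.New("unauthorized_client")

// grant is what the authorize endpoint remembers about an issued code.
type grant struct{ clientID, redirectURI string }

// AuthServer is a tiny model of an OAuth authorization server (an added
// illustration, not The Things Stack's identity server). Not goroutine-safe.
type AuthServer struct{ grants map[string]grant }

func NewAuthServer() *AuthServer { return &AuthServer{grants: map[string]grant{}} }

// ResolveRedirect makes a possibly relative redirect_uri (the log shows
// "/console/oauth/callback") absolute against a configured base such as
// console.ui.canonical-url. Different bases give different absolute URIs.
func ResolveRedirect(baseURL, redirectURI string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	ref, err := url.Parse(redirectURI)
	if err != nil {
		return "", err
	}
	return base.ResolveReference(ref).String(), nil
}

// Authorize issues a random single-use code bound to client and redirect URI.
func (s *AuthServer) Authorize(clientID, redirectURI string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	code := hex.EncodeToString(buf)
	s.grants[code] = grant{clientID, redirectURI}
	return code, nil
}

// Exchange is the check htdvisser describes: client_id and redirect_uri at the
// token endpoint must equal those recorded at authorize time. The code is
// deleted on first use whether or not the check passes, so it cannot be replayed.
func (s *AuthServer) Exchange(clientID, code, redirectURI string) (string, error) {
	g, ok := s.grants[code]
	delete(s.grants, code)
	if !ok || g.clientID != clientID || g.redirectURI != redirectURI {
		return "", ErrUnauthorizedClient
	}
	return "access-token-for-" + clientID, nil
}

// must is for the constructed, known-good URLs in Scenario only.
func must(s string, err error) string {
	if err != nil {
		panic(err)
	}
	return s
}

// Scenario replays the thread with constructed addresses under an assumed
// model: the authorize side resolves the relative redirect_uri against the
// address the browser used, the console backend against its configured
// canonical URL. It reports whether the token endpoint accepts the exchange.
func Scenario(browserBaseURL, consoleCanonicalURL string) bool {
	s := NewAuthServer()
	code := must(s.Authorize("console", must(ResolveRedirect(browserBaseURL, "/console/oauth/callback"))))
	_, err := s.Exchange("console", code, must(ResolveRedirect(consoleCanonicalURL, "/console/oauth/callback")))
	return err == nil
}
```

Scenario("http://192.168.1.10:1885", "http://localhost:1885/console") is the remote-browser case and is refused; changing the canonical URL to the address the browser uses makes the two redirect URIs equal and the exchange succeeds.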

Thank you htdvisser,
Using the server and browser on the same machine, it works with localhost!

But when I use a browser from another machine, it does not work!!!

I have tried to modify some TTN_LW_xxx constants in docker-compose.yml but it does not work!
I get this error: “Token exchange refused”

  TTN_LW_CONSOLE_OAUTH_AUTHORIZE_URL: /oauth/authorize
  TTN_LW_CONSOLE_OAUTH_TOKEN_URL: /oauth/token
  TTN_LW_CONSOLE_UI_CANONICAL_URL: /console

Might be a duplicate of https://github.com/TheThingsNetwork/lorawan-stack/issues/2353, please subscribe there.

This topic was automatically closed after 30 days. New replies are no longer allowed.