OAuth 2.0 Connection

Hi,

I am in the process of trying to connect my Bank to Foundry.

1 - What I have done so far is set up my Outbound Application. In here I have provided the OAuth 2.0 Server connection details, which are the base Monzo URL (https://auth.monzo.com) and the Token Endpoint URL (https://api.monzo.com/oauth2/token), and provided an egress policy to allow them to connect to Monzo.

I have then configured my OAuth 2.0 Connection details; this includes the Client_ID and Client_Secret I got from the Monzo Developer Portal I set up. I also included a Scope, which is:
‘third_party_developer_app.pre_verification’ (I will speak about this later).

3 - I then have set up a REST API data source to connect to Monzo Base URL, and set up Authorisation using my Outbound Application.

4 - I then created a webhook for the URL ‘https://api.monzo.com/accounts’. And my output is just the whole response as a string. And no input parameters are needed for this.

What I believe to be happening is, the OAuth sends a request to Monzo for an Authorisation Code, which it returns. It then uses that code with the Token URL to retrieve a token. This token is then used in my webhook.

Thus when my webhook is called, it retrieves this token and then sends it to Monzo alongside my GET Request. In essence the outbound application Foundry created is doing the token/code handshake for me, meaning I don’t have to manually do all this myself.

The issue I have is when I run it, I run it once and authenticate. And then I rerun it like I am told, but I retrieve this error:

“Access forbidden due to insufficient permissions”

I believe this is due to the scoping issue, as in the scoping I need to have not just the Pre_Verification scope but also the ‘accounts:read’ scope. This is important to give me permissions to do this.

So I change my Scope in my outbound application to the below:

BEFORE: ‘third_party_developer_app.pre_verification’
AFTER: ‘third_party_developer_app.pre_verification, accounts:read’

I then save and reset it and retry authentication; however, I retrieve this error in the picture:

Thus it is only granting me one thing, even though in my authentication outbound request I am asking for multiple. I’m not sure if my logic is wrong along the way, causing me to miss something. For example, in the Docs it mentions creating 2 webhooks to do the handshake, but I’m confident I don’t need to do that and can just use the authentication I set up. The only issue being the scoping, which I can’t seem to fix.

Please let me know if you have any suggestions

Kind Regards
Sam

1 Like

There should be a setting in the outbound application configuration to ignore the returned scopes. Did you try that?
The OAuth2 spec is not strict on this; we ran into this issue while connecting from Foundry to Foundry, and Multipass also does not return all scopes in the token call.

EDIT: Never mind, I checked and this relaxed flag does not exist in the outbound application's settings.
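
The returned-scope comparison discussed in this reply, as an added example that is not part of the original thread and not Foundry's code. It follows RFC 6749 sections 3.3 and 5.1 (scopes are space-delimited; a token response may omit `scope` when it equals the request). The function names and the strict/relaxed policy switch are assumptions for illustration, and the sample values are constructed from the scope names in the question.

```typescript
// Added example: client-side evaluation of the `scope` field in an OAuth 2.0
// token response (RFC 6749, sections 3.3 and 5.1). All names are hypothetical.

type ScopePolicy = "strict" | "relaxed";

interface ScopeCheck {
    granted: string[];  // scopes the client should treat as granted
    missing: string[];  // requested scopes the server did not grant
    accepted: boolean;  // whether the client proceeds under the policy
}

// Section 3.3: scope is a list of space-delimited, case-sensitive strings.
function parseScope(value: string): string[] {
    return value.split(" ").filter((s) => s.length > 0);
}

function checkGrantedScopes(
    requested: string,
    responseScope: string | undefined,
    policy: ScopePolicy,
): ScopeCheck {
    const wanted = parseScope(requested);
    // Section 5.1: `scope` is optional when identical to the request, so an
    // absent field means everything requested was granted.
    const granted = responseScope === undefined ? wanted : parseScope(responseScope);
    const missing = wanted.filter((s) => granted.indexOf(s) === -1);
    // strict: any missing scope rejects the token up front.
    // relaxed: keep the token and let the resource server answer 403 later.
    const accepted = policy === "relaxed" || missing.length === 0;
    return { granted, missing, accepted };
}

// Constructed sample values, using the scope names from the question.
const REQUESTED = "third_party_developer_app.pre_verification accounts:read";
const PARTIAL = "third_party_developer_app.pre_verification";

const strictResult = checkGrantedScopes(REQUESTED, PARTIAL, "strict");
const relaxedResult = checkGrantedScopes(REQUESTED, PARTIAL, "relaxed");
const omittedResult = checkGrantedScopes(REQUESTED, undefined, "strict");
// A comma is not a separator under section 3.3: it stays attached to the
// first token, which then no longer matches the scope name.
const commaTokens = parseScope("third_party_developer_app.pre_verification, accounts:read");
```
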

Ye, I can’t leave the scope empty either.

Any other suggestions?

Hi,

I have recently moved away to using a different provider to get my data. However I am now facing a different issue.

I have correctly set up my outbound application, so it would redirect the user to the authorisation URL. Foundry will then do the token dance to get an access token, which I can use downstream to call certain requests. I have done this locally. The issue is when I test my webhook, which is an Accounts API, it correctly asks me to authorise. I do this, and then it should do the token dance and return an access token to then use for the Accounts request. However, instead I get this error. I am not sure how to fix it.

Due to this I tried to do this token dance myself in a function. I locally did the authorisation code and tried to use this input and get the access token. However, I ran into an error. I believe these errors are similar and have the same underlying issue, but I am not sure what it is, as I can get it working locally, just not in Foundry.

import { Function } from "@foundry/functions-api";

// Class wrapper added so the method is complete; the class name is a placeholder.
export class MyFunctions {
    @Function()
    public async handleOAuthCallback(): Promise<string> {
        // After the user authorizes and is redirected back to the Foundry callback URL, the 'code' parameter is passed here
        const tokenUrl = "https://auth.truelayer.com/oauth/token"; // The token exchange URL
        const clientId = "foundrybanking-7ef81d";
        const clientSecret = "REDACTED"; // redacted in the post; was an undefined identifier
        const redirectUri = "https://[REDACTED Foundry URL]/workspace/oauth2-clients/callback";
        const code = "REDACTED"; // authorization code obtained locally and pasted in
        const body = new URLSearchParams({
            code: code,
            client_id: clientId,
            client_secret: clientSecret,
            redirect_uri: redirectUri,
            grant_type: "authorization_code",
        });

        // This fetch call is where the error shown below is raised.
        const response = await fetch(tokenUrl, {
            method: "POST",
            body,
            headers: {
                "Content-Type": "application/x-www-form-urlencoded",
            },
        });

        const responseData = await response.json();

        if (responseData.access_token) {
            // Note: this writes the access token itself to the function logs.
            console.log("Access token received:", responseData.access_token);
            // You can now use this token to make authorized API calls to TrueLayer.
        } else {
            console.log("Failed to get access token:", responseData);
        }

        return "hey";
    }
}

And the Error message is:

{
 "errorCode": "INTERNAL",
 "errorInstanceId": "986a924d-1b0a-48d3-aa87-c82b6bfd385b",
 "errorName": "FunctionExecution:ExecutionSystemException",
 "parameters": {
  "message": "Proxy token not provided to source connections.",
  "stacktrace": "SafeError: Proxy token not provided to source connections.\n{Redacted stacktrace: see unsafe logs}",
  "parameters": "{\"throwable0_stacktrace\":\"SafeError: Proxy token not provided to source connections.\\n    at SafeIllegalStateError.SafeError [as constructor] (/scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/@foundry/witchcraft-logging-api/dist/args/safeError.js:21:28)\\n    at new SafeIllegalStateError (/scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/@foundry/functions-typescript-errors-api/dist/SafeIllegalStateError.js:13:47)\\n    at SourceAwareProxyFetch.getProxyDetails (/scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/@foundry/functions-typescript-runtime-lib/dist/services/SourceAwareProxyFetch.js:42:19)\\n    at SourceAwareProxyFetch.fetchInternal (/scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/@foundry/functions-typescript-runtime-lib/dist/services/SourceAwareProxyFetch.js:28:49)\\n    at RuntimeAwareFetch.fetchFunctionsRuntime (/scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/@foundry/functions-typescript-runtime-lib/dist/services/RuntimeAwareFetch.js:38:27)\\n    at RuntimeAwareFetch.fetchInternal (/scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/@foundry/functions-typescript-runtime-lib/dist/services/RuntimeAwareFetch.js:26:25)\\n    at /scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/@foundry/functions-typescript-runtime-lib/dist/isolate/Isolate.js:428:24\\n    at /scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/@foundry/witchcraft-logging/dist/trace/Tracer.js:110:29\\n    at /scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/cls-hooked/context.js:118:13\\n    at Namespace.run (/scratch/asset-install/1117394b42c465d035cde26f008c0cac/node_modules/cls-hooked/context.js:97:5)\"}"
 }
}

Please let me know if you have any ideas what the issue is. I know the authorisation is correct. But something is failing so it can’t get the token, or it gets the token but errors after when trying to return to Foundry.

Kind Regards
Sam
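
The function in the post above prints the token endpoint's response with console.log, access token included. As an added example (not from the original post and not Foundry's code), this classifies a token response per RFC 6749 sections 5.1 and 5.2 and builds a log line that carries only metadata. The function names are assumptions and the sample bodies are constructed.

```typescript
// Added example: classify an OAuth 2.0 token endpoint response and build a
// log-safe summary. Names are hypothetical; sample bodies are constructed.

type TokenOutcome =
    | { ok: true; tokenType: string; expiresIn: number | null; hasRefreshToken: boolean }
    | { ok: false; error: string; description: string | null };

function classifyTokenResponse(status: number, body: unknown): TokenOutcome {
    // A proxy or gateway may answer with non-JSON; treat that as an empty object.
    const fields: Record<string, unknown> =
        typeof body === "object" && body !== null ? (body as Record<string, unknown>) : {};
    const token = fields["access_token"];
    if (status === 200 && typeof token === "string" && token.length > 0) {
        const type = fields["token_type"];
        const ttl = fields["expires_in"];
        return {
            ok: true,
            tokenType: typeof type === "string" ? type : "unknown",
            expiresIn: typeof ttl === "number" ? ttl : null,
            hasRefreshToken: typeof fields["refresh_token"] === "string",
        };
    }
    // Section 5.2: failures carry `error` and optionally `error_description`.
    const err = fields["error"];
    const desc = fields["error_description"];
    return {
        ok: false,
        error: typeof err === "string" ? err : `http_${status}`,
        description: typeof desc === "string" ? desc : null,
    };
}

// Only metadata reaches the log, never the access or refresh token value.
function logLine(outcome: TokenOutcome): string {
    return outcome.ok
        ? `token ok type=${outcome.tokenType} expires_in=${outcome.expiresIn} refresh=${outcome.hasRefreshToken}`
        : `token failed error=${outcome.error} description=${outcome.description ?? "none"}`;
}

const SAMPLE_OK = { access_token: "constructed-secret-value", token_type: "Bearer", expires_in: 3600 };
const SAMPLE_ERR = { error: "invalid_grant", error_description: "code already used" };
const okLine = logLine(classifyTokenResponse(200, SAMPLE_OK));
const errLine = logLine(classifyTokenResponse(400, SAMPLE_ERR));
```
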