Troubleshooting
Below are some common errors which may occur when an OAuth login flow fails, the conditions that may cause those errors, and possible solutions.
General
The following error conditions are generally applicable across different OAuth integration types or are emitted by the Connect Server API.
OAuth integration <guid> does not support <type> auth flows
where <type> is one of Service Account, Viewer, or Visitor API Key (Connect API).
Cause: The content is associated with an integration which does not support the requested auth type.
Solution: Confirm that the content is associated with the correct integration. If the error persists, you may need to modify the content code to use the correct type of credential request. For a detailed explanation of the different request types, see the Credential exchange section of the admin guide.
- For Service Account credential request usage instructions, see Obtaining a Service Account OAuth access token.
- For Viewer credential request usage instructions, see Obtaining a Viewer OAuth access token.
- For Visitor API Key (Connect API) credential request usage instructions, see Obtaining a Visitor API Key.
Invalid requested_token_type. Expected 'urn:posit:connect:api-key'
Cause: The content is associated with a Visitor API Key (Connect API) integration but a request was made for the wrong type of credential.
Solution: Modify the content code to request an urn:posit:connect:api-key credential. See the Obtaining a Visitor API Key or the Credential exchange sections for additional details.
No refresh token found in response. Refresh tokens are required to update access tokens when they expire. Are you missing the offline_access scope in the OAuth integration configuration?
Cause: Connect did not receive a refresh token in the response from the external OAuth application during the OAuth login.
Solution: Ensure that your Connect OAuth integration’s scopes are configured to request refresh tokens. This is often represented by the offline_access scope. Note that Snowflake uses the refresh_token scope to represent offline access.
If configuring a custom OAuth integration with GitHub, you need to configure a GitHub App rather than an OAuth app. GitHub OAuth apps do not return refresh tokens.
Connect API Error 215: Invalid subject_token
Cause: Connect rejected the subject_token when the content attempted to exchange it for an OAuth access token. There are multiple root causes that can produce this error, but a common scenario is that the subject_token expired.
Solution: The simplest fix is to use a recent version of the Posit SDKs for Python or R. They fetch a fresh subject_token for each credential exchange, which avoids stale-token bugs.
If you cannot use an SDK, the right way to read the token depends on how your content runs:
- Long-running content (interactive apps or APIs that stay alive across requests, either through continual activity or because Min processes is set to 1 or more): read the token from the file referenced by CONNECT_CONTENT_SESSION_TOKEN_FILE on every credential exchange. Do not cache the value in a global that is only populated at startup, and do not read the CONNECT_CONTENT_SESSION_TOKEN environment variable (Connect sets it only once at process start). Connect refreshes the file at the interval set by Applications.ContentSessionTokenRefreshInterval (default: 12 hours).
- Viewer integrations (interactive content where your app fetches the credential within the viewer’s session context): the subject_token is tied to the viewer’s connection. If it goes stale (for example, if the viewer left a browser tab open for a long time), refreshing the browser works because it triggers a new connection, and your app fetches a new token within that connection’s context.
For more information on what constitutes a valid subject_token and the various scenarios that may lead to subject_token rejection, see the Credential Exchange section of the OAuth Integrations Security document.
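The long-running-content case above, as an added example that is not part of the original page or the Posit SDKs: a helper that re-reads the file named by CONNECT_CONTENT_SESSION_TOKEN_FILE on every call, beside the startup-snapshot anti-pattern, with a constructed rewrite of the file standing in for Connect's periodic refresh. The two client classes and simulate_rotation are this example's own names.

```python
import os
import tempfile
from typing import Mapping, Optional

TOKEN_FILE_VAR = "CONNECT_CONTENT_SESSION_TOKEN_FILE"
TOKEN_ENV_VAR = "CONNECT_CONTENT_SESSION_TOKEN"


def read_subject_token(env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Return the current subject_token, re-reading the token file on every call.
    Connect rewrites that file every Applications.ContentSessionTokenRefreshInterval,
    so reading it at exchange time avoids the stale-token cause of API Error 215."""
    path = env.get(TOKEN_FILE_VAR)
    if path and os.path.isfile(path):
        with open(path, "r", encoding="utf-8") as fh:
            token = fh.read().strip()
        if token:
            return token
    # Fallback only: the env var is set once at process start and never refreshed.
    return env.get(TOKEN_ENV_VAR) or None


class StaleTokenClient:
    """Anti-pattern (hypothetical name): snapshot the token once at startup."""
    def __init__(self, env: Mapping[str, str]) -> None:
        self._token = env.get(TOKEN_ENV_VAR)  # never updated after this point

    def subject_token(self) -> Optional[str]:
        return self._token


class FreshTokenClient:
    """Correct pattern (hypothetical name): re-read at each credential exchange."""
    def __init__(self, env: Mapping[str, str]) -> None:
        self._env = env

    def subject_token(self) -> Optional[str]:
        return read_subject_token(self._env)


def simulate_rotation() -> dict:
    """Constructed scenario: Connect writes token-v1, the process starts, then
    Connect refreshes the file to token-v2. Returns what each client would send."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "session-token")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("token-v1\n")
        env = {TOKEN_FILE_VAR: path, TOKEN_ENV_VAR: "token-v1"}  # set once at start
        stale, fresh = StaleTokenClient(env), FreshTokenClient(env)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("token-v2\n")  # Connect's periodic refresh of the file
        return {"stale": stale.subject_token(), "fresh": fresh.subject_token()}
```

Calling simulate_rotation() returns {'stale': 'token-v1', 'fresh': 'token-v2'}: the snapshot client would send the expired token and trigger Error 215, while the file-reading client sends the current one.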
Connect API Error 219: Refresh token is invalid
Cause: The application viewer’s OAuth refresh token may have expired.
Solution: Log out and log in to the OAuth integration through the Access tab in the Content Settings pane. See the OAuth integrations section of the User Guide for additional details. Alternatively, you can manage OAuth sessions through the Connect API.
ClientError: No OAuth integrations have been associated with this content item.
Cause: The publisher has not associated an OAuth integration with their deployed content.
Solution: Associate an OAuth Integration with deployed content. This can be done on the Access tab of the Content Settings pane of the dashboard. For more information, see the Adding OAuth Integrations to Deployed Content section of the User guide.
ClientError: No OAuth session found. Log in to the OAuth Integration before requesting credentials.
Cause: The viewer has not logged into the external OAuth application, so Connect does not have access to their OAuth credentials.
Solution: The user needs to log in to the external OAuth application. When viewing content through the dashboard, they should see a pop-up modal directing them to log in, or a login button in the Access tab of the Content Settings pane. Alternatively, if they are accessing the content in Open Solo mode, they are automatically redirected to the OAuth login flow.
The config key client_secret must not be provided
Cause: This error can occur if a Confidential integration is modified to be Public, but the client secret is not removed from the integration.
Solution: Use the Connect Server API to set the public integration’s client_secret to null.
Azure (Microsoft Entra ID)
The following error conditions are specific to Azure OAuth integrations.
BadRequest: io.jsonwebtoken.security.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
Cause: This error can occur for viewers if the integration is configured with incorrect scopes.
Solution: Update the integration to use the correct scopes. For more information on common scopes needed for Azure OAuth applications, see the Add API permissions section of the Azure OAuth Integrations guide.
AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app <app_guid>.
Cause: This error can occur when a viewer attempts to log in to the OAuth application if the integration’s client secret is misconfigured.
Solution: Update the integration with the correct client secret. This may require coordination with the OAuth application administrator. See the OAuth integration creation section of the Azure OAuth integrations guide for more details.
AADSTS500113: No reply address is registered for the application.
Cause: The external OAuth application does not have a redirect URI configured.
Solution: Update the external OAuth application with a valid redirect URI. This may require coordination with the OAuth application administrator. See the OAuth application registration section of the Azure OAuth integrations guide for more details.
AADSTS50011: The redirect URI '<connect_server>/__oauth__/integrations/callback' specified in the request does not match the redirect URIs configured for the application <application_guid>. Make sure the redirect URI sent in the request matches one added to your application in the Azure portal. Navigate to https://aka.ms/redirectUriMismatchError to learn more about how to fix this.
Cause: The external OAuth application does not have a valid redirect URI configured.
Solution: Update the external OAuth application with a valid redirect URI. This may require coordination with the OAuth application administrator. See the OAuth application registration section of the Azure OAuth integrations guide for more details.
AADSTS7000222: The provided client secret keys for app '<app_guid>' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.
Cause: This error can occur when Connect attempts to refresh a viewer’s OAuth access token if the integration’s client secret is expired.
Solution: Update the integration with the correct client secret. This may require coordination with the OAuth application administrator. See the OAuth integration creation section of the Azure OAuth integrations guide for more details.
Azure (OpenAI)
Not all Azure services require additional role assignments, but resource-intensive or restricted services like Azure OpenAI implement an additional layer of role-based access control.
Viewer integration
Individual users must also be assigned the “Cognitive Services OpenAI User” role by an Azure administrator.
Service account integration
The registered application itself must also be assigned the “Cognitive Services OpenAI User” role by an Azure administrator.
The following error conditions are specific to Azure OpenAI OAuth integrations.
The principal <viewer> lacks the required data action Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action to perform POST /openai/deployments/{deployment-id}/chat/completions operation
Cause: In the context of a viewer OAuth integration, a particular viewer has not been assigned the Cognitive Services OpenAI User role by an Azure administrator.
Solution: An Azure administrator must assign the Cognitive Services OpenAI User role to the viewer.
The principal <app_guid> lacks the required data action Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action to perform POST /openai/deployments/{deployment-id}/chat/completions operation
Cause: In the context of a service account OAuth integration, the application guid has not been assigned the Cognitive Services OpenAI User role by an Azure administrator.
Solution: An Azure administrator must assign the Cognitive Services OpenAI User role to the application.
Snowflake
The following error conditions are specific to Snowflake OAuth integrations.
Error occurred in authorization: There is a mismatch in the given redirect uri with the one in the registered OAuth client integration.
Cause: The external OAuth application does not have a valid redirect URI configured.
Solution: Update the external OAuth application with a valid redirect URI. This may require coordination with the OAuth application administrator. See the OAuth application registration section of the Snowflake OAuth integrations guide for more details.
ProgrammingError: 251001: Account must be specified
Cause: The Snowflake Python Connector requires the Snowflake account name to be configured. The Snowflake account name should be passed into the connect function when the connection is initialized:
```python
import snowflake.connector

# The account name must be supplied explicitly; the remaining arguments are elided here.
con = snowflake.connector.connect( account="<account_name>", ... )
```
Certain Snowflake roles are blocked from logging in via OAuth integrations by default. See the Snowflake documentation for more details on which roles are included in its BLOCKED_ROLES_LIST. If you attempt to test the OAuth Integration within Connect using a Snowflake user with one of those roles, they will receive "Invalid consent request." as a response and be unable to log in.
If publishers experience problems connecting to Snowflake while using the Snowflake OAuth Integration, they may want to check that the account name passed to the Snowflake client conforms to the expected format. For example, while Snowflake uses _ when creating and querying account names, some clients expect - instead, similar to the format used when navigating to the Snowflake console (e.g. my_account versus my-account).
Vertex AI
Billing must also be enabled for the project in order for the Vertex AI API to be used, as this service incurs charges based on usage. For more information on managing the billing status of a project, visit the Google Cloud Billing Guide.
Custom (Keycloak)
The following error conditions have been observed for Custom OAuth integrations which target an OAuth application configured in Keycloak.
unauthorized_client: Invalid client or Invalid client credentials
Cause: This error can occur when a viewer attempts to log in to the external OAuth application if the integration’s client secret is misconfigured.
Solution: Update the integration with the correct client secret. This may require coordination with the OAuth application administrator. See the OAuth integration creation section of the Custom OAuth integrations guide for more details.
400 Bad Request: Invalid client or Invalid client credentials
Cause: This error can occur when Connect attempts to refresh a viewer’s OAuth access token if the integration’s client secret is misconfigured.
Solution: Update the integration with the correct client secret. This may require coordination with the OAuth application administrator. See the OAuth integration creation section of the Custom OAuth integrations guide for more details.