Error connecting to AAA STS for RDP access - username correct but suspecting URL migration from TR to Refinitiv is the cause

Question

question

Nick.Straatsma

1 ●0 ●0 ●1

Error connecting to AAA STS for RDP access - username correct but suspecting URL migration from TR to Refinitiv is the cause

Hi

We are integrating with AAA retrieving the STS token for access to RDP streaming pricing. Until recently we have been successfully authenticating from the existing Thomson Reuters URL https://sts.login.cp.thomsonreuters.net/

Two weeks ago we tried to connect a new users on production with AAA. However when they use the above URL they get an error

2021-08-05 13:12:17.970 DEBUG SerializableWebMessageBase: {"BaseUri":https://sts.login.cp.thomsonreuters.net/,"ClientId":"*******","ClientSecret":"*****","RequestID":"1","HttpStatus":200,"UseJsonSerialization":true} Subject: SerializableAAAClient

2021-08-05 13:12:20.681 DEBUG {"error": "access_denied", "error_description": "Invalid username or password."}

We have tested the same credentials on:

- User's Eikon login = successful

- RDP playground = successful

We think this maybe due to the migration in domains. Is that correct? Could there be another cause for the failure to login and receive the STS token?

If the issue is the Domain, could someone confirm the correct URL is identity.ciam.refinitiv.net and when was this change expected to be made?

Thank you,

Nick

rdp-api refinitiv-data-platform

Aug 09, 2021 at 07:29 PM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Answer 1 · 2021-08-09T19:40:30Z

Gurpreet

13k ●32 ●12 ●18

Hi @Nick.Straatsma ,

The OAuth token URL has been: https://api.refinitiv.com:443/auth/oauth2/v1/token for a long time now. Can you try this endpoint.

Aug 09, 2021 at 07:40 PM

10 |1500

Attachments: Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Nick.Straatsma Aug 11, 2021 at 03:04 PM

Hi @Gurpreet

Thanks very much for the answer. This helped and we also discovered that some of the problem was our TLS version and using JSON instead of URL encoded message body. Here is summary and open questions.

Doing this fixed/enabled us to connect:

https://sts.login.cp.thomsonreuters.net/
1. Resource Owner Password Credential = Successful
2. PKCE = successful
https://sts.identity.ciam.refinitiv.net
1. Resource Owner Password Credential = Successful
2. PKCE = failing
https://api.refinitiv.com:443/auth/oauth2/v1/token
1. Resource Owner Password Credential = Successful
2. PKCE = failing

Questions

Is there documentation for the URL migrations and supported connection types?
Do you expect PKCE to work on the new URLs? Attached is a code snippet. We don't get especially verbose responses on failure.

1628694184272.png (501.2 KiB)

Gurpreet Nick.Straatsma Aug 11, 2021 at 03:36 PM

Hi @Nick.Straatsma ,

I would recommend that you directly get in touch with STS gateway team to get details for which endpoints will support PKCE.

Q&A Forum

question

Error connecting to AAA STS for RDP access - username correct but suspecting URL migration from TR to Refinitiv is the cause

1 Answer

question

Error connecting to AAA STS for RDP access - username correct but suspecting URL migration from TR to Refinitiv is the cause

1 Answer

Related Questions