Authentication Troubleshooting

🚫 Domain Validation Errors (400 Bad Request)

Error Message:

400 Bad Request - Invalid redirect_uri domain

Root Cause:

Your application's domain is not in the Hub's whitelist of allowed SSO domains.

Immediate Fix:

Check URL format: Ensure you're using the correct format:
https://hub.regardingwork.com/api/auth/sso/authorize?redirect_uri=http://YOUR_DOMAIN.regardingwork.com/api/auth/sso/callback
Verify domain: Currently allowed domains:
- premium.regardingwork.com
- game.regardingwork.com
- display.regardingwork.com
- ce.regardingwork.com
- desk.regardingwork.com
- localhost:3000 (development)
Request domain addition: Contact Hub admin to add your domain to the whitelist

Status: This issue has been fixed for desk.regardingwork.com and ce.regardingwork.com

❌ Users Can't Login (401 Unauthorized)

Error Message:

POST https://your-app.com/api/auth/login 401 (Unauthorized)

Root Cause:

Your application is trying to authenticate users against its own local database instead of using Hub's centralized authentication system.

The Problem:

❌ What's Happening

User enters janechen/jane123
Your app sends POST to /api/auth/login
Your app checks its own database
User doesn't exist locally → 401 error

✅ What Should Happen

User clicks "Login with Hub"
Redirect to Hub SSO
Hub authenticates user
Hub returns token to your app

Solution:

Remove local login forms that POST to your own API
Replace with Hub SSO button - see our Standardized Authentication Guide
Auto-create users from Hub data during authentication


                                // Replace this:

                                <form action="/api/auth/login" method="POST">


                                
                                // With this:

                                <button onclick="loginWithHub()" class="btn btn-primary">

                                  Login with RegardingWork Hub

                                </button>

💥 Token Exchange Failed (500 Internal Server Error)

Error Message:

500 Internal Server Error - Token exchange failed
Common with OAuth 2.0 flow (used by ce.regardingwork.com)

Root Cause:

The OAuth 2.0 authorization code to token exchange is failing on the Hub side due to import or configuration issues.

Immediate Solutions:

Option 1: Switch to Simple SSO (Recommended)

Use the simpler SSO flow instead of OAuth 2.0. It's more reliable and easier to implement.

View Simple SSO Guide

Option 2: Debug OAuth 2.0 Flow

Check your OAuth implementation for proper PKCE parameters and code exchange.

View OAuth Guide

Technical Details:

The error occurs during step 3 of OAuth flow:

✅ Authorization request → Works
✅ User login at Hub → Works
❌ Code exchange for token → Fails

Status: This has been fixed on the Hub side. CE should now work with OAuth 2.0.

👥 User Data Mismatch Issues

Common Scenarios:

Users exist in Hub but not in your app's database
Authentication succeeds but user data is missing
Profile information doesn't sync properly

Solutions:

✅ Recommended

Auto-Create Users

Create users automatically during authentication callback


                                                if (!localUser) {

                                                  create from Hub data

                                                }

💡 Alternative

Periodic Sync

Sync users periodically from Hub API


                                                // Cron job

                                                syncUsersFromHub()

❌ Avoid

Separate Databases

Don't maintain completely separate user systems

Leads to sync issues and authentication conflicts

🧪 Test Credentials & Debugging

Test User Credentials:


                                        Username: janechen

                                        Password: jane123

                                        Email: janechen@shadstone.com

                                        Available in: Hub database only

These credentials only work through Hub authentication, not direct app login forms.

Test URLs:

Test SSO Flow Test Token Validation Hub Login Page

🔧 Step-by-Step Debugging Process

1. Identify Authentication Method

Simple SSO

/api/auth/sso/authorize

✅ Working - Fixed for desk.regardingwork.com

OAuth 2.0

/api/oauth/authorize

⚠️ Fixed but complex - Used by ce.regardingwork.com

2. Test Domain Validation


                                curl "https://hub.regardingwork.com/api/auth/sso/authorize?redirect_uri=http://YOUR_DOMAIN.com/callback"

Expected: Redirect to login page (not 400 error)

3. Check User Authentication

Go to Hub Login
Login with janechen / jane123
Verify login works on Hub directly
Test SSO flow with authenticated session

4. Verify Token Handling

Complete authentication flow
Check that your callback receives token parameters
Validate token with Hub's validate endpoint
Create/update user in your database

5. Implementation Checklist

Frontend Changes:

☐ Remove local login forms
☐ Add Hub SSO buttons
☐ Handle authentication redirects
☐ Display proper error messages

Backend Changes:

☐ Create SSO callback handler
☐ Implement token validation
☐ Auto-create users from Hub data
☐ Remove local password authentication

Authentication Troubleshooting Guide

Quick Navigation

🚫 Domain Validation Errors (400 Bad Request)

Error Message:

Root Cause:

Immediate Fix:

💥 Token Exchange Failed (500 Internal Server Error)

Error Message:

Root Cause:

Immediate Solutions:

Option 1: Switch to Simple SSO (Recommended)

Option 2: Debug OAuth 2.0 Flow

Technical Details:

👥 User Data Mismatch Issues

Common Scenarios:

Solutions:

✅ Recommended

Auto-Create Users

💡 Alternative

Periodic Sync

❌ Avoid

Separate Databases

🧪 Test Credentials & Debugging

Test User Credentials:

Test URLs:

🔧 Step-by-Step Debugging Process

1. Identify Authentication Method

Simple SSO

OAuth 2.0

2. Test Domain Validation

3. Check User Authentication

4. Verify Token Handling

5. Implementation Checklist

Frontend Changes:

Backend Changes:

Related Documentation

Implementation Guides:

API Reference:

Status & Support: