"invalid_scope" thrown by Android Device Setup SDK


#1

Hi, long-time listener, first-time caller. I’ve searched here and Google extensively, combed the docs, but I’m at a loss. Surely I’m missing something simple here.

To start with, I’m creating my Android app by modifying photon-tinker-android. I’ve created the product in the Particle console, created simple auth credentials within the product, added these to the app as well as set the productMode and product_id resources in the app.

After calling startDeviceSetup from the (initialised) Device Setup Library, I’m able to log in fine but when pressing the “READY” button on the “Time to set up your…” screen I’m getting the following ParticleCloudException error shown in a pop-up:

Error
Could not communicate with Photon cloud. Make sure your Android device is connected to the internet and retry.
retrofit.RetrofitError: 400

This is both on an emulator (which I think doesn’t work with the setup SDK?) and an actual phone.

Looking at the HTTP logs, the login and token creation seem to be fine, but the call to /v1/products/6621/device_claims is failing with: "error":"invalid_scope","error_description":"Permission denied"

HTTP logs:

D/Retrofit: ---> HTTP POST https://api.particle.io/oauth/token
            Authorization: Basic #####
            Content-Type: application/x-www-form-urlencoded; charset=UTF-8
            Content-Length: 74
D/Retrofit: grant_type=password&username=#####&password=#####
D/Retrofit: ---> END HTTP (74-byte body)
D/Retrofit: <--- HTTP 403 https://api.particle.io/oauth/token (2621ms)
            date: Tue, 09 Oct 2018 13:11:33 GMT
            content-type: application/json; charset=utf-8
            content-length: 134
            server: nginx
            x-request-id: 96ec08ec-4311-4cf7-ba12-7cf4a1047cf3
D/Retrofit: access-control-allow-origin: *
            cache-control: no-store
            pragma: no-cache
            OkHttp-Sent-Millis: 1539090693094
            OkHttp-Received-Millis: 1539090693607
D/Retrofit: {"mfa_token":"#####","error":"mfa_required","error_description":"Multi-factor authentication required"}
D/Retrofit: <--- END HTTP (134-byte body)
D/Retrofit: ---> HTTP POST https://api.particle.io/oauth/token
            Authorization: Basic #####
            Content-Type: application/x-www-form-urlencoded; charset=UTF-8
            Content-Length: 91
D/Retrofit: grant_type=urn%3Acustom%3Amfa-otp&mfa_token=#####
D/Retrofit: ---> END HTTP (91-byte body)
D/Retrofit: <--- HTTP 200 https://api.particle.io/oauth/token (523ms)
D/Retrofit: date: Tue, 09 Oct 2018 13:11:52 GMT
            content-type: application/json; charset=utf-8
            content-length: 161
            server: nginx
            x-request-id: 165f9206-587f-4952-a97a-20aca49f7f92
            access-control-allow-origin: *
            cache-control: no-store
            pragma: no-cache
            x-content-type-options: nosniff
            OkHttp-Sent-Millis: 1539090711785
            OkHttp-Received-Millis: 1539090712304
D/Retrofit: {"token_type":"bearer","access_token":"7ee...dd3","expires_in":7776000,"refresh_token":"552...2e9"}
D/Retrofit: <--- END HTTP (161-byte body)

D/Retrofit: ---> HTTP GET https://api.particle.io/v1/devices
            Authorization: Bearer 7ee...dd3
            ---> END HTTP (no body)
D/Retrofit: <--- HTTP 400 https://api.particle.io/v1/devices (343ms)
            date: Tue, 09 Oct 2018 13:11:53 GMT
            content-type: application/json; charset=utf-8
            content-length: 65
            server: nginx
            x-request-id: e2d376be-c390-4a92-8b5e-174195f40709
            access-control-allow-origin: *
            cache-control: no-store
            pragma: no-cache
            OkHttp-Sent-Millis: 1539090712578
            OkHttp-Received-Millis: 1539090712919
D/Retrofit: {"error":"invalid_scope","error_description":"Permission denied"}
            <--- END HTTP (65-byte body)

D/Retrofit: ---> HTTP POST https://api.particle.io/v1/products/6621/device_claims
            Authorization: Bearer 7ee...dd3
            Content-Type: application/x-www-form-urlencoded; charset=UTF-8
            Content-Length: 24
D/Retrofit: blank=okhttp_appeasement
            ---> END HTTP (24-byte body)
D/Retrofit: <--- HTTP 400 https://api.particle.io/v1/products/6621/device_claims (528ms)
D/Retrofit: date: Tue, 09 Oct 2018 13:11:59 GMT
            content-type: application/json; charset=utf-8
            content-length: 65
            server: nginx
            x-request-id: 71997215-35f8-4b98-b88d-e381280a73b6
            access-control-allow-origin: *
            cache-control: no-store
            pragma: no-cache
            OkHttp-Sent-Millis: 1539090718848
            OkHttp-Received-Millis: 1539090719370
D/Retrofit: {"error":"invalid_scope","error_description":"Permission denied"}
D/Retrofit: <--- END HTTP (65-byte body)

The actual Tinker app works fine.

Matt
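
An added example (not part of the original post or of the Particle SDK): a small triage script for a log like the one above, which pairs each response with its OAuth error code so a failed login can be told apart from a token that was issued but then refused. The sample log is constructed in the same D/Retrofit layout with placeholder tokens, and the function names are hypothetical.

```python
import json
import re

# Constructed sample in the D/Retrofit layout of the log above; tokens are placeholders.
SAMPLE_LOG = """\
D/Retrofit: ---> HTTP POST https://api.particle.io/oauth/token
D/Retrofit: <--- HTTP 200 https://api.particle.io/oauth/token (523ms)
            content-type: application/json; charset=utf-8
D/Retrofit: {"token_type":"bearer","access_token":"PLACEHOLDER","expires_in":7776000}
D/Retrofit: ---> HTTP POST https://api.particle.io/v1/products/6621/device_claims
            Authorization: Bearer PLACEHOLDER
D/Retrofit: <--- HTTP 400 https://api.particle.io/v1/products/6621/device_claims (528ms)
D/Retrofit: {"error":"invalid_scope","error_description":"Permission denied"}
D/Retrofit: <--- END HTTP (65-byte body)
"""

RESPONSE = re.compile(r"<--- HTTP (\d{3}) (\S+)")

def summarize(log_text):
    """Return one (status, url, oauth_error) tuple per HTTP response in the log."""
    results, current = [], None
    for raw in log_text.splitlines():
        line = re.sub(r"^D/Retrofit:\s*", "", raw.strip())
        match = RESPONSE.match(line)
        if match:
            current = [int(match.group(1)), match.group(2), None]
            results.append(current)
        elif line.startswith("---> HTTP"):
            current = None  # a new request begins; stop reading the old body
        elif current is not None and line.startswith("{"):
            try:
                current[2] = json.loads(line).get("error")
            except ValueError:
                pass  # truncated or non-JSON body: keep the status only
    return [tuple(r) for r in results]

def diagnose(log_text):
    """Tell a failed token grant apart from a token that is refused afterwards."""
    rows = summarize(log_text)
    token_ok = any(s == 200 and u.endswith("/oauth/token") for s, u, _ in rows)
    denied = [u for s, u, e in rows if e == "invalid_scope"]
    if not token_ok:
        return "no token issued: authentication problem (credentials, MFA, OAuth client)"
    if denied:
        return "token issued, but rejected with invalid_scope on: " + ", ".join(denied)
    return "token issued and no scope errors logged"

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```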


#2

You’re using simple auth with a product, correct? Make sure you’re setting all of the appropriate values in your resource file. You can put them in strings.xml, but I usually make a separate file for the product settings:

In app > res > values > customization.xml, create a new file and add the following:

<?xml version="1.0" encoding="utf-8"?>
<resources>
    <bool name="productMode">true</bool>
    <integer name="product_id">1319</integer>
    <string name="oauth_client_id">tempmon04-4338</string>
    <string name="oauth_client_secret">460edfd8d70742dd1f1e75c3d5cac5973351465d</string>
    <string name="http_log_level">HEADERS_AND_ARGS</string>
</resources>

  • Make sure you’ve added the device ID to your product before you try to claim it.

  • Make sure you create a new account that is not a regular developer account or team member.
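
An added example (not part of the original post or of the Particle SDK): HTTP logs like the one in post #1 carry Authorization headers, form-encoded credentials and token response bodies, so this sketch scrubs those fields before a log is shared. The key list (including `otp`) and every sample value are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout of the log in post #1; every secret is made up.
SAMPLE = """\
D/Retrofit: ---> HTTP POST https://api.particle.io/oauth/token
            Authorization: Basic ZXhhbXBsZS1jbGllbnQ6ZXhhbXBsZS1zZWNyZXQ=
D/Retrofit: grant_type=password&username=user%40example.com&password=hunter2
D/Retrofit: {"token_type":"bearer","access_token":"aaaa1111","expires_in":7776000,"refresh_token":"bbbb2222"}
D/Retrofit: ---> HTTP GET https://api.particle.io/v1/devices
            Authorization: Bearer aaaa1111
"""

# Field names seen in the OAuth exchange above, plus "otp" and "client_secret" (assumed).
SECRET_KEYS = "password|username|mfa_token|otp|access_token|refresh_token|client_secret"

RULES = [
    # Authorization header: keep the scheme (Basic/Bearer), drop the credential.
    (re.compile(r"(Authorization:\s*\w+\s+)\S+", re.I), r"\1[REDACTED]"),
    # Form-encoded request body parameters.
    (re.compile(r"\b(%s)=[^&\s]*" % SECRET_KEYS, re.I), r"\1=[REDACTED]"),
    # JSON string fields in response bodies.
    (re.compile(r'"(%s)"\s*:\s*"[^"]*"' % SECRET_KEYS, re.I), r'"\1":"[REDACTED]"'),
]

def redact(log_text):
    """Return log_text with credentials and tokens replaced by [REDACTED]."""
    for pattern, replacement in RULES:
        log_text = pattern.sub(replacement, log_text)
    return log_text

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Non-secret fields such as `grant_type`, `expires_in` and the request URLs pass through unchanged, so the scrubbed log is still usable for debugging.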


#3

Ah, I’d done all of those except the last point. Thanks @rickkas7! I wasn’t aware of the developer vs normal account difference.