OIDC extension: OAuth2 client authentication error
janne.lauros at csc.fi
Mon May 27 06:29:42 EDT 2019
My best guess is that the client simply fails to include client authentication information as described in https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication and https://tools.ietf.org/html/rfc6749#section-2.3.1. If you have a look at the token request from the log file you should see if that really is the case.
----- Original Message -----
From: "Keith Wessel" <kwessel at illinois.edu>
To: "users" <users at shibboleth.net>
Sent: Friday, 24 May, 2019 22:59:18
Subject: OIDC extension: OAuth2 client authentication error
We've got a developer trying to authenticate and get user info from our IdP that's running the current version of the OIDC extension. The developer couldn't find a good OIDC library for their platform, so they're using an OAuth2 library instead. My testing with OIDC libraries is working fine, and I'm still trying to understand the differences.
They're able to send the authentication request successfully, but when they try to hit the token endpoint (/idp/profile/oidc/token), we get a client authentication error:
2019-05-24 11:56:04,061 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206] [session=1tlg7dugf7lhp19eb4wanhtego] [ip=18.104.22.168] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication null for client_secret_basic
2019-05-24 11:56:04,065 - WARN [org.opensaml.profile.action.impl.LogEvent:105] [session=1tlg7dugf7lhp19eb4wanhtego] [ip=22.214.171.124] - A non-proceed event occurred while processing the request: AccessDenied
That's when they set client_secret_basic to the secret that they provided in the metadata they gave us to register. (I say gave us because they could never get dynamic client registration to work, so we added it to the local oidc-metadata.xml).
They also tried just setting client_secret instead of client_secret_basic which resulted in a slightly different error:
2019-05-23 14:58:57,503 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206] [session=ihsr3bkhshhcy6dy9p4dvg4] [ip=126.96.36.199] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication com.nimbusds.oauth2.sdk.auth.ClientSecretPost at 356cc6cc for client_secret_basic
Any suggestions on what the cause might be or how to troubleshoot further?
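As an added illustration (not code from the thread or from the Shibboleth OIDC extension), the snippet below builds a token request with client_secret_basic or client_secret_post and then checks it the way an IdP's endpoint-authentication step must, reproducing the two mismatches visible in the WARN lines above: no credentials at all (logged as null) and post-style credentials sent to a client registered for client_secret_basic. The client id, secret, code and redirect URI are constructed values.

```python
import base64, hmac
from urllib.parse import quote, unquote, urlencode, parse_qs

# Constructed registration: a client registered for client_secret_basic,
# as in the thread (token_endpoint_auth_method in the IdP's client metadata).
REGISTERED = {"client_id": "demo-rp", "secret": "s3cr3t", "method": "client_secret_basic"}

def build_token_request(method, client_id, secret, code, redirect_uri):
    """Return (headers, form_body) for an authorization_code token request
    authenticated with the given method; method None sends no credentials."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, then Base64 "id:secret".
        cred = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        # OIDC Core section 9: credentials travel in the form body instead.
        form["client_id"], form["client_secret"] = client_id, secret
    elif method is not None:
        raise ValueError(f"unsupported method {method}")
    return headers, urlencode(form)

def classify_client_auth(headers, body):
    """Recognise which method a token request actually used (None = none),
    as the IdP must before it can compare against the registered method."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if "client_secret" in parse_qs(body):
        return "client_secret_post"
    return None

def validate_endpoint_auth(registered, headers, body):
    """Return 'ok' when the request uses the registered method with the right
    secret; otherwise a message in the spirit of the IdP's WARN lines."""
    used = classify_client_auth(headers, body)
    if used != registered["method"]:
        return f"Unrecognized client authentication {used} for {registered['method']}"
    if used == "client_secret_basic":
        raw = base64.b64decode(headers["Authorization"][6:]).decode()
        cid, _, secret = (unquote(p) for p in raw.partition(":"))
    else:
        params = parse_qs(body)
        cid, secret = params["client_id"][0], params["client_secret"][0]
    if cid != registered["client_id"] or not hmac.compare_digest(secret, registered["secret"]):
        return "AccessDenied: bad client credentials"
    return "ok"
```

The first check (method recognition) fires before the secret is even compared, which is why a wrong method and a missing Authorization header both produce the "Unrecognized client authentication" warning rather than a bad-credential error.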