OIDC extension: OAuth2 client authentication error
Henri Mikkonen
henri.mikkonen at csc.fi
Fri May 31 01:50:06 EDT 2019
Hi Keith,
> On 24 May 2019, at 22.59, Wessel, Keith <kwessel at illinois.edu> wrote:
>
> All,
>
> We've got a developer trying to authenticate and get user info from our IdP that's running the current version of the OIDC extension. The developer couldn't find a good OIDC library for their platform, so they're using an OAuth2 library instead. My testing with OIDC libraries is working fine, and I'm still trying to understand the differences.
>
> They're able to send the authentication request successfully, but when they try to hit the token endpoint (/idp/profile/oidc/token), we get a client authentication error:
> 2019-05-24 11:56:04,061 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206] [session=1tlg7dugf7lhp19eb4wanhtego] [ip=141.142.60.176] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication null for client_secret_basic
The log line above tells you that the token endpoint couldn't find any client authentication in the request.
> That's when they set client_secret_basic to the secret that they provided in the metadata they gave us to register. (I say gave us because they could never get dynamic client registration to work, so we added it to the local oidc-metadata.xml).
You can see the request details if you enable DEBUG logging for "org.geant.idpextension.oidc.decoding.impl.OIDCTokenRequestDecoder". If the client has implemented HTTP Basic authentication as they should, the Authorization header should have a value of the following form:
Authorization:[Basic blablabla..]
The OIDC plugin's token endpoint should then detect the client authentication as client_secret_basic.
> They also tried just setting client_secret instead of client_secret_basic which resulted in a slightly different error:
> 2019-05-23 14:58:57,503 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206] [session=ihsr3bkhshhcy6dy9p4dvg4] [ip=141.142.60.176] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication com.nimbusds.oauth2.sdk.auth.ClientSecretPost at 356cc6cc for client_secret_basic
This time the token endpoint has detected the client authentication method in the request as client_secret_post. However, your OIDC RP metadata probably doesn't have any value configured for 'token_endpoint_auth_method'. When that's the case, the default value 'client_secret_basic' is used.
So, adding the following to the client's JSON configuration (by default /opt/shibboleth-idp/metadata/oidc_client.json) should fix that issue:
...
"token_endpoint_auth_method":"client_secret_post"
...
BR,
Henri.
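The two WARN lines in this thread come from the same check: the token endpoint classifies whatever credentials the request carries (a Basic Authorization header, client_id/client_secret form fields, or nothing) and compares that against the method registered for the client, which defaults to client_secret_basic when the RP metadata omits token_endpoint_auth_method. The following script is an added example, not the OIDC plugin's or the Nimbus SDK's code; it builds a token request both ways on the client side and runs a server-side validation that reproduces the messages from the thread. The client registry, client IDs, secrets and redirect URI are constructed for the example.

```python
"""OAuth2 client authentication at a token endpoint: client_secret_basic and
client_secret_post side by side, plus a server-side check that mirrors the two
WARN lines in the thread.  Added example; not the plugin's own code."""
import base64
import hmac
from urllib.parse import urlencode, parse_qs, quote, unquote

# Constructed RP registry standing in for oidc_client.json.  A client whose
# metadata omits token_endpoint_auth_method gets client_secret_basic by default.
CLIENTS = {
    "rp-basic": {"client_secret": "s3cr3t-basic"},          # no method given -> default
    "rp-post": {"client_secret": "s3cr3t-post",
                "token_endpoint_auth_method": "client_secret_post"},
}
DEFAULT_METHOD = "client_secret_basic"


def basic_auth_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-urlencode each part, join with ':', base64 the result."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Client side: return (headers, body) for an authorization_code token request
    authenticating with client_secret_basic (header) or client_secret_post (form fields)."""
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported method {method}")
    return headers, urlencode(params)


def detect_client_auth(headers, body):
    """Server side: classify the credentials present in the request.
    Returns (method, client_id, client_secret); method is None when nothing was sent."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
            cid, secret = raw.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return "client_secret_basic", None, None      # malformed header, still Basic
        return "client_secret_basic", unquote(cid), unquote(secret)
    form = parse_qs(body)
    if "client_id" in form and "client_secret" in form:
        return "client_secret_post", form["client_id"][0], form["client_secret"][0]
    return None, None, None


def validate_endpoint_auth(headers, body):
    """Returns (True, client_id) on success, otherwise (False, message).
    The method mismatch is reported before the secret is checked, which is the
    order the thread's WARN lines show (method None, then client_secret_post,
    both rejected 'for client_secret_basic')."""
    method, client_id, secret = detect_client_auth(headers, body)
    client = CLIENTS.get(client_id) if client_id else None
    # With no recognised client there is no metadata to consult, so the default applies.
    registered = (client or {}).get("token_endpoint_auth_method", DEFAULT_METHOD)
    if method != registered:
        return False, f"Unrecognized client authentication {method} for {registered}"
    if client is None or not hmac.compare_digest(secret.encode(), client["client_secret"].encode()):
        return False, "invalid_client"
    return True, client_id


if __name__ == "__main__":
    for who, how in (("rp-basic", "client_secret_basic"), ("rp-basic", "client_secret_post"),
                     ("rp-post", "client_secret_post")):
        hdrs, form_body = build_token_request(how, who, CLIENTS[who]["client_secret"],
                                              "constructed-code", "https://rp.example/cb")
        print(who, how, "->", validate_endpoint_auth(hdrs, form_body))
```

The second case is Keith's situation: a client registered without token_endpoint_auth_method sending client_id and client_secret in the POST body is rejected for client_secret_basic even though the secret is correct; either the client switches to the Authorization header or the registry entry gains "token_endpoint_auth_method": "client_secret_post". The secret comparison uses hmac.compare_digest so a wrong secret is rejected in constant time once the method matches.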