OIDC extension: OAuth2 client authentication error

Wessel, Keith kwessel at illinois.edu
Fri May 31 10:43:29 EDT 2019 

Thanks, Henry. I should have circled back on this earlier in the week. The problem was, in fact, that they weren't including the HTTP authentication header to do HTTP basic auth. They added this, and it fixed the problem. Those for the post endpoint information, though. That could come in handy in the future.

Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Henri Mikkonen
Sent: Friday, May 31, 2019 12:50 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: OIDC extension: OAuth2 client authentication error

Hi Keith,

> On 24 May 2019, at 22.59, Wessel, Keith <kwessel at illinois.edu> wrote:
> 
> All,
> 
> We've got a developer trying to authenticate and get user info from our IdP that's running the current version of the OIDC extension. The developer couldn't find a good OIDC library for their platform, so they're using an OAuth2 library instead. My testing with OIDC libraries is working fine, and I'm still trying to understand the differences.
> 
> They're able to send the authentication request successfully, but when they try to hit the token endpoint (/idp/profile/oidc/token), we get a client authentication error:
> 2019-05-24 11:56:04,061 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206] [session=1tlg7dugf7lhp19eb4wanhtego] [ip=141.142.60.176] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication null for client_secret_basic

The log line above tells that the token endpoint couldn’t find any client authentication from the request.

> That's when they set client_secret_basic to the secret that they provided in the metadata they gave us to register. (I say gave us because they could never get dynamic client registration to work, so we added it to the local oidc-metadata.xml).

You can see the request details if you enable DEBUG-logging for “org.geant.idpextension.oidc.decoding.impl.OIDCTokenRequestDecoder”. If the client has implemented the HTTP-Basic authentication as they should, the Authorization-header should have a value in the following way:

Authorization:[Basic blablabla..]

And then the OIDC plugin’s token endpoint should detect the client authentication as client_secret_basic.

> They also tried just setting client_secret instead of client_secret_basic which resulted in a slightly different error:
> 2019-05-23 14:58:57,503 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206] [session=ihsr3bkhshhcy6dy9p4dvg4] [ip=141.142.60.176] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication com.nimbusds.oauth2.sdk.auth.ClientSecretPost at 356cc6cc for client_secret_basic

This time the token endpoint has detected the client authentication method from the request to be client_secret_post. However, your OIDC RP metadata probably doesn’t have any value configured for the ‘token_endpoint_auth_method’. When that’s the case, the default value ‘client_secret_basic’ is used.

So, adding the following to the client’s JSON-configuration (by default /opt/shibboleth-idp/metadata/oidc_client.json) should fix that issue:

...
“token_endpoint_auth_method”:”client_secret_post”
…

BR,
Henri.
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list