Authorization Code grant returns invalid_client #353

Closed
endymuhardin opened this issue Jul 21, 2021 · 3 comments
Assignees
Labels
status: duplicate A duplicate of another issue

Comments

@endymuhardin

endymuhardin commented Jul 21, 2021

Describe the bug
I adopted the authserver sample from this repo and added a minor modification (using Flyway to set up the database with a custom schema for login and permissions; the OAuth tables are created using the default schema). I tried to obtain an access token but got a 401 with an invalid_client message.

To Reproduce

  1. Open authorization URL in browser :
    http://auth-server:9000/oauth2/authorize?client_id=belajar&redirect_uri=http://127.0.0.1:8080/authorized&response_type=code&state=abcd456&scope=message.read

  2. Login with username user001 and password teststaff

  3. Redirected to http://127.0.0.1:8080/authorized?code=CacGUBn4ZRBwE8cqiS0LHFj0Cww6bRNJwNGGpM-4IYpXpbJ6CBIVCKPyYUizFkNMdPLeRZFN2wqZ9XBZfMoqKMX4usLcv1mxgSLseG0ZhqEmMCMU5J1KN_ZrLPKGBjfC&state=abcd456

  4. Copy CacGUBn4ZRBwE8cqiS0LHFj0Cww6bRNJwNGGpM-4IYpXpbJ6CBIVCKPyYUizFkNMdPLeRZFN2wqZ9XBZfMoqKMX4usLcv1mxgSLseG0ZhqEmMCMU5J1KN_ZrLPKGBjfC to Postman

  5. Set the following in Postman

    • Request Method : POST
    • Basic Auth : username messaging-client password secret
    • Form Body : x-www-form-urlencoded
    • Param grant_type : authorization_code
    • Param redirect_uri : http://127.0.0.1:8080/authorized
    • Param code : CacGUBn4ZRBwE8cqiS0LHFj0Cww6bRNJwNGGpM-4IYpXpbJ6CBIVCKPyYUizFkNMdPLeRZFN2wqZ9XBZfMoqKMX4usLcv1mxgSLseG0ZhqEmMCMU5J1KN_ZrLPKGBjfC
    • Param client_id : messaging-client (I already try to include and exclude this param, result is still invalid_client)
  6. Hit Send

Note: the 127.0.0.1 auth-server entry in /etc/hosts has already been added.

Expected behavior

I tried the reproduction steps above against the sample project and obtained an access_token successfully.
In my project, I get an invalid_client message.

I tried using the sample client app against my project; Firefox said too many redirects.

I tried altering the client authentication method to CLIENT_SECRET_POST and adjusting Postman accordingly, but still got invalid_client.

Sample

Sample project is at http://github.com/endymuhardin/belajar-spring-authorization-server

Suggestion

I tried to trace the error to the source code, but there are many code paths in OAuth2ClientAuthenticationProvider#authenticate that lead to invalid client. It would be great if there were a description in OAuth2ClientAuthenticationProvider#throwInvalidClient, maybe at DEBUG level, to ease debugging.

@endymuhardin endymuhardin added the type: bug A general bug label Jul 21, 2021
@bibibiu2017
Contributor

Hi, @endymuhardin. I was able to pull the sample project and reproduce the issue you are facing. The reason you are getting an invalid client error is that the provided client cannot be successfully authenticated, which could be due to a number of things:

  1. The client requesting authorization, belajar, does not match the name of the client, messaging-client, trying to exchange the authorization_code for a token.
  2. A PasswordEncoder bean has been provided, but the RegisteredClient clientSecret has not been encoded by said encoder.
  3. There is a current bug preventing clients with the non-deprecated authentication methods CLIENT_SECRET_BASIC and CLIENT_SECRET_POST from being authenticated successfully.

I have created a pull request that modifies the sample provided, making it work as expected.

Hope this helps
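An added example (not code from the issue or from the linked belajar-spring-authorization-server project) of a client registration that avoids the three causes listed above. It assumes the Spring Authorization Server 0.1.x API in use at the time, an in-memory repository, and the same client id, secret, redirect URI and scope as the report; the ClientConfig class name is made up for the example.

```java
// Added example (not from the issue or the linked project); assumes Spring
// Authorization Server 0.1.x. The class name ClientConfig is arbitrary.
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;

@Configuration
public class ClientConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder: stored values carry an id prefix such as "{bcrypt}...".
        // Once this bean exists, the authorization server's client authentication
        // uses it to verify the presented client secret against the stored one.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public RegisteredClientRepository registeredClientRepository(PasswordEncoder encoder) {
        // Cause 2 from the comment above: with the encoder bean present, a registration
        // built with .clientSecret("secret") stores plain text, the encoder's matches()
        // check cannot succeed, and the token endpoint answers 401 invalid_client.
        // Storing the encoded form is what makes the Basic-auth exchange verify.
        RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
                // Cause 1: the same client_id must be used on the /oauth2/authorize
                // request and on the token request (the report sent belajar, then
                // messaging-client), because the code is bound to the client that requested it.
                .clientId("messaging-client")
                .clientSecret(encoder.encode("secret"))
                // Cause 3: on the release affected by #346, the reporter found that BASIC
                // worked where CLIENT_SECRET_BASIC did not; on fixed releases use this.
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Must match the redirect_uri sent in the authorize and token requests exactly.
                .redirectUri("http://127.0.0.1:8080/authorized")
                .scope("message.read")
                .build();
        return new InMemoryRegisteredClientRepository(client);
    }
}
```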

@endymuhardin
Author

Hello @bibibiu2017
I have tested it again by injecting a PasswordEncoder and changing the client authentication method to BASIC instead of CLIENT_SECRET_BASIC. It works successfully. Apparently I didn't realize that RegisteredClient will use the existing PasswordEncoder when one is already available. And I was not aware of bug #346 either.

I have already merged your PR. Thanks a lot.

@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: bug A general bug labels Jul 22, 2021
@jgrandja jgrandja self-assigned this Jul 22, 2021
@gaurav794

I was stuck on the same problem. I was able to fix it by encoding the clientSecret with the password encoder, as mentioned by @bibibiu2017 in the second point. Thanks, man, for the hint.
