By: Johann Hoermann user 22 Aug 2022 at 1:25 p.m. CDT

2 Responses
Hello,

I try to have fun working through your book Schwartz/Machulak: Securing the Perimeter, Apress 2018.

Up to now I am in Chapter 5, OpenID Connect, on page 189, Client Registration.

This is how I did set up the client:

OPENID CONNECT CLIENTS DETAILS

  • Name: mod_auth_openidc
  • Client ID: 0cc96639-c9d8-4bc9-b30c-7ca58d6788c9
  • Subject Type: public
  • ClientSecret: XXXXXXXXXXX
  • Application Type: web
  • Persist Client Authorizations: true
  • Pre-Authorization: true
  • Authentication method for the Token Endpoint: client_secret_basic
  • Logout Session Required: false
  • Include Claims In Id Token: false
  • Disabled: false
  • Login Redirect URIs: [https://squid.fritz.box/login-callback.html]
  • Scopes: [profile, openid, email]
  • Response types: [code]

Configuring the Apache VirtualHost, the VirtualHost section has that content.

When I call the printHeaders example, it does not redirect to an authentication page.

Instead it shows the page

https://gluub18.fritz.box/oxauth/restv1/authorize?response_type=code&scope=openid profile email&client_id=0cc96639-c9d8-4bc9-b30c-7ca58d6788c9&state=[-snip-]

with the error

unsupported_response_type

The complete text is here

Hey, I did set the Response_Type code at both sides: at the client's response types and at the apache-variable OIDCResponseType.

The client's apache2 error.log stays empty.

oxauth.log gives a HTTP 400 Bad Request - see http400

Is there any typo in the configs which leads to this error message? I think I implemented the book's description correctly.

Any hint is very much appreciated,

Johann

By Mobarak Hosen Shakil staff 22 Aug 2022 at 9 p.m. CDT

I see Grant Types config is missing. Please allow Grant Types as authorization code at the OpenID Connect Client configuration.

Regards ~ Shakil

By Johann Hoermann user 23 Aug 2022 at 2:21 p.m. CDT

Ok, I added the Grant Type and made a note in my book on page 190. Grant Types: authorization_code.

Meanwhile i found your doc at https://gluu.org/docs/gluu-server/4.3/integration/sswebapps/openidc-rp/

which contains the information Grant Types: authorization_code.

Now it's working! I get a Login Page and I see the Env Vars after successful login.

Thank you for your help Shakil,

Regards, Johann
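
Added example, not part of the thread and not Gluu's code: a pre-flight check that a client's registered response types are backed by the grant types they depend on, using the correspondence table from OpenID Connect Dynamic Client Registration 1.0, section 2. The client dictionaries are constructed from the settings posted above, and `check_request` is an assumed model of the server's decision based on the error reported in the thread.

```python
# Added example (not Gluu's code). Table from OpenID Connect Dynamic Client
# Registration 1.0, section 2: grant types each response_type depends on.
REQUIRED_GRANTS = {
    frozenset({"code"}): {"authorization_code"},
    frozenset({"id_token"}): {"implicit"},
    frozenset({"token", "id_token"}): {"implicit"},
    frozenset({"code", "id_token"}): {"authorization_code", "implicit"},
    frozenset({"code", "token"}): {"authorization_code", "implicit"},
    frozenset({"code", "token", "id_token"}): {"authorization_code", "implicit"},
}

def missing_grants(client):
    """Map each registered response_type to the grant types it still lacks."""
    granted = set(client.get("grant_types", []))
    problems = {}
    for rt in client.get("response_types", []):
        needed = REQUIRED_GRANTS.get(frozenset(rt.split()))
        if needed is None:
            problems[rt] = ["<unknown response_type>"]
        elif needed - granted:
            problems[rt] = sorted(needed - granted)
    return problems

def check_request(client, response_type):
    """Assumed server behaviour, modelled on the error seen in the thread."""
    key = frozenset(response_type.split())
    registered = {frozenset(rt.split()) for rt in client.get("response_types", [])}
    needed = REQUIRED_GRANTS.get(key)
    if needed is None or key not in registered:
        return "unsupported_response_type"
    if needed - set(client.get("grant_types", [])):
        return "unsupported_response_type"
    return "ok"

# Constructed from the settings posted in the thread (secret omitted).
AS_POSTED = {"client_name": "mod_auth_openidc", "response_types": ["code"],
             "grant_types": []}
FIXED = dict(AS_POSTED, grant_types=["authorization_code"])

if __name__ == "__main__":
    for label, client in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, missing_grants(client), check_request(client, "code"))
```

Running the same check over an exported client list before changing `OIDCResponseType` on the relying party shows which clients would start failing with this error.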