By: SENTHILKUMAR DHANAPAL user 25 Jul 2018 at 1:09 p.m. CDT

12 Responses
Hi, I am using Gluu 3.1.2 and end_session returns 400. _oxauth/restv1/end_session_ returns 400 bad request, and the response shows the below:

```
{"error":"invalid_grant_and_session","error_description":"The provided access token and session state are invalid or were issued to another client."}
```

I am sure I am missing something in config. Could you please help?

By Michael Schwartz Account Admin 25 Jul 2018 at 1:35 p.m. CDT

Could you provide a PDF of your client config form, as well as the exact request sent?

By SENTHILKUMAR DHANAPAL user 26 Jul 2018 at 9:31 a.m. CDT

I am not able to attach the PDF here, hence providing the values from the OpenID client:

```
request : https://mydomain.com/oxauth/restv1/end_session
response : 400 bad request
client :
Inum: @!F3F0.D134.84D5.6546!0001!743F.5C7C!0008!7216.F683.3283.66F0
Client Name:* member
Application Type:* Web
Pre-Authorization:* False
Persist Client Authorizations:* True
Subject Type:* pairwise
Authentication method for the Token Endpoint: client_secret_post
Redirect Login URIs: https://mydomain.com/member
Post Logout Redirect URIs: https://mydomain.com/member
Scopes: openid
Response Types: id_token token
Grant Types: implicit password
Request URIs: https://mydomain.com/member
Logout Session Required:* True
Include Claims In Id Token:* false
```

By Thomas Gasmyr Mougang staff 26 Jul 2018 at 9:51 a.m. CDT

You can use Google Drive or some similar service.

By SENTHILKUMAR DHANAPAL user 26 Jul 2018 at 10:50 a.m. CDT

Do you still need a PDF format? I have provided all the information from the client.

By Michael Schwartz Account Admin 26 Jul 2018 at 10:58 a.m. CDT

No PDF is needed. That looks good. Is it a Web client? If so, why are you using the implicit grant? It should be a Native client (i.e. public) if you're using a JavaScript client-side browser application. I don't think this is breaking it. Also, if it's a JavaScript client, wouldn't the redirect be to localhost? That's also a little weird. Also, this is not breaking it, but you should remove the password grant. You don't need that. I'm re-assigning to Alex, because he is working a similar issue.

By SENTHILKUMAR DHANAPAL user 26 Jul 2018 at 11:08 a.m. CDT

https://b24-0mgstt.bitrix24.com/~3J4oR

I have an Angular application and it is a web client. I have a basic question: how is this call being triggered automatically? When it gets called, does end_session need to go with any query param?

By Aliaksandr Samuseu staff 26 Jul 2018 at 12:45 p.m. CDT

Hi, SENTHILKUMAR. How exactly do you send that request to `/end_session`? Please note you must include `session_id` in it, either via cookies, or in the URL query string's parameter with the same name. So, for example, if your request is sent by a backend service (we had such a case reported recently), it may not be in possession of this id and such a request will fail. If you don't include `session_id` in the query string, please make sure that at least you include all cookies issued by oxAuth for the session in question.

By Aliaksandr Samuseu staff 26 Jul 2018 at 12:47 p.m. CDT

One correction: for the URL query approach the parameter must be called `sid`.
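
A check for the point made in the two staff replies above, as an added example that is not part of the original thread or of Gluu's code: given a captured `end_session` request, it reports whether a session identifier travels in the `sid` query parameter or in a `session_id` cookie. The parameter and cookie names are taken from those replies; the function names and sample values are constructed for illustration.

```javascript
// Added example. Assumptions: query parameter "sid" and cookie "session_id",
// as named in the thread; every sample value below is constructed.

// Parse a raw Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // skip empty or malformed fragments
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Inspect one captured request: where, if anywhere, is the session id?
function checkEndSessionRequest(requestUrl, cookieHeader) {
  const url = new URL(requestUrl);
  const findings = [];
  if (!url.pathname.endsWith("/end_session")) {
    findings.push("not an end_session request");
  }
  // A session_id query parameter is the mistake the correction addresses.
  if (url.searchParams.has("session_id")) {
    findings.push("query parameter must be named sid, not session_id");
  }
  let via = null;
  if (url.searchParams.get("sid")) {
    via = "query"; // empty "sid=" is treated as missing
  } else if (parseCookies(cookieHeader).get("session_id")) {
    via = "cookie";
  } else {
    findings.push("no sid query parameter and no session_id cookie");
  }
  return { carriesSession: via !== null, via, findings };
}

// The bare request from the thread, sent without cookies (e.g. by a backend).
const base = "https://mydomain.com/oxauth/restv1/end_session";
console.log(checkEndSessionRequest(base, ""));
console.log(checkEndSessionRequest(base + "?sid=constructed-sid-123", ""));
console.log(checkEndSessionRequest(base, "lang=en; session_id=constructed-sid-123"));
```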

By SENTHILKUMAR DHANAPAL user 26 Jul 2018 at 1:47 p.m. CDT

That's what I guessed, but I am not calling this URL at all at any time. I kept this as part of the OIDC settings, and I think it is getting called due to inactivity of the member in the web. Please correct me if I am going the wrong way.

By Aliaksandr Samuseu staff 26 Jul 2018 at 1:57 p.m. CDT

Sorry, could you elaborate? In your first post you wrote:

```
Hi, I am using glu 3.1.2 and end_session return 400 _oxauth/restv1/endsession return 400 bad request and in response it shows below. {"error":"invalid_grant_and_session","error_description":"The provided access token and session state are invalid or were issued to another client."}
```

If you don't send any requests to it, under what circumstances are you getting this error? Please provide detailed steps on how to reproduce the issue.

By SENTHILKUMAR DHANAPAL user 26 Jul 2018 at 2:04 p.m. CDT

This is getting called after inactivity of 1 minute. I don't have any configuration in the client as well. Gluu 3.1.2

By Aliaksandr Samuseu staff 26 Jul 2018 at 2:12 p.m. CDT

If it's just one minute of inactivity, please provide a video capture which shows how it happens; that will probably be the easiest way to understand the situation.