By: Maxim Samoussenko user 19 Dec 2018 at 9:13 a.m. CST

4 Responses
As described in the documentation for the `http://gluu.org/oxauth/restv1/token` endpoint, an empty client secret is supported:

> client_secret
> The client secret. The client MAY omit the parameter if the client secret is an empty string.

In fact, when I set the client secret to an empty string and try to authenticate I get the following error:

```
{
  "error": "invalid_client",
  "error_description": "Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."
}
```

The same request with a non-empty secret works as expected.

Gluu logs:

```
2018-12-19 12:15:15,090 DEBUG [qtp804611486-14] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!2B8A.FE82.4F52.84B6!0001!23E4.EB75!0008!BD2E.B40E.D457.D759
2018-12-19 12:15:15,090 TRACE [qtp804611486-14] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:91) - Get request to: 'https://auth.deltixlab.com/oxauth/restv1/token'
2018-12-19 12:15:15,090 DEBUG [qtp804611486-14] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:98) - Starting token endpoint authentication
2018-12-19 12:15:15,090 DEBUG [qtp804611486-14] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:114) - Starting POST Auth token endpoint authentication
2018-12-19 12:15:15,090 TRACE [qtp804611486-14] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:292) - isExistUserPassword: false
2018-12-19 12:15:15,091 DEBUG [qtp804611486-14] [org.xdi.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:296) - requireAuth: 'true'
2018-12-19 12:15:15,091 TRACE [qtp804611486-14] [org.xdi.oxauth.service.ClientService] (ClientService.java:199) - Get client from cache by Dn 'inum=@!2B8A.FE82.4F52.84B6!0001!23E4.EB75!0008!BD2E.B40E.D457.D759,ou=clients,o=@!2B8A.FE82.4F52.84B6!0001!23E4.EB75,o=gluu'
2018-12-19 12:15:15,091 DEBUG [qtp804611486-14] [org.xdi.oxauth.service.ClientService] (ClientService.java:141) - Found 1 entries for client id = @!2B8A.FE82.4F52.84B6!0001!23E4.EB75!0008!BD2E.B40E.D457.D759
2018-12-19 12:15:15,091 DEBUG [qtp804611486-14] [org.xdi.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:70) - Looking for the error with id: invalid_client
2018-12-19 12:15:15,091 DEBUG [qtp804611486-14] [org.xdi.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:75) - Found error, id: invalid_client
2018-12-19 12:15:19,779 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-12-19 12:15:19,779 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.ConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-12-19 12:15:19,779 DEBUG [oxAuthScheduler_Worker-1] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-12-19 12:15:19,810 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-12-19 12:15:19,810 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.service.cdi.event.LoggerUpdateEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-12-19 12:15:19,810 DEBUG [oxAuthScheduler_Worker-2] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-12-19 12:15:20,196 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:52) - Bound request started
2018-12-19 12:15:20,197 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.TimerJob] (TimerJob.java:34) - Fire timer event [org.xdi.oxauth.service.cdi.event.AuthConfigurationEvent] with qualifiers [@org.xdi.service.cdi.event.Scheduled()]
2018-12-19 12:15:20,197 DEBUG [oxAuthScheduler_Worker-3] [org.xdi.service.timer.RequestJobListener] (RequestJobListener.java:62) - Bound request ended
2018-12-19 12:15:20,197 TRACE [Thread-82168] [org.xdi.oxauth.service.AppInitializer] (AppInitializer.java:267) - Attempting to use ldapEntryManager: org.gluu.site.ldap.OperationsFacade@3d118651
```

By Aliaksandr Samuseu staff 19 Dec 2018 at 10:02 a.m. CST

Hi, Maxim. What kind of client and OIDC flow do you use? According to [the spec](https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest), for a confidential client and authz code flow:

> A Client makes a Token Request by presenting its Authorization Grant (in the form of an Authorization Code) to the Token Endpoint using the grant_type value authorization_code, as described in Section 4.1.3 of OAuth 2.0 [RFC6749]. If the Client is a Confidential Client, then it **MUST** authenticate to the Token Endpoint using the authentication method registered for its client_id, as described in Section 9.

By Maxim Samoussenko user 20 Dec 2018 at 2:20 a.m. CST

Hi Aliaksandr, I use the `password` grant type. As for the client, I tried both `Web` and `Native` (called `Application Type` on the Gluu client setup form), and in both cases an empty client secret is rejected.

By Aliaksandr Samuseu staff 20 Dec 2018 at 11:10 a.m. CST

Please try to set "Authentication method for the Token Endpoint" to "none" for the client in question in Gluu.
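The behaviour behind this answer, and behind the spec quote in the earlier reply, is that the token endpoint checks the request against the authentication method *registered* for the client, not against whatever the client happened to send. The following is an added illustration of that logic, written for this thread; it is not oxAuth or Gluu code. The client registry, client ids and secrets are constructed, and the rule that an empty secret never satisfies a secret-based method is this example's own policy, chosen because an empty secret is not a credential.

```python
"""Toy model of OAuth 2.0 token-endpoint client authentication.

Added illustration for this thread, not Gluu/oxAuth code. It models the
three methods from OIDC Core section 9 / RFC 6749 section 2.3.1 that the
thread touches on: client_secret_basic, client_secret_post and none.
"""
import base64
import hmac
from urllib.parse import parse_qs

# Constructed registry: client_id -> registration. A real server reads this
# from its client store (Gluu's log shows it fetching the client by DN).
CLIENT_REGISTRY = {
    # confidential client with a real secret
    "web-client": {"token_endpoint_auth_method": "client_secret_basic",
                   "client_secret": "hypothetical-secret"},
    # the situation from the thread: secret-based method, empty secret
    "empty-secret-client": {"token_endpoint_auth_method": "client_secret_basic",
                            "client_secret": ""},
    # the fix from the thread: auth method "none", i.e. a public client
    "public-client": {"token_endpoint_auth_method": "none",
                      "client_secret": ""},
}

SECRET_METHODS = ("client_secret_basic", "client_secret_post")


def _parse_basic(headers):
    """Return (client_id, secret) from an HTTP Basic header, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    client_id, secret = decoded.split(":", 1)
    return client_id, secret


def authenticate_client(headers, body):
    """Decide whether a token request authenticates its client.

    Returns (client_id, None) on success or (None, "invalid_client") on
    failure, mirroring the error code the thread's server returned.
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    basic = _parse_basic(headers)
    if basic is not None:
        client_id, presented_secret = basic
        method_used = "client_secret_basic"
    else:
        client_id = form.get("client_id")
        presented_secret = form.get("client_secret", "")
        # RFC 6749 2.3.1: an omitted client_secret means an empty string,
        # so an empty value is treated as "no client authentication".
        method_used = "client_secret_post" if presented_secret else "none"

    registration = CLIENT_REGISTRY.get(client_id)
    if registration is None:
        return None, "invalid_client"

    expected = registration["token_endpoint_auth_method"]
    # OIDC Core 9: the client MUST use the method registered for it.
    if method_used != expected:
        return None, "invalid_client"
    if expected in SECRET_METHODS:
        registered_secret = registration["client_secret"]
        # Example policy: an empty secret is never a valid credential, and the
        # comparison is constant-time to avoid leaking secret bytes by timing.
        if not registered_secret or not hmac.compare_digest(
                registered_secret.encode(), presented_secret.encode()):
            return None, "invalid_client"
    return client_id, None


def demo():
    """Replay the thread: failing empty-secret request, then the fix."""
    body = "grant_type=password&username=alice&password=pw&client_id={cid}&client_secret="
    failing = authenticate_client({}, body.format(cid="empty-secret-client"))
    fixed = authenticate_client({}, body.format(cid="public-client"))
    return failing, fixed


if __name__ == "__main__":
    print(demo())
```

Registering a client with method `none` makes it a public client: the server stops asking it to prove its identity at the token endpoint, so the grant it uses (here the resource owner's password) is the only thing protecting token issuance. That is the trade-off behind the suggested setting.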

By Maxim Samoussenko user 21 Dec 2018 at 1:38 a.m. CST

It works. Thank you.