By: Bernardo Santos user 01 Mar 2019 at 6:06 a.m. CST

Hello and good afternoon,

I'm following the SCIM Web API tutorial as to retrieve an access token for future requests: https://gluu.org/docs/ce/user-management/scim2/#send-requests-to-scim-endpoints

```
POST https://<idp-host>/oxauth/restv1/token?grant_type=client_credentials
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Authorization: Basic QCEwQUExLjk2MDIuMzc4Qi5EMkFCITAwMDEhMTM1Qy4xQUMwITAwMDghNDI1OS4yRTE2LjIwRDEuNzlBQzowZjNjMmM0Mi00Yjg2LTRmYzgtYWVhZC00ZjM1NDdjNTk0ZWE=
END POST (0-byte body)
```

and yet I'm obtaining the following:

```
400 Bad Request https://<idp-host>/oxauth/restv1/token?grant_type=client_credentials (430ms)
Date: Fri, 01 Mar 2019 11:40:03 GMT
Server: Jetty(9.4.12.v20180830)
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cache-Control: no-store
Content-Type: application/json
Pragma: no-cache
Content-Length: 291
Connection: close

{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed."}
<-- END HTTP (291-byte body)
```

I'm sharing the SCIM OIDC Client that is used for the Java plugin you provided with UMA-Protection. I've used other rest request tools, but the outcome is the same. Any pointers on what could be wrong?

Thanks in advance, best regards,

By Jose Gonzalez staff 01 Mar 2019 at 3:10 p.m. CST

Hi,

The pre-built Gluu SCIM clients should not be used for this, nor edited. Please create one as instructed in https://gluu.org/docs/ce/user-management/scim2/#create-an-openid-client and let us know.

By Bernardo Santos user 02 Mar 2019 at 10:38 a.m. CST

Hi, thanks for the pointer!

Nevertheless, I've created another client for the Web API as instructed by the tutorial but the outcome was the same. Any reason for the pre-built clients or the client for SCIM Java API can't be shared for other applications?

Thanks again, best regards,

By Jose Gonzalez staff 04 Mar 2019 at 10:32 a.m. CST

Hi,

> Any reason for the pre-built clients or the client for SCIM Java API can't be shared for other applications?

They might be shared but their actual properties probably make them unsuitable for certain tasks. The OpenID spec explains the nature of clients. Personally I don't think there can (or should) be general-purpose clients.

> I've created another client for the Web API as instructed by the tutorial but the outcome was the same.

I followed the instructions to detail and am getting proper responses on a CE 3.1.5 installation:

```
curl -k -u '@!D709.DD63.C2A5.9C6A!0001!2533.B35B!0008!7E19.E521.51CC.4600:secret' -d grant_type=client_credentials https://my.gluu.host/oxauth/restv1/token
```

I added `-k` due to the self-signed cert. Response:

```
{"access_token":"d35aa09a-1f51-463a-a6b0-730bf373e870","token_type":"bearer","expires_in":299}
```

Then, I do:

```
curl -k -G -H 'Authorization: Bearer d35aa09a-1f51-463a-a6b0-730bf373e870' -d count=10 --data-urlencode 'filter=userName co "mi"' https://my.gluu.host/identity/restv1/scim/v2/Users
```

and got

```
{"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"totalResults":1,"startIndex":1,"itemsPerPage":1,"Resources":[...]}
```

By Bernardo Santos user 05 Mar 2019 at 6:22 a.m. CST

Hello, thanks for the explanation!

I will need to retry again, but it seems that I'm having issues with the oxauth service and that could be related to this problem. If necessary I'll open another ticket for it, but it seems that the service just blocked itself and I can't interact with it. I've restarted gluu and the machine that hosts it, and everything is working fine except for this service, which doesn't allow me to restart it or kill it by its pid.

Thanks again, best regards,

By Bernardo Santos user 06 Mar 2019 at 3:23 a.m. CST

Hello again,

after yesterday's hiccup with the oxauth service, today I was able to restore it. Also I've found the issue that I was having: it was due to the fact of how I was sending the grant_type field. As I read that it should be sent as a parameter, I assumed it was a query parameter and not a field parameter e.g. to send as part of the body of the request, hence having the above response.

Thanks for the help! Best regards,
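
The resolution above, as an added example that is not part of the thread or Gluu's own code: it builds the token request with `grant_type` in the form-encoded body (the shape the working `curl -d` call produces) and checks a request object for the query-string shape from the first post. The host, client ID and secret are constructed placeholders, and the helper names are hypothetical.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

TOKEN_PATH = "/oxauth/restv1/token"  # token endpoint path as shown in the thread
FORM = "application/x-www-form-urlencoded"


def build_token_request(host, client_id, client_secret):
    """Client-credentials request with grant_type in the form-encoded body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    return Request(
        f"https://{host}{TOKEN_PATH}",
        data=urlencode({"grant_type": "client_credentials"}).encode("ascii"),
        method="POST",
        headers={"Authorization": f"Basic {basic}", "Content-Type": FORM},
    )


def build_query_string_request(host, client_id, client_secret):
    """Constructed copy of the failing shape: grant_type in the URL, empty body."""
    good = build_token_request(host, client_id, client_secret)
    return Request(
        good.full_url + "?grant_type=client_credentials",
        data=b"",
        method="POST",
        headers=dict(good.header_items()),
    )


def diagnose(req):
    """List the ways a token request deviates from the form-body shape."""
    problems = []
    query = parse_qs(urlsplit(req.full_url).query)
    body = parse_qs((req.data or b"").decode("ascii"))
    if "grant_type" in query:
        problems.append("grant_type sent as a query parameter")
    if "grant_type" not in body:
        problems.append("grant_type missing from the request body")
    if not req.get_header("Content-type", "").startswith(FORM):
        problems.append("Content-Type is not " + FORM)
    return problems


if __name__ == "__main__":
    # Placeholder host and credentials, constructed for this example.
    args = ("idp.example", "example-client-id", "example-secret")
    for build in (build_token_request, build_query_string_request):
        req = build(*args)
        print(build.__name__, "->", diagnose(req) or "ok")
```

Nothing is sent over the network; the request objects are only built and inspected.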