By: Morgan Nichols user 06 Jun 2019 at 8:58 a.m. CDT

## Expected Behavior:

**I provide the following REQUIRED claim values in a JSON Web Token:**

iss, sub, aud, jti, exp, iat

(A quick question here: is there a value that I should be using for my jti? I'm using session_id for now.)

**Then also include the following values in the JWT as well:**

grant_type, code, client_id, client_secret

**I send a 'POST' body to my token endpoint that looks like this:**

```
headers: {
  'Content-Type': 'application/x-www-form-urlencoded',
  'content-length': 579
},
body: 'grant_type=authorization_code&assertion=<token-here>'
```

**I retrieve an access code and use it to authenticate my user.**

## Actual Behavior:

My POST request returns the following error in the response's body:

`{"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}`

## Code Samples/Configuration Options

```
const jwt = require('jsonwebtoken');
const request = require('request');

// payload holds the claims listed above (iss, sub, aud, jti, exp, iat plus
// grant_type, code, client_id, client_secret); signOptions holds the
// jsonwebtoken sign options; the client secret comes from the environment.
jwt.sign(payload, process.env.SECRET, signOptions, (err, token) => {
  if (err) {
    console.log(err);
    return; // do not POST an undefined token
  }
  request.post({
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    url: 'https://<auth-server-url.com>/oxauth/restv1/token',
    body: `grant_type=authorization_code&assertion=${token}`
  }, (error, response, body) => {
    if (error) {
      console.log(error);
    } else {
      console.log(response);
      console.log(body);
    }
  });
});
```

Gluu Client configurations:

- Scopes: openid, profile, email
- Response Types: code
- Grant Types: refresh_token, authorization_code
- Authentication method for the token endpoint: client_secret_jwt
- Encryption/Signing settings: HS256

If I can get all of this working I'll happily share a gist with the team.

## Notes

I am successfully passing a JWT when redirecting users to my authorization endpoint.

Thanks,
Morgan

By Michael Schwartz Account Admin 06 Jun 2019 at 10:02 a.m. CDT

Did you read [Section 9](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)? If you are asking for JWT client authentication, wouldn't the parameter be `client_assertion`? Beyond that, we don't normally get involved in helping people write low-level clients. I'd recommend you use an OpenID Connect client library. I'm not sure what language that is, but there are good ones for Node, Python, PHP, Ruby etc. See the [Certified Relying Parties](https://openid.net/certification/#RPs). Also, you may consider using [oxd](https://oxd.gluu.org), which is middleware with client libraries in many languages. Closing this ticket because it's outside the scope of community support.

By Morgan Nichols user 06 Jun 2019 at 10:18 a.m. CDT

Hi Michael, I did read Section 9; however, Gluu's official documentation recommends using the 'assertion' parameter [here](https://gluu.org/docs/ce/api-guide/openid-connect-api/#openid-connect-token-endpoint) and not the client_assertion parameter. The docs don't provide much guidance on how a request should be formatted or explicitly state which parameter should include the token. Perhaps an update to that documentation would be helpful? I tried using oxd-node earlier, but repeatedly ran into issues. As suggested, I'll look into an OpenID Connect library. Cheers, Morgan