By: Ham Di user 15 Mar 2020 at 4:26 p.m. CDT

1 Response
Ham Di gravatar
Hello community, im trying to send curl requests to an openid connect client. I configured my client to use the basic script by setting the "default ACR value". The script is invoked but it return false even when the login and password are good. I printed some parameters (username and password) in the log file of oxauth_script.log to figure out the problem, i found that the username contain the client_id of the openid connect client and not the uid of the user im trying to authenticate. Same thing for the password, i found that it contain the secret of the openid connect client and not the password of the user(see logs below). Another thing, even if the basic script return false, the outcome of the authentication is good (access accept and token received). I dont know how but this is also what i found in the oxauth.log file (see logs below). In Gluu documentation its said that the outcome of the authentication is only controlled by the custom script if the "default ACR value" is set. /opt/gluu/jetty/oxauth/logs/oxauth_script.log ``` 2020-03-15 16:55:47,900 INFO [qtp1094834071-16] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - username is: '@!6DD5.2317.2C71.B3BD!0001!3F53.7A78!0008!A175.044F.25BC.60AA' 2020-03-15 16:55:47,901 INFO [qtp1094834071-16] [org.xdi.service.PythonService$PythonLoggerOutputStream] (PythonService.java:239) - password is: 'DvpuedP4JenA7lEodCtPMrkK' ``` /opt/gluu/jetty/oxauth/logs/oxauth.log ``` 2020-03-15 16:55:47,904 INFO [qtp1094834071-16] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:227) - Authentication result for user '@!6DD5.2317.2C71.B3BD!0001!3F53.7A78!0008!A175.044F.25BC.60AA', result: 'false' 2020-03-15 16:55:47,910 INFO [qtp1094834071-16] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:262) - Authentication success for Client: '@!6DD5.2317.2C71.B3BD!0001!3F53.7A78!0008!A175.044F.25BC.60AA' ``` the curl command ``` curl -i -d scope=openid \ --data-urlencode client_id=$(awk -F= '/^client_id=/ { print $2 }' /etc/raddb/mods-config/oauth2/oauth2-config) \ --data-urlencode client_secret=$(awk -F= '/^client_secret=/ { print $2 }' /etc/raddb/mods-config/oauth2/oauth2-config) \ -d grant_type=password \ --data-urlencode username=admin \ --data-urlencode password=admin \ https://gluu-testserver/oxauth/restv1/token -k ```

By Michael Schwartz staff 15 Mar 2020 at 9:52 p.m. CDT

Michael Schwartz gravatar
1. `grant_type=password` ... this is not OpenID, it is OAuth. So your interception script is certainly not being invoked (you are not even calling the authorization endpoint... you are calling the token endpoint). 2. acr value would not be invoked for an OAuth flow Please read the [Basic Client Implementer’s Guide](https://openid.net/connect/) and probably the Core spec as well if you are going to use a low level client like curl.