By: Ramkumar Chandrasekaran user 21 Jun 2017 at 2:12 p.m. CDT

We are not able to get a token when using the OpenID Authorization Code Flow.

Step 1: We are able to get the code by calling the authorize endpoint:

https://tenant1.mydomain.com/oxauth/authorize?scope=email&response_type=code&redirect_uri=https%3A%2F%2Ftenant1.mydomain.com%2Flogin&state=tWa37J&client_id=%40%21B764.C0B6.2396.20DB%210001%21F93F.853C%210008%21E487.A32A.1B7A.78E0

https://tenant1.mydomain.com/login?code=3f7af9d3-d320-49ae-929d-f84c8e340c89&scope=email&state=tWa37J&session_state=c8ef0cde-c503-433b-a47b-583f70acb477

Step 2:

```javascript
// Request generated with Postman's code export
var data = "code=3f7af9d3-d320-49ae-929d-f84c8e340c89&scope=email&redirect_uri=https%3A%2F%2Ftenant1.mydomain.com%2Flogin";
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
  if (this.readyState === 4) {
    console.log(this.responseText);
  }
});
xhr.open("POST", "https://tenant1.mydomain.com/oxauth/seam/resource/restv1/oxauth/token");
xhr.setRequestHeader("content-type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("accept", "application/json");
xhr.setRequestHeader("cache-control", "no-cache");
xhr.setRequestHeader("postman-token", "f20e014e-6a21-73c5-9543-a370dd7aae46");
xhr.send(data);
```

On calling the token endpoint we get the error below:

```json
{
  "error": "invalid_client",
  "error_description": "Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."
}
```

Thanks
Ramkumar.C

By Aliaksandr Samuseu staff 21 Jun 2017 at 2:20 p.m. CDT

Hi, Ramkumar. Free support doesn't cover usage of custom OIDC clients. Please use one of the supported [ones instead](https://www.gluu.org/blog/limiting-openid-connect-community-client-support/). If you insist on creating your own, you could try to experiment with a ready solution to study how the correct flow looks internally, then compare it with what your code generates.

By Ramkumar Chandrasekaran user 21 Jun 2017 at 2:37 p.m. CDT

Hi Samuseu,

We did not use custom OIDC clients. We are using the code flow of OpenID. We are able to complete the first step to get the code but are not able to get the token. In my previous post I used Postman to provide the parameters passed to the endpoints. We are following the documentation mentioned in 3.0.1:

> OpenID Connect Flows
>
> The Gluu Server supports all flows defined in the Core spec, including implicit, code, and hybrid. The implicit flow, where the token and id_token are returned from the authorization endpoint, should only be used for applications that run in the browser, like a Javascript client. The code flow or hybrid flow should be used for server side applications, where code on the web server can more securely call the token endpoint to obtain a token. The most useful response type for the hybrid flow is "code id_token". Using this flow, you can verify the integrity of the code by inspecting the c_hash claim in the id_token. If you are using the code flow, the response type should only be code. There is no point in using response type "code token id_token"--the extra tokens returned by the authorization endpoint will only create additional calls to the LDAP server and slow you down. If you are going to trade the code at the token endpoint for a new token and id_token, you don't need them from the authorization endpoint too.

Can you please provide your comments on how to get the token for the code flow.

Thanks
Regards
Ramkumar.C

By Michael Schwartz Account Admin 21 Jun 2017 at 3:13 p.m. CDT

Alex is quite correct. Are you writing your app with Java? Python? Php? Ruby? C#? Node? Perl? Go? Javascript? Because there are good client libraries for all the above. For us to check all the REQUEST / RESPONSE messages is not covered in community support. I would suggest you use the oxd client library, which we do support on this forum. Or check the OpenID Connect website for other certified client libraries.

By Aliaksandr Samuseu staff 21 Jun 2017 at 3:35 p.m. CDT

> We did not use custom OIDC clients. We are using code flow of openid. We are able to complete first step to get code and not able to get token. In my previous post i used postman to provide the parameters passed to endpoints

What OIDC client do you use, then? Is it one of those mentioned in that article I referenced?

- `oxd`: Gluu’s OpenID Connect middleware product with libraries for Php, Python, Java, Ruby, Python, and C#
- `mod_auth_openidc`: Excellent Apache httpd web server filter. See instructions for configuration on Gluu docs for Ubuntu and Centos
- `nginx plugin`: Plugin by the author of mod_auth_openidc
- AppAuth: Excellent mobile libraries for iOS and Android.
- [Javascript Implicit Flow Client](https://gluu.org/docs/integration/oauth-js-implicit/): Read this blog by Nat Sakimura about how to easily write a client side javascript authentication

By Ramkumar Chandrasekaran user 26 Jun 2017 at 12:13 p.m. CDT

We are able to get the token for the authorization code flow grant.

Thanks
Regards
Ramkumar.C

By Amit Pruthi user 21 Feb 2019 at 12:42 a.m. CST

Ramkumar, I am facing the same issue. Can you please explain how you resolved it?
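An added example (not code from the thread or from Gluu) of the server-side token exchange the code flow needs: it checks `state` on the callback, sends `grant_type=authorization_code`, and authenticates the client with `client_secret_basic`, which the XHR request earlier in the thread did not do. The endpoint and client_id are the ones quoted in the thread; the client secret and the response bodies are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Endpoint and client_id as quoted in the thread (client_id URL-decoded).
# CLIENT_SECRET is a constructed placeholder: it stays on the server, never
# in browser-side JavaScript.
TOKEN_ENDPOINT = "https://tenant1.mydomain.com/oxauth/seam/resource/restv1/oxauth/token"
CLIENT_ID = "@!B764.C0B6.2396.20DB!0001!F93F.853C!0008!E487.A32A.1B7A.78E0"
CLIENT_SECRET = "constructed-client-secret"


def parse_callback(callback_url, expected_state):
    """Extract the code from the callback; reject it unless 'state' matches the
    value this app generated for the login attempt (blocks CSRF / injected codes)."""
    params = parse_qs(urlsplit(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]


def build_token_request(code, redirect_uri, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Build the token-endpoint POST: grant_type plus client_secret_basic auth.

    RFC 6749 s2.3.1 form-urlencodes client_id and client_secret before the
    Basic join; Gluu client_ids contain '@' and '!', so this matters.
    """
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one sent to /authorize
    })
    cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(cred.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return TOKEN_ENDPOINT, headers, body


def parse_token_response(status, body):
    """Return the token set, or raise carrying the server's OAuth error code."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise RuntimeError(f"token request failed: {data.get('error', status)}")
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token response shape")
    return data
```

The tuple from `build_token_request` can be handed to `urllib.request` or `requests` unchanged; the `invalid_client` response quoted in the thread is what `parse_token_response` surfaces when the Basic credential is missing or wrong.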