By: Yunus Raza user 26 Aug 2020 at 2:04 a.m. CDT

5 Responses
I have configured a client in Gluu with scope as openid. I have then taken the client ID and secret and configured them in NetScaler. I can see that NetScaler is sending the details to /oxauth/restv1/token but the response that comes back from Gluu is unauthorized client. However I can see that the page is redirected to Gluu and the user is authenticated, as the oxauth.log says successfully authenticated. But not sure why Gluu then says it is unauthorized.

```
2020-08-26 07:58:47,671 INFO [qtp1708570683-21] [org.gluu.oxauth.auth.Authenticator] (Authenticator.java:432) - Authentication success for User: 'yraza'
2020-08-26 07:58:47,700 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:47,700 DEBUG [qtp1708570683-14] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:58) - Checking scopes policy for: [openid]
2020-08-26 07:58:47,701 DEBUG [qtp1708570683-14] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:90) - Granted scopes: [openid]
2020-08-26 07:58:47,732 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:47,733 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.RedirectionUriService] (RedirectionUriService.java:87) - Validating redirection URI: clientIdentifier = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2, redirectionUri = https://mylabgw.mylab.local/oauth/login, found = 1
2020-08-26 07:58:47,733 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.RedirectionUriService] (RedirectionUriService.java:109) - Comparing https://mylabgw.mylab.local/oauth/login == https://mylabgw.mylab.local/oauth/login
2020-08-26 07:58:47,746 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:47,746 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:47,794 DEBUG [qtp1708570683-21] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:47,795 DEBUG [qtp1708570683-21] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:47,823 DEBUG [qtp1708570683-21] [gluu.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:185) - Attempting to request authorization: responseType = code, clientId = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2, scope = openid, redirectUri = https://mylabgw.mylab.local/oauth/login, nonce = null, state = b2F1dGhhY3Q9T0lEQy1TUC1nbHV1AC4WRl8K7BYudGFyZ2V0PWh0dHBzOi8vYWN1c2xhYmd3LmFjdXNsYWIubG9jYWwvbmYvYXV0aC9kb09BdXRoP2FjdD1PSURDLVNQLWdsdXU7bmY9O3d2PTA=, request = null, isSecure = true, requestSessionId = null, sessionId = null
2020-08-26 07:58:47,824 DEBUG [qtp1708570683-21] [gluu.oxauth.authorize.ws.rs.AuthorizeRestWebServiceImpl] (AuthorizeRestWebServiceImpl.java:191) - Attempting to request authorization: acrValues = null, amrValues = null, originHeaders = null, codeChallenge = null, codeChallengeMethod = null, customRespHeaders = null, claims = null, tokenBindingHeader = null
2020-08-26 07:58:47,825 DEBUG [qtp1708570683-21] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:47,826 DEBUG [qtp1708570683-21] [org.gluu.oxauth.service.RedirectionUriService] (RedirectionUriService.java:87) - Validating redirection URI: clientIdentifier = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2, redirectionUri = https://mylabgw.mylab.local/oauth/login, found = 1
2020-08-26 07:58:47,827 DEBUG [qtp1708570683-21] [org.gluu.oxauth.service.RedirectionUriService] (RedirectionUriService.java:109) - Comparing https://mylabgw.mylab.local/oauth/login == https://mylabgw.mylab.local/oauth/login
2020-08-26 07:58:47,827 DEBUG [qtp1708570683-21] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:58) - Checking scopes policy for: [openid]
2020-08-26 07:58:47,828 DEBUG [qtp1708570683-21] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:90) - Granted scopes: [openid]
2020-08-26 07:58:47,874 DEBUG [qtp1708570683-21] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:58) - Checking scopes policy for: [openid]
2020-08-26 07:58:47,875 DEBUG [qtp1708570683-21] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:90) - Granted scopes: [openid]
2020-08-26 07:58:48,004 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:48,005 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:48,005 DEBUG [qtp1708570683-14] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:140) - Starting endpoint authentication https://mylab-iam.mylab.local/oxauth/restv1/token
2020-08-26 07:58:48,006 DEBUG [qtp1708570683-14] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:158) - Starting POST Auth token endpoint authentication
2020-08-26 07:58:48,007 DEBUG [qtp1708570683-14] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:379) - requireAuth: 'true'
2020-08-26 07:58:48,007 DEBUG [qtp1708570683-14] [org.gluu.oxauth.service.ClientService] (ClientService.java:135) - Found 1 entries for client id = 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
2020-08-26 07:58:48,009 DEBUG [qtp1708570683-14] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:72) - Looking for the error with id: invalid_client
2020-08-26 07:58:48,009 DEBUG [qtp1708570683-14] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:77) - Found error, id: invalid_client
```

By Michael Schwartz Account Admin 26 Aug 2020 at 10:43 a.m. CDT

Please post the client config summary here.

By Yunus Raza user 27 Aug 2020 at 3:23 a.m. CDT

OPENID CONNECT CLIENTS DETAILS
------------------------------

- **Name:** netscaler
- **Client ID:** 59e0f691-9185-4e4d-b6c6-a6cfa1a544d2
- **Subject Type:** pairwise
- **ClientSecret:** XXXXXXXXXXX
- **Application Type:** web
- **Persist Client Authorizations:** true
- **Pre-Authorization:** false
- **Authentication method for the Token Endpoint:** client_secret_post
- **Logout Session Required:** false
- **Include Claims In Id Token:** true
- **Disabled:** false
- **Login Redirect URIs:** [https://mylab.local/oauth/login]
- **Scopes:** [profile, openid]
- **Grant types:** [authorization_code, implicit, refresh_token, client_credentials, password]
- **Response types:** [code, token, id_token]

By taking the network trace I found that Gluu was performing the POST instead of Basic. So I changed the value **client_secret_basic** to **client_secret_post** and it started working.

By Michael Schwartz Account Admin 27 Aug 2020 at 12:54 p.m. CDT

Here are some comments:

1. Response Type: should be `code` only for Code Flow. You don't need the token or id_token back in the response from the authorization endpoint.
2. You may want to use Subject Type `public` and map this to the email or username.
3. Grant type should probably be just `authorization_code`. Use `password` if you want to send the username and password. Use `refresh_token` only if you intend to use the refresh token. Web applications that create a session on login probably don't need it.
4. `Authentication method for the Token Endpoint: client_secret_post`: are you actually sending the `client_id` and `client_secret` as POST params? Or are you trying to send them in the Authorization header? If the latter, use BASIC.
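To make point 4 concrete, here is an added example (not Gluu or NetScaler code) that builds the token request both ways and shows a server-side check that answers `invalid_client` when the method the client actually used does not match the method registered for it, which is the mismatch in this thread. The client ID is the one from the thread; the secret, authorization code and registered method are constructed placeholders.

```python
import base64
import hmac
from urllib.parse import quote, unquote, urlencode, parse_qs

# Constructed registration record modelled on the thread's client summary.
REGISTERED = {
    "client_id": "59e0f691-9185-4e4d-b6c6-a6cfa1a544d2",
    "client_secret": "placeholder-secret",          # not the real secret
    "token_endpoint_auth_method": "client_secret_basic",
}

def build_token_request(method, client_id, secret, code, redirect_uri):
    """Client side: return (headers, form_body) for an authorization_code token request."""
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, join with ':', then base64.
        cred = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        # Credentials travel in the form body instead of the Authorization header.
        params["client_id"] = client_id
        params["client_secret"] = secret
    else:
        raise ValueError(f"unsupported method: {method}")
    return headers, urlencode(params)

def authenticate_client(headers, body, registered):
    """Server side: detect which method was used, require it to match registration,
    then verify the credentials. Returns 'ok' or the OAuth error code 'invalid_client'."""
    form = parse_qs(body)
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[len("Basic "):]).decode()
        except ValueError:                      # bad base64 or not UTF-8
            return "invalid_client"
        cid, _, sec = raw.partition(":")
        used, cid, sec = "client_secret_basic", unquote(cid), unquote(sec)
    elif "client_secret" in form:
        used = "client_secret_post"
        cid, sec = form.get("client_id", [""])[0], form["client_secret"][0]
    else:
        return "invalid_client"                 # no client authentication at all
    if used != registered["token_endpoint_auth_method"]:
        return "invalid_client"                 # method mismatch: the case in this thread
    if cid != registered["client_id"] or not hmac.compare_digest(sec, registered["client_secret"]):
        return "invalid_client"
    return "ok"
```

Run it with the registered method set to `client_secret_basic` and a `client_secret_post` request, and the mismatch alone is enough to produce `invalid_client` even though the secret is correct.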

By Yunus Raza user 27 Aug 2020 at 10:09 p.m. CDT

Hello Michael, thanks for the details, I have made the changes. For (3), where do I do the mapping? For (4), I am sending it as POST: https://mylab.local/oxauth/restv1/authorize?response_type=code&grant_type=password&scope=openid&client_id=59e0f691-9185-4e4d-b6c6-a6cfa1a544d2

By Michael Schwartz Account Admin 28 Aug 2020 at 9:52 a.m. CDT

That is `GET`, not `POST`.