By: Enzo Veltri user 19 Jul 2019 at 10:59 a.m. CDT

3 Responses
Enzo Veltri gravatar
I would like to use gluu with Angular. I know that the "official" supported libraries are AppAuth JS and Gluu OIDC JS Client, but I think that is possible to use also the angular-auth-oidc-client library ( that implements as flow the Code Flow with PKCE. And is the flow that I want to use since it seems to me that gluu is able to manage it. So my first question is: Am I right about code flow with PKCE with gluu? If I'm right, then ...I'm facing some issues with the /token call, where I've got this error: *"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."* The request made by the library is : ``` Request URL: https://gluu/oxauth/restv1/token Request Method: POST Referrer Policy: no-referrer-when-downgrade ----- HEADERS ----- Provisional headers Accept: application/json, text/plain, */* Content-Type: application/x-www-form-urlencoded Origin: http://localhost:4200 Referer: http://localhost:4200/?code=88c57b9d-5995-4ef0-85d6-e7853c630bb8&scope=openid+profile+email&session_id=3763d39a-bbfe-421d-b1e6-4dc938679569&state=15635357423570.178791324118347640.980260684388828&session_state=a1fc64bd66f4b4bd818d54c8075905a1b75bbcf2847982abcc74d913e2eb07ce.a84904ff-868c-4804-9876-8a8b8eeb6d4a User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 ----- POST ----- grant_type: authorization_code client_id: @!A8A7.B4B5.75C8.A2F2!0001!B057.8503!0008!B42E.A175.71DB.30A5 code_verifier: C0.4308350333177926156353590289515635359028950.4346269829086178 code: 88c57b9d-5995-4ef0-85d6-e7853c630bb8 redirect_uri: http://localhost:4200 So, the client id is the same as the one that you can see from the client configured on gluu. What could be the problem? I've already made some research on gluu support, where someone states to use as authentication method "client_secret_post", but as you can see it's already done in my configuration. ``` OPENID CONNECT CLIENTS DETAILS ------------------------------ - **Name:** app-angular - **Description:** app angular client - **Client ID:** @!A8A7.B4B5.75C8.A2F2!0001!B057.8503!0008!DAE9.19DE.383D.8060 - **Subject Type:** pairwise - **Expirattion date:** Wed Jul 19 00:00:00 UTC 2119 - **ClientSecret:** XXXXXXXXXXX - **Client Uri:** http://localhost:4200 - **Application Type:** web - **Persist Client Authorizations:** true - **Pre-Authorization:** false - **Authentication method for the Token Endpoint:** client_secret_post - **Logout Session Required:** false - **Include Claims In Id Token:** false - **Disabled:** false - **Login Redirect URIs:** [http://localhost:4200] - **Scopes:** [email, openid, profile] - **Grant types:** [authorization_code] - **Response types:** [code]

By Michael Schwartz staff 19 Jul 2019 at 11:12 a.m. CDT

Michael Schwartz gravatar
The client authn method at the token endpoint is `Authentication method for the Token Endpoint: client_secret_post` I'm not sure if this is correct for the PKCE flow, but I would check that.

By Enzo Veltri user 19 Jul 2019 at 11:37 a.m. CDT

Enzo Veltri gravatar
Ok, I just changed the Authentication method to "none" and it works.

By Jose Gonzalez staff 20 Jul 2019 at 3:34 p.m. CDT

Jose Gonzalez gravatar
I would try using fully qualified domain names for both the origin and the server, ie. not "localhost" and "gluu". You can create dummy aliases in your hosts file (/etc/hosts or C:\Windows\System32\drivers\etc\hosts if on windows)