By: Qin Rodney user 17 Feb 2017 at 2:31 a.m. CST

5 Responses
We use the oxd server API to support OpenID Connect Single Sign-On via Gluu. I meet the following issue:

Step 1: Register the web client to get the "oxd_id".
Step 2: Get the "authorization_url" and redirect to it.
Step 3: Input email address and password to authenticate.
Step 4: After authenticating, we choose the "Allow" button; it redirects to "authorization_redirect_uri", and then logs in to our system.
Step 5: Open another browser, such as FF, and repeat steps one to four. It logs in to our system.
Step 6: When I log out of our system from Chrome, it calls the oxd logout API and redirects to "post_logout_redirect_uri". That is not a problem. But when I continue to log out from FF, it throws this exception:

```
{"error":"invalid_grant","error_description":"The provided access token is invalid, or was issued to another client."}
```

And I used different Gluu accounts to log in to our system.

By Yuriy Zabrovarnyy staff 17 Feb 2017 at 5:16 a.m. CST

Which exact version of Gluu Server do you have? Please attach the `oxauth.log` and `oxd-server.log` files.

By Qin Rodney user 20 Feb 2017 at 11:49 p.m. CST

CentOS 7.2 64-bit, more than 4GB RAM, Gluu 2.4.4. We can only get the "oxd-server.log"; the log is as follows:

```
2017-02-21 13:26:27,501 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_logout_uri","params":{"state":null,"oxd_id":"fa38cf09-1784-45b4-bc7d-2ef2387e963e","id_token_hint":null,"post_logout_redirect_uri":"https://qa.owlforlearning.com/walkthrough/api/users/logout?apiKey=web","session_state":null}}
2017-02-21 13:26:27,505 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"uri":"https://gluu.catapultlearning.com/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=eyJraWQiOiI4YjEyMjVhNy00ZGQxLTQ0YWQtOTMwYi03ODUwNGU0MjVmNDciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9....c92OII4jMbtdLgF8Z8D92ClzHgRYurHoeoLRJZ-h4pFL1ITPK7S3JFEth5KeW64lypB-LDtzuGyX_MDY4ATTwfGo2uieyp3xAUhtVaUK3RvtgzRfn3qkPtRiB5Ai6OD_fND9VGQ4OuhgpjaEBjTrmlEXjt-cRX2nGrbmUGn80so2S9kie1DvNhhU3fMOmK5Xu5eQHzFr92y6ta0xtDMPIJkPDfHrPQTPm38IXZCUQnjLWcYLRVJA11BH9r6sfx_CwzZi68hS4wowNWDB6JpGW_-ITnW4RTqvPsbNMEkbg8mjLMumy3apYL8ZkYHmSIavXl56T3B4XOMp27UpQLOW6A&post_logout_redirect_uri=https%3A%2F%2Fqa.owlforlearning.com%2Fwalkthrough%2Fapi%2Fusers%2Flogout%3FapiKey%3Dweb"}}
2017-02-21 13:26:27,505 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-02-21 13:26:27,505 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-02-21 13:26:52,432 DEBUG [org.xdi.oxd.server.service.SocketService] Start new SocketProcessor...
2017-02-21 13:26:52,434 TRACE [org.xdi.oxd.server.SocketProcessor] Socket processor handling...
2017-02-21 13:26:52,434 TRACE [org.xdi.oxd.common.CoreUtils] commandSize: -1, stringStorage:
2017-02-21 13:26:52,435 TRACE [org.xdi.oxd.common.CoreUtils] Parsed sizeString: 0241, commandSize: 241
2017-02-21 13:26:52,435 TRACE [org.xdi.oxd.common.CoreUtils] Read result: ReadResult{m_command='{"command":"get_logout_uri","params":{"state":null,"oxd_id":"fa38cf09-1784-45b4-bc7d-2ef2387e963e","id_token_hint":null,"post_logout_redirect_uri":"https://qa.owlforlearning.com/walkthrough/api/users/logout?apiKey=web","session_state":null}}', m_leftString=''}
2017-02-21 13:26:52,435 TRACE [org.xdi.oxd.server.Processor] Command: {"command":"get_logout_uri","params":{"state":null,"oxd_id":"fa38cf09-1784-45b4-bc7d-2ef2387e963e","id_token_hint":null,"post_logout_redirect_uri":"https://qa.owlforlearning.com/walkthrough/api/users/logout?apiKey=web","session_state":null}}
2017-02-21 13:26:52,435 TRACE [org.xdi.oxd.server.Processor] Send back response: {"status":"ok","data":{"uri":"https://gluu.catapultlearning.com/oxauth/seam/resource/restv1/oxauth/end_session?id_token_hint=eyJraWQiOiI4YjEyMjVhNy00ZGQxLTQ0YWQtOTMwYi03ODUwNGU0MjVmNDciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9....c92OII4jMbtdLgF8Z8D92ClzHgRYurHoeoLRJZ-h4pFL1ITPK7S3JFEth5KeW64lypB-LDtzuGyX_MDY4ATTwfGo2uieyp3xAUhtVaUK3RvtgzRfn3qkPtRiB5Ai6OD_fND9VGQ4OuhgpjaEBjTrmlEXjt-cRX2nGrbmUGn80so2S9kie1DvNhhU3fMOmK5Xu5eQHzFr92y6ta0xtDMPIJkPDfHrPQTPm38IXZCUQnjLWcYLRVJA11BH9r6sfx_CwzZi68hS4wowNWDB6JpGW_-ITnW4RTqvPsbNMEkbg8mjLMumy3apYL8ZkYHmSIavXl56T3B4XOMp27UpQLOW6A&post_logout_redirect_uri=https%3A%2F%2Fqa.owlforlearning.com%2Fwalkthrough%2Fapi%2Fusers%2Flogout%3FapiKey%3Dweb"}}
```

We can redirect to the first returned URI. But for the next one, we get the error:

```
{"error":"invalid_grant","error_description":"The provided access token is invalid, or was issued to another client."}
```

By Yuriy Zabrovarnyy staff 21 Feb 2017 at 8:03 a.m. CST

This log seems to be cut. Would you please attach the full `oxauth.log` and `oxd-server.log` files?

By Yuriy Zabrovarnyy staff 22 Feb 2017 at 12:30 p.m. CST

I don't know about the intention here, but from the logs I can see that both authorization requests are made with the same client (site) `@!850F.12EB.67F3.F5DE!0001!3EE2.8AFA!0008!43B2.E3D9`:

```
https://gluu.catapultlearning.com/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&client_id=@!850F.12EB.67F3.F5DE!0001!3EE2.8AFA!0008!43B2.E3D9&redirect_uri=https://qa.owlforlearning.com/walkthrough/api/opclient/landingpage&scope=openid+email+uma_protection+uma_authorization&state=cqedhe0us51tbrhet6p14lckqj&nonce=40u1ptuvkdblagva0n1etu4v9
https://gluu.catapultlearning.com/oxauth/seam/resource/restv1/oxauth/authorize?response_type=code&client_id=@!850F.12EB.67F3.F5DE!0001!3EE2.8AFA!0008!43B2.E3D9&redirect_uri=https://qa.owlforlearning.com/walkthrough/api/opclient/landingpage&scope=openid+email+uma_protection+uma_authorization&state=e2io601lal3srs58ubb2kv2g0u&nonce=4b76epds5ogu8u42n1598nbqp7
```

So on `get_logout_uri` oxd picks up the `id_token` from the session and invalidates it. Since the client is the same and `id_token_hint` is not provided in `get_logout_uri`, it picks up the SAME `id_token`. This is the reason for the failure on site2 logout (the `id_token` is already invalidated by site1).

There are two possible solutions:

1. If you wish to use the same client then:
   a) pass `id_token_hint` directly in the `get_logout_uri` command.
   b) implement front-channel logout on the RP side. Then on site1 logout, site2 will be logged out automatically (see spec http://openid.net/specs/openid-connect-frontchannel-1_0.html).
2. Use different clients for different sites.

It all depends on the goal. You can attach a log file (see the "Attachment" field).

Thanks,
Yuriy
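To make the explanation above concrete, here is an added example (a constructed model, not oxd's or oxAuth's code) of why the second logout fails when two browser sessions share one oxd_id/client and `get_logout_uri` is called without `id_token_hint`, and why passing the hint (solution 1a) fixes it. The endpoint URL, class names and the one-cached-id_token-per-oxd_id behaviour are assumptions made for the model.

```python
# Constructed model of the thread's logout flow, not oxd or oxAuth code: the OP
# tracks which id_tokens are still valid; an oxd-like layer caches the last
# id_token per oxd_id and falls back to it when get_logout_uri gets no hint.
from urllib.parse import urlencode, urlparse, parse_qs
END_SESSION = "https://op.example/oxauth/end_session"  # hypothetical endpoint

class Provider:
    """Minimal OP: fresh id_token per login, each usable for end_session once."""
    def __init__(self):
        self.valid, self.issued = set(), 0

    def login(self, client_id):
        self.issued += 1
        token = f"idtok-{client_id}-{self.issued}"
        self.valid.add(token)
        return token

    def end_session(self, id_token_hint):
        if id_token_hint not in self.valid:  # already invalidated or unknown
            return {"error": "invalid_grant", "error_description":
                    "The provided access token is invalid, or was issued to another client."}
        self.valid.discard(id_token_hint)
        return {"status": "ok"}

class OxdLike:
    """Assumed: one cached id_token per oxd_id, overwritten by every new login."""
    def __init__(self, op):
        self.op, self.cache = op, {}

    def login(self, oxd_id, client_id):
        self.cache[oxd_id] = self.op.login(client_id)
        return self.cache[oxd_id]

    def get_logout_uri(self, oxd_id, post_logout_redirect_uri, id_token_hint=None):
        hint = id_token_hint or self.cache[oxd_id]  # the fallback is the shared token
        return END_SESSION + "?" + urlencode(
            {"id_token_hint": hint, "post_logout_redirect_uri": post_logout_redirect_uri})

def logout_two_browsers(pass_hint):
    """Two logins on the same oxd_id/client (Chrome, Firefox), then two logouts."""
    op = Provider()
    oxd = OxdLike(op)
    tokens = [oxd.login("oxd-1", "client-A") for _ in ("chrome", "firefox")]
    results = []
    for token in tokens:  # each browser logs out with (or without) its own hint
        uri = oxd.get_logout_uri("oxd-1", "https://rp.example/logout",
                                 token if pass_hint else None)
        results.append(op.end_session(parse_qs(urlparse(uri).query)["id_token_hint"][0]))
    return results
```

Without the hint the first logout succeeds and the second returns `invalid_grant`, exactly the pattern in the thread; with each session's own `id_token_hint` both succeed.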

By Qin Rodney user 23 Feb 2017 at 2:31 a.m. CST

We chose solution 1, and it works well. Thanks very much.