From: Krzysztof B. <kb...@un...> - 2024-03-18 12:23:10
Hi Sander,

On 15.03.2024 at 13:26, Sander Apweiler wrote:
> Hi Krzysztof,
> thanks for the fast fix. After we deployed the new version and tested
> with the confidential client using PKCE, the client gets only
>
> status: 401, body: {"error":"invalid_client","error_description":"Client authentication failed; not authenticated"}
>
> using PKCE or not. Other applications, which did not use PKCE, are
> working well. In log files I see only:
>
> 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
> 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
> 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
>
> Checking the client, the credential is well defined and login on
> userhome works. The password does not contain any character which may
> cause trouble in encoding. Do you have any idea what causes this issue?

First of all, I'm confused by your case description. You wrote that you "test with the confidential client *using PKCE*. [there is a problem] *using PKCE or not*. Other applications, which *did not use PKCE*, are working well." So what is the situation? Only clients which try to perform PKCE are failing with this error, or all, or?
To speed up the investigation, besides explaining the scenario, please also:

1. enable TRACE logging on 2 facilities: unity.server.rest and unity.server.authn, run the test and provide the logs.
2. please provide (e.g. a screenshot) the configuration of the Clients tab of your OAuth IdP/AS. I'm interested in enabled authenticators/flows.
3. please provide details of the defined credentials for your client's entity (can be from "Show details").
4. the complete configuration of the endpoint would be helpful too (more "just in case").

Best,
Krzysztof
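An added example, not part of this thread and not Unity's own code: the log above shows the token endpoint finding no usable credential for the "pwd" authenticator, letting the request through unauthenticated because /oauth2/token allows optional authentication, and then answering invalid_client. A quick way to separate "the client never sent credentials" from "the credential on the entity is wrong" is to build the token request yourself and compare it with what the client sends. The block below generates a PKCE code_verifier/code_challenge (RFC 7636, S256) and a token request for a confidential client with either client_secret_basic or client_secret_post, and sums up a token-endpoint log excerpt. The client id, secret, code and redirect URI are made up; the sample log lines are trimmed from the excerpt quoted in the thread.

```python
"""Added example (not part of the thread or of Unity): build a PKCE token
request for a confidential client and summarise a token-endpoint log excerpt.
Client id/secret, authorization code and redirect URI below are invented."""
import base64
import hashlib
import re
import secrets
from urllib.parse import quote, unquote, urlencode


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 4.1: 43..128 unreserved chars; base64url of random bytes, no '=' padding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: form-urlencode id and secret, then HTTP Basic."""
    creds = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def parse_basic_auth_header(value: str) -> tuple:
    """Inverse of basic_auth_header: what the authorization server decodes."""
    raw = base64.b64decode(value.split(" ", 1)[1]).decode("ascii")
    cid, secret = raw.split(":", 1)
    return unquote(cid), unquote(secret)


def build_token_request(client_id, client_secret, code, redirect_uri,
                        code_verifier, auth_method="client_secret_basic"):
    """Headers and form body for POST /oauth2/token. For a confidential client
    the PKCE code_verifier is sent in addition to client authentication, never
    instead of it."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth_method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth_method: {auth_method}")
    return headers, urlencode(body)


# Constructed sample, trimmed from the log excerpt quoted in the thread.
SAMPLE_LOG = [
    "DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd",
    "DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd",
    "DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication",
    "DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated",
]

NO_CREDENTIAL_RE = re.compile(r"Not defined credential for (\S+)")
OAUTH_ERROR_RE = re.compile(r"OAuth error response: (\w+):")
UNAUTH_MARKER = "invocation will proceed without authentication"


def diagnose_token_log(lines):
    """Summarise what the token endpoint did with the client's credentials:
    which authenticators saw no credential, whether the request went on
    unauthenticated, and which OAuth error was returned."""
    result = {"missing_credential_for": [], "proceeded_unauthenticated": False, "oauth_error": None}
    for line in lines:
        m = NO_CREDENTIAL_RE.search(line)
        if m:
            result["missing_credential_for"].append(m.group(1))
        if UNAUTH_MARKER in line:
            result["proceeded_unauthenticated"] = True
        m = OAUTH_ERROR_RE.search(line)
        if m:
            result["oauth_error"] = m.group(1)
    return result


if __name__ == "__main__":
    verifier = make_code_verifier()
    print("code_challenge:", code_challenge_s256(verifier))
    hdrs, form = build_token_request("my-client", "s3cret", "AUTHCODE", "https://app.example/cb", verifier)
    print(hdrs)
    print(form)
    print(diagnose_token_log(SAMPLE_LOG))
```

If the summary reports a missing credential together with the unauthenticated marker and invalid_client, the first thing to compare is the actual request on the wire (Authorization header or client_id/client_secret form fields) against the output of build_token_request; a client that only sends code_verifier and no credential produces exactly this pattern. Only if the credential is present does the entity's credential definition, as asked for in the reply above, become the next suspect.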