From: Sander A. <sa....@fz...> - 2024-03-19 07:18:30
Good morning Krzysztof,

sorry for the confusion. The problem appears if the confidential clients are using PKCE. For confidential clients which never used PKCE everything is fine. We had just one client which reported that the error occurred independent of whether they are using PKCE or not. But I'm not sure if they really disabled PKCE.

About your requests:

1. I'll try to generate them as soon as possible. For the moment we went back to 3.15.0. But we will create the logs on our dev system.
2. - 4. Please find the screenshots attached. If something is missing, please let me know.

Best regards,
Sander

On Mon, 2024-03-18 at 13:22 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 15.03.2024 at 13:26, Sander Apweiler wrote:
> > Hi Krzysztof,
> > thanks for the fast fix. After we deployed the new version and tested with the confidential client using PKCE, the client gets only
> >
> > status: 401, body: {"error":"invalid_client","error_description":"Client authentication failed; not authenticated"})
> >
> > using PKCE or not. Other applications, which did not use PKCE, are working well.
> > In log files I see only:
> >
> > 2024-03-15T10:50:42,537 [qtp1837191723-34] DEBUG unity.server.core.ClientIPSettingHandler: Handling client XXXXX request to URL /oauth2/token
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using flow pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Client authentication attempt using authenticator pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Not defined credential for pwd
> > 2024-03-15T10:50:42,538 [qtp1837191723-34] DEBUG unity.server.rest.AuthenticationInterceptor: Request to an address with optional authentication - /oauth2/token - invocation will proceed without authentication
> > 2024-03-15T10:50:42,543 [qtp1837191723-34] DEBUG unity.server.oauth.BaseOAuthResource: Retuning OAuth error response: invalid_client: Client authentication failed; not authenticated
> >
> > Checking the client, the credential is well defined and login on userhome works. The password does not contain any character which may cause trouble in encoding. Do you have any idea what causes this issue?
>
> First of all I'm confused by your case description. You wrote that "
> > test with the confidential client using PKCE. [there is a problem] using PKCE or not. Other applications, which did not use PKCE are working well.
> So what is the situation? Only clients which try to perform PKCE are failing with this error, or all, or?
>
> To speed up the investigation, besides explaining the scenario, please also:
>
> 1. enable TRACE logging on 2 facilities: unity.server.rest and unity.server.authn, run the test and provide the logs.
> 2. please provide (e.g. a screenshot) configuration of Clients tab of your OAuth IdP/AS. I'm interested in enabled authenticators/flows.
> 3. please provide details of defined credentials per your client's entity (can be from "Show details").
> 4. complete configuration of the endpoint would be helpful too (more "just in case").
>
> Best,
> Krzysztof

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
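The thread above is about a confidential client that starts failing at the token endpoint with `invalid_client` once PKCE is involved. The following is an added example, not code from this thread or from the Unity IdM code base: a small model of the decision a token endpoint has to make when it receives an authorization-code exchange carrying a `code_verifier`. It shows the rule the report hinges on: for a confidential client, PKCE (RFC 7636) is verified in addition to the client credential, never instead of it, so a missing or wrong secret still has to produce `invalid_client` (401) and a verifier mismatch `invalid_grant` (400), while a public client needs only the PKCE check. All client ids, secrets and authorization codes are constructed sample values; the only real data is the RFC 7636 Appendix B verifier/challenge test vector used to check the S256 transform.

```python
"""Token-endpoint client authentication with PKCE: added example, not Unity IdM code.

Rule demonstrated (RFC 6749 section 2.3, RFC 7636 section 4.6):
  * confidential client -> client credential is mandatory, PKCE checked on top
  * public client       -> no credential, PKCE is the only binding to the /authorize step
All registrations and codes below are constructed sample data.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    confidential: bool
    secret: Optional[str]  # None for public clients, which hold no credential


@dataclass(frozen=True)
class AuthorizationCode:
    client_id: str                    # client the code was issued to
    code_challenge: Optional[str]     # None if /authorize carried no PKCE challenge
    challenge_method: Optional[str]   # only "S256" is accepted here


# RFC 7636 Appendix B test vector: this verifier must hash to this challenge.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

# Constructed sample registrations (hypothetical ids and secret).
CLIENTS: Dict[str, ClientRecord] = {
    "conf-pkce": ClientRecord("conf-pkce", confidential=True, secret="conf-pkce-secret"),
    "public-app": ClientRecord("public-app", confidential=False, secret=None),
}

# Constructed authorization codes "issued" by an earlier /authorize step.
CODES: Dict[str, AuthorizationCode] = {
    "code-conf": AuthorizationCode("conf-pkce", RFC7636_CHALLENGE, "S256"),
    "code-public": AuthorizationCode("public-app", RFC7636_CHALLENGE, "S256"),
    "code-conf-nopkce": AuthorizationCode("conf-pkce", None, None),
}


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authenticate_client(client_id: str, client_secret: Optional[str]) -> Optional[ClientRecord]:
    """Return the client record when the request is acceptably authenticated, else None."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if not client.confidential:
        return client  # public client: identity only, there is no credential to check
    # Confidential client: the credential is required whether or not PKCE is in use.
    if client_secret is None or client.secret is None:
        return None
    if not hmac.compare_digest(client_secret.encode("utf-8"), client.secret.encode("utf-8")):
        return None
    return client


def pkce_ok(code: AuthorizationCode, code_verifier: Optional[str]) -> bool:
    """If a challenge was bound to the code, the presented verifier must reproduce it."""
    if code.code_challenge is None:
        # No challenge at /authorize: a stray verifier now means a mismatched flow.
        # Rejecting it is a design choice here, stricter than RFC 7636 demands.
        return code_verifier is None
    if code.challenge_method != "S256" or code_verifier is None:
        return False
    if not 43 <= len(code_verifier) <= 128:  # RFC 7636 section 4.1 length bounds
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), code.code_challenge)


def token_request(client_id: str, client_secret: Optional[str],
                  code: str, code_verifier: Optional[str]) -> dict:
    """Order matters: client authentication first, then code ownership, then PKCE."""
    client = authenticate_client(client_id, client_secret)
    if client is None:
        return {"status": 401, "error": "invalid_client"}
    issued = CODES.get(code)
    if issued is None or issued.client_id != client.client_id:
        return {"status": 400, "error": "invalid_grant"}  # unknown code or issued to someone else
    if not pkce_ok(issued, code_verifier):
        return {"status": 400, "error": "invalid_grant"}
    return {"status": 200, "token_type": "Bearer"}


if __name__ == "__main__":
    # Confidential client that sends a valid verifier but no secret: still 401.
    print(token_request("conf-pkce", None, "code-conf", RFC7636_VERIFIER))
    # Same client with its secret and the verifier: success.
    print(token_request("conf-pkce", "conf-pkce-secret", "code-conf", RFC7636_VERIFIER))
```

The second call in the `__main__` block is the case the thread describes as broken in practice: secret present, verifier present, and the only correct outcome is a token. The first call is the outcome a server should produce when the credential is genuinely absent; a log line saying the request "will proceed without authentication" followed by `invalid_client` is consistent with the credential never being evaluated, which is why Krzysztof asks for the authenticator/flow configuration of the Clients tab.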