Hi Sander,
On 03.12.2021 at 12:27, Sander Apweiler wrote:
> Hi Krzysztof,
> We have an SP, which is a SPA using PKCE with CORS. This part is
> working now. We set the clientType to PUBLIC. When the SP requests the
> user token the error message "Invalid user name, credential or external
> authentication failed." is shown. Investigating the logs a little bit
> more it shows "No HTTP BASIC auth header was found". This should not
> be the case for PKCE, should it?
Yeah, that's one known issue we had in our impl. Currently, even for a
public client you have to set up some password (publicly known) and use it.
We can fix that problem now, as in 3.7.0 we have introduced the optionally
authenticated REST endpoints feature, which enables proper handling of
this case.
That should be a small change now; I'll put the corresponding ticket on
the short term queue.
Best,
Krzysztof