Grant type `authorization_code` does not work in OpenIddict 3.0 beta 3
Hi,
I tried to set up my server to support the auth code flow, but it seems to fail with an internal exception when trying to verify the client_id/client_secret combo. I sent the credentials in the HTTP Basic Auth header, but the same error happens when providing the credentials in the request body.
The server logs the following messages:
2020-08-18 13:55:52.6205|INFO|OpenIddict.Server.OpenIddictServerDispatcher|The request address matched a server endpoint: Token. |url:POST https://localhost/api/auth/token |traceid:|9d8779a6-4ec529eff93391b1. |eventid:|
2020-08-18 13:55:52.6227|INFO|OpenIddict.Server.OpenIddictServerDispatcher|The token request was successfully extracted: {
"code": "[redacted]",
"grant_type": "authorization_code",
"redirect_uri": "custom-scheme://oauth-exchange",
"client_id": "mobile-client",
"client_secret": "[redacted]"
}. |url:POST https://localhost/api/auth/token |traceid:|9d8779a6-4ec529eff93391b1. |eventid:|
2020-08-18 13:55:52.6384|WARN|OpenIddict.Core.OpenIddictApplicationManager|An error occurred while trying to verify a client secret.
This may indicate that the hashed entry is corrupted or malformed. System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at OpenIddict.Core.OpenIddictApplicationManager`1.<ValidateClientSecretAsync>g__VerifyHashedSecret|56_0(String hash, String secret) in /_/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs:line 1426
at OpenIddict.Core.OpenIddictApplicationManager`1.ValidateClientSecretAsync(String secret, String comparand, CancellationToken cancellationToken) in /_/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs:line 1410 |url:POST https://localhost/api/auth/token |traceid:|9d8779a6-4ec529eff93391b1. |eventid:|
2020-08-18 13:55:52.6554|WARN|OpenIddict.Core.OpenIddictApplicationManager|Client authentication failed for mobile-client. |url:POST https://localhost/api/auth/token |traceid:|9d8779a6-4ec529eff93391b1. |eventid:|
2020-08-18 13:55:52.6562|ERROR|OpenIddict.Server.OpenIddictServerDispatcher|The token request was rejected because the confidential or hybrid application 'mobile-client' didn't specify valid client credentials. |url:POST https://localhost/api/auth/token |traceid:|9d8779a6-4ec529eff93391b1. |eventid:|
2020-08-18 13:55:52.6579|INFO|OpenIddict.Server.OpenIddictServerDispatcher|The response was successfully returned as a JSON document: {
"error": "invalid_client",
"error_description": "The specified client credentials are invalid."
}. |url:POST https://localhost/api/auth/token |traceid:|9d8779a6-4ec529eff93391b1. |eventid:|
The interesting part for me is that it logs a successful token request first, and correctly extracts the client_id (and presumably the client_secret), and then after that logs a System.FormatException. It looks like it tries to unpack the auth header twice, but the second attempt uses invalid data.
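The stack trace above ends in `VerifyHashedSecret` calling `Convert.FromBase64String` on the value stored for the client: OpenIddict 3.0 does not keep client secrets in the clear, the application manager hashes them (salted PBKDF2, base64-encoded) when the application is created through it, and `ValidateClientSecretAsync` decodes and compares that hash. A stored value that is not base64 (for example a raw secret written straight into the applications table) fails exactly at this point, before the submitted secret is ever compared, so the request is rejected as `invalid_client`. The following is an added example of registering the `mobile-client` application through the manager; it is not code from the issue or from OpenIddict's own samples, the secret value, the `ClientSeeder` class and the scope list are placeholders, and it targets the OpenIddict 3.0 `OpenIddict.Abstractions` API.

```csharp
// Added example (not from the issue or OpenIddict's samples). Seeds the
// 'mobile-client' application via IOpenIddictApplicationManager so the secret
// reaches the store in the hashed form ValidateClientSecretAsync expects.
// ClientSeeder, SeedClientsAsync and the secret literal are placeholders.
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class ClientSeeder
{
    public static async Task SeedClientsAsync(
        IServiceProvider services, CancellationToken cancellationToken = default)
    {
        using var scope = services.CreateScope();
        var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();

        // Idempotent: do not re-create the client (and re-hash a new secret) on every start.
        if (await manager.FindByClientIdAsync("mobile-client", cancellationToken) != null)
        {
            return;
        }

        // CreateAsync obfuscates ClientSecret before it is persisted. Inserting the raw
        // secret into the applications table instead leaves a non-base64 value, and every
        // token request then dies in VerifyHashedSecret with the FormatException logged above.
        await manager.CreateAsync(new OpenIddictApplicationDescriptor
        {
            ClientId = "mobile-client",
            ClientSecret = "replace-with-a-long-random-secret", // placeholder value
            DisplayName = "Mobile client",
            Type = ClientTypes.Confidential,
            RedirectUris = { new Uri("custom-scheme://oauth-exchange") },
            Permissions =
            {
                Permissions.Endpoints.Authorization,
                Permissions.Endpoints.Token,
                Permissions.GrantTypes.AuthorizationCode,
                Permissions.GrantTypes.RefreshToken,
                Permissions.ResponseTypes.Code,
                Permissions.Prefixes.Scope + Scopes.Profile // placeholder scope
            },
            // Require PKCE on the authorization code flow for this client.
            Requirements = { Requirements.Features.ProofKeyForCodeExchange }
        }, cancellationToken);
    }
}
```

One caveat for this particular client: a redirect URI on a custom scheme points at a native mobile app, and a native app cannot keep a client secret confidential (RFC 8252, section 8.5). The usual design is to register it as `ClientTypes.Public` with no secret and rely on PKCE, in which case no secret hash is stored or verified at all; the confidential registration above is shown only because the issue's application is confidential.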
Top GitHub Comments
I have poked around a bit more, and it looks like the problem was probably that I messed around trying to figure out my client implementation, plus I got lost when trying to match the stack trace against the OpenIddict code to see where it happened and what I should do to resolve it.
Sorry for the inconvenience.
Roger that. Let’s keep this ticket open until you have a chance to give it another try.