
Code-for-token request isn't authenticated

Open · amalbuquerque opened this issue 5 years ago · 1 comment

Hi there :wave: First of all, thanks for this!

I'm trying to use this library locally against a mock OIDC Server (https://github.com/appvia/mock-oidc-user-server), that uses the node-oidc-provider under the hood.

What I'm seeing is that the fetch_tokens/3 function doesn't do any authentication, hence the code-for-token request fails with a 401. Full error details below:

    ** (MatchError) no match of right hand side value: {:error, :fetch_tokens, %HTTPoison.Response{body: "{\"error\":\"invalid_client\",\"error_description\":\"client authentication failed\"}", headers: [{"Pragma", "no-cache"}, {"Cache-Control", "no-cache, no-store"}, {"Content-Type", "application/json; charset=utf-8"}, {"Content-Length", "77"}, {"Date", "Sat, 24 Aug 2019 11:46:30 GMT"}, {"Connection", "keep-alive"}], request: %HTTPoison.Request{body: {:form, [client_id: "my-client", client_secret: "my-secret", code: "gU9qoumrVmlaFzOe3JI6ri6KYXG", grant_type: "authorization_code", redirect_uri: "http://localhost:4003/session"]}, headers: [{"Content-Type", "application/x-www-form-urlencoded"}], method: :post, options: [], params: %{}, url: "http://oidc:9090/token"}, request_url: "http://oidc:9090/token", status_code: 401}}

If I change the headers set by the fetch_tokens/3 function like this:

+    basic_auth = Base.encode64("my-client:my-secret")

    headers = [
      {"Content-Type", "application/x-www-form-urlencoded"},
+     {"Authorization", "Basic #{basic_auth}"},
    ]
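Review bot: with this change the request authenticates the client twice, because the form body shown in the error above still carries client_id and client_secret while the new header carries the same pair; RFC 6749 section 2.3 says a client must not use more than one authentication method per request and section 5.2 lets the server answer invalid_request, so drop the two body fields whenever the Authorization header is set. The Basic value is also built from the literals "my-client:my-secret" rather than the client_id and client_secret already passed to fetch_tokens/3, and RFC 6749 section 2.3.1 expects each half to be form-urlencoded before the Base64 step (a secret containing ':' would otherwise break the split on the server), so something like `Base.encode64("#{URI.encode_www_form(client_id)}:#{URI.encode_www_form(client_secret)}")` would be the safer form.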

The fetch_tokens/3 function works as expected.

Since OIDC specifies that this request should be authenticated, using HTTP Basic or JWT-based authentication, isn't this missing from this library?

I'll open a PR to fix this if it's needed, I'd just like to confirm this with you first.

Thanks in advance :raised_hands:

amalbuquerque avatar Aug 24 '19 12:08 amalbuquerque

Tried to use Auth0 instead of the node-oidc-provider-based mock server and it worked as expected, since Auth0 accepts the client credentials on the HTTP POST body, as this library does.

However, from what I've read (e.g. https://connect2id.com/learn/openid-connect#example-auth-code-flow-step-2) this request can also be authenticated with other strategies. Do you want to support the HTTP Basic auth approach here?

amalbuquerque avatar Aug 26 '19 21:08 amalbuquerque
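As an added example that is not part of this thread or of the openid_connect library, here are the two token-endpoint client authentication methods the discussion is about, written in Python so that it runs offline with the standard library: `client_secret_post` (credentials in the form body, which is what the library's fetch_tokens/3 sends, and what Auth0 accepted) and `client_secret_basic` (the Authorization header the node-oidc-provider mock insisted on). `build_token_request` builds the code-for-token request either way, and `authenticate_client` is a minimal token-endpoint check that, like the mock server in the issue, accepts only the method the client was registered with and rejects a request that uses both at once. The function names, the registered-client table and the sample values are constructed for the example; the authorization code and redirect URI reuse the ones from the 401 response above.

```python
# Added example, not code from the openid_connect library or from the thread.
# Both client authentication methods for the OIDC/OAuth 2.0 token endpoint,
# plus the server-side check, using only the standard library.
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credentials as RFC 6749 section 2.3.1 requires: each half is
    form-urlencoded before the two are joined with ':' and base64-encoded, so a
    ':' or non-ASCII byte in the secret cannot corrupt the split on the server."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_token_request(code, redirect_uri, client_id, client_secret,
                        method="client_secret_basic"):
    """Return (headers, urlencoded body) for the code-for-token request,
    authenticating the client with exactly one of the two methods."""
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return headers, urlencode(params)


def authenticate_client(headers, body, registered_clients):
    """Token-endpoint side. Returns (http_status, json_dict).

    registered_clients maps client_id -> {"secret": ..., "auth_method": ...};
    like the mock server in the issue, only the registered method is accepted.
    """
    invalid_client = (401, {"error": "invalid_client",
                            "error_description": "client authentication failed"})

    basic = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            return invalid_client
        cid, sep, csec = raw.partition(":")
        if not sep:
            return invalid_client
        basic = (unquote(cid), unquote(csec))  # undo the section 2.3.1 encoding

    form = parse_qs(body, keep_blank_values=True)
    post = None
    if "client_secret" in form:
        post = (form.get("client_id", [""])[0], form["client_secret"][0])

    # RFC 6749 section 2.3: a client MUST NOT use more than one authentication
    # method per request; section 5.2 names invalid_request for that case.
    if basic is not None and post is not None:
        return 400, {"error": "invalid_request",
                     "error_description": "more than one client authentication method"}
    if basic is not None:
        used, (cid, csec) = "client_secret_basic", basic
    elif post is not None:
        used, (cid, csec) = "client_secret_post", post
    else:
        return invalid_client

    reg = registered_clients.get(cid)
    if reg is None or reg["auth_method"] != used:
        return invalid_client
    # constant-time comparison so the check does not leak the secret length-by-byte
    if not hmac.compare_digest(reg["secret"].encode(), csec.encode()):
        return invalid_client
    return 200, {"client_id": cid, "auth_method": used}


# Constructed registration mirroring the issue: the client is registered for
# client_secret_basic only, which is why the body-only request gets a 401.
MOCK_CLIENTS = {
    "my-client": {"secret": "my-secret", "auth_method": "client_secret_basic"},
}


def exchange(method, clients=MOCK_CLIENTS):
    """Run one code-for-token exchange against the constructed client table."""
    headers, body = build_token_request(
        code="gU9qoumrVmlaFzOe3JI6ri6KYXG",   # value taken from the error in the issue
        redirect_uri="http://localhost:4003/session",
        client_id="my-client", client_secret="my-secret", method=method)
    return authenticate_client(headers, body, clients)


if __name__ == "__main__":
    print(exchange("client_secret_post"))    # what fetch_tokens/3 sends today
    print(exchange("client_secret_basic"))   # with the Authorization header
```

The provider announces which methods it takes in the discovery document's `token_endpoint_auth_methods_supported` list, so a library that already reads the discovery document can pick the method from there, or expose it as a per-client option, rather than assuming that every provider accepts credentials in the form body as Auth0 does.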