
[ldap example]Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]

Open leopku opened this issue 3 years ago • 5 comments

Preflight Checklist

  • [X] I agree to follow the Code of Conduct that this project adheres to.
  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • [X] I am not looking for support or already pursued the available support channels without success.

Version

2.32.0

Storage Type

SQLite

Installation Type

Binary

Expected Behavior

Success login via http://localhost:5555/

Actual Behavior

invalid_scope: Client can't request scope(s) ["audience:server:client_id:[email protected]"]

Steps To Reproduce

  1. docker-compose up -d
  2. ./bin/dex serve examples/ldap/config-ldap.yaml
  3. ./example-app
  4. login via http://127.0.0.1:5555/

Additional Information

No response

Configuration

issuer: http://127.0.0.1:5556/dex
storage:
  type: sqlite3
  config:
    file: examples/dex.db
web:
  http: 0.0.0.0:5556

connectors:
- type: ldap
  name: OpenLDAP
  id: ldap
  config:
    # The following configurations seem to work with OpenLDAP:
    #
    # 1) Plain LDAP, without TLS:
    host: localhost:389
    insecureNoSSL: true
    #
    # 2) LDAPS without certificate validation:
    #host: localhost:636
    #insecureNoSSL: false
    #insecureSkipVerify: true
    #
    # 3) LDAPS with certificate validation:
    #host: YOUR-HOSTNAME:636
    #insecureNoSSL: false
    #insecureSkipVerify: false
    #rootCAData: 'CERT'
    # ...where CERT="$( base64 -w 0 your-cert.crt )"

    # This would normally be a read-only user.
    bindDN: cn=admin,dc=example,dc=org
    bindPW: admin

    usernamePrompt: Email Address

    userSearch:
      baseDN: ou=People,dc=example,dc=org
      filter: "(objectClass=person)"
      username: mail
      # "DN" (case sensitive) is a special attribute name. It indicates that
      # this value should be taken from the entity's DN not an attribute on
      # the entity.
      idAttr: DN
      emailAttr: mail
      nameAttr: cn

    groupSearch:
      baseDN: ou=Groups,dc=example,dc=org
      filter: "(objectClass=groupOfNames)"

      userMatchers:
        # A user is a member of a group when their DN matches
        # the value of a "member" attribute on the group entity.
      - userAttr: DN
        groupAttr: member

      # The group name should be the "cn" value.
      nameAttr: cn

staticClients:
- id: example-app
  redirectURIs:
  - 'http://127.0.0.1:5555/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0

Logs

time="2022-06-20T08:14:01Z" level=info msg="config issuer: http://127.0.0.1:5556/dex"
time="2022-06-20T08:14:01Z" level=info msg="config storage: sqlite3"
time="2022-06-20T08:14:01Z" level=info msg="config static client: Example App"
time="2022-06-20T08:14:01Z" level=info msg="config connector: ldap"
time="2022-06-20T08:14:01Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-06-20T08:14:01Z" level=info msg="listening (http) on 0.0.0.0:5556"
time="2022-06-20T08:14:22Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:15:30Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:16:03Z" level=error msg="Failed to parse authorization request: Unrecognized scope(s) [\"ou=Groups,dc=example,dc=org\"]"
time="2022-06-20T08:18:00Z" level=error msg="Failed to parse authorization request: Unrecognized scope(s) [\"groups,email\"]"
time="2022-06-20T08:19:42Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:cli-app\" \"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:19:53Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:20:02Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:21:46Z" level=error msg="Failed to parse authorization request: Unrecognized scope(s) [\"groups,cn\"]"
time="2022-06-20T08:21:55Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:25:02Z" level=error msg="Failed to parse authorization request: Invalid client_id (\"\")."
time="2022-06-20T08:26:18Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:41:30Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:41:38Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"
time="2022-06-20T08:43:49Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:[email protected]\"]"

leopku avatar Jun 20 '22 08:06 leopku
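The two error messages in the log above come from dex's scope validation. As an added illustration (not dex's own code and not from the reporter), the Go sketch below models that check: standard OIDC scopes pass, an `audience:server:client_id:<id>` scope passes only when the target client lists the requester under trustedPeers, and any other token is unrecognized. The client map, the e-mail address and the scope strings are constructed; the staticClients entry mirrors the config above, which has no trustedPeers.

```go
package main

import "fmt"
import "strings"

// Client holds the one staticClients field that matters here: TrustedPeers, the
// client IDs allowed to request tokens with this client as audience (assumption:
// modelled on dex's documented cross-client trust, not copied from its source).
type Client struct {
	TrustedPeers []string
}
// Scopes any client may request: the OIDC standard set plus dex's "groups".
var knownScopes = map[string]bool{"openid": true, "profile": true, "email": true, "groups": true, "offline_access": true}
const peerPrefix = "audience:server:client_id:"

// CheckScopes splits the raw OAuth2 scope parameter on whitespace (RFC 6749), so
// "groups,email" is one unknown token. It returns "" when every scope is allowed,
// otherwise an invalid_scope message in dex's wording: unknown scopes first, then
// cross-client scopes whose target is unknown or does not trust the requester.
func CheckScopes(clients map[string]Client, requester, rawScope string) string {
	var unrecognized, forbidden []string
	for _, s := range strings.Fields(rawScope) {
		switch {
		case knownScopes[s]:
		case strings.HasPrefix(s, peerPrefix):
			peerID := strings.TrimPrefix(s, peerPrefix)
			trusted := peerID == requester // a client may always name itself
			for _, id := range clients[peerID].TrustedPeers {
				trusted = trusted || id == requester
			}
			if !trusted {
				forbidden = append(forbidden, s)
			}
		default:
			unrecognized = append(unrecognized, s)
		}
	}
	switch { // %q on a []string prints the ["a" "b"] form seen in the log
	case len(unrecognized) > 0:
		return fmt.Sprintf("Unrecognized scope(s) %q", unrecognized)
	case len(forbidden) > 0:
		return fmt.Sprintf("Client can't request scope(s) %q", forbidden)
	}
	return ""
}

func main() {
	clients := map[string]Client{"example-app": {}} // constructed: no trustedPeers, as in the config
	fmt.Println(CheckScopes(clients, "example-app", "openid email audience:server:client_id:jane@example.org"))
	fmt.Println(CheckScopes(clients, "example-app", "openid groups,email")) // comma, not space
}
```

The fix on the dex side is configuration, not code: the client named in the audience scope must list the requesting client in its trustedPeers, and extra scopes must be space-separated.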

Hello, @leopku. It seems that the problem is related to the example app and how you send a request to Dex. The provided errors show that the requests are invalid.

  1. Could you please elaborate more on which parameters you specified in the example app form?
  2. We need to see your browser queries to Dex to debug further.

nabokihms avatar Jun 20 '22 20:06 nabokihms

@nabokihms Thanks.

The example app was the original example app of dex with no changes.

leopku avatar Jun 23 '22 10:06 leopku