Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERROR Wrong authentication method used: client_secret_post != client_secret_basic #834

Open
MohammedAdain opened this issue Nov 21, 2022 · 6 comments
Open

ERROR Wrong authentication method used: client_secret_post != client_secret_basic #834

MohammedAdain opened this issue Nov 21, 2022 · 6 comments
Labels
usage-question

Comments

@MohammedAdain
Copy link

MohammedAdain commented Nov 21, 2022
edited
Loading

Hi folks,
I am getting the following error:

2022-11-21 20:21:48,524 oicServer:INFO callback: <bound method Application.authorization of <__main__.Application object at 0x7fa988881550>>
2022-11-21 20:21:48,524 oic.oauth2.provider:DEBUG Request: 'scope=openid&state=xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console&response_type=code&client_id=queZ1CfswSlp&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=wNMLDnKaQ5IJfX-kE9pTpA'
2022-11-21 20:21:48,525 oic.oic:DEBUG Found 2 verify keys
2022-11-21 20:21:48,527 oic.oauth2.provider:DEBUG AuthzRequest: {'scope': 'openid', 'state': 'xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console', 'response_type': 'code', 'client_id': 'queZ1CfswSlp', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'wNMLDnKaQ5IJfX-kE9pTpA'}
2022-11-21 20:21:48,531 oic.oic.provider:INFO authorization_request: {'scope': 'openid', 'state': 'xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console', 'response_type': 'code', 'client_id': 'queZ1CfswSlp', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'wNMLDnKaQ5IJfX-kE9pTpA'}
2022-11-21 20:21:48,533 oic.utils.authn.user:DEBUG kwargs: {'authorization': '<REDACTED>', 'max_age': 0}
2022-11-21 20:21:48,536 oic.oauth2.provider:INFO No active authentication
2022-11-21 20:21:48,536 oic.oic.provider:DEBUG - authenticated -
2022-11-21 20:21:48,536 oic.oic.provider:DEBUG AREQ keys: ['scope', 'state', 'response_type', 'client_id', 'redirect_uri', 'nonce']
2022-11-21 20:21:48,539 oic.utils.sdb:DEBUG uid2sid: {'upper': ['d86e89a34fd25e919fd21ec8af1d3f07e386b370aad8da3d4fc09123', 'b9f87baac70f7a7d7bc7d9674c0d414eede5324c0288687d5dae948e', 'f5c395141aa2f3057a63511bb9eb13bfc1d0f8a5da485f1938cce12f', '9eda0cf2b93531d111efbfb0bfbe591b4ff84b36889903196235aba0', '1a8e025e830aaea39e84076db889c69a7293ac523900aedc1b07a3b8', 'a33ac7efd0369524fdbd4b6a9557729e531b48deb1bcf59c5aa8a16c', '6e875ca8d00c37787e2a4881bcb7ac49f701480b71d6c50744c17a72', 'e2041a8117e6bdaba64fb13e2fec8513a8b0a6cb30e03214d8a0b158', 'e397df0e4f5f90c8ce33f27484e351298f1d8301deaec2b1338aa320', 'd992cc075f800abefd4cab9c02333a11da4069e6855f2572fcfc69c7', 'f309faf447c416c52b628304c93cff182ee3385341f3d4d486da500f', '393837e111802df8d32923bec554521caa54cf61be53dbe5c0a4786c', '7baf18a22e7c3b17e5e86258ce1797cedaba81b2dbda261f4d028c17', 'e48f574fa9ba97cbb968ca31888ed3422427f22645ea177b3a6e7dba'], 'diana': ['801e3f119f0f6967349dc43ef07c008d358f42916dbd5859d82aff7f', 'aaea2096c3222760f06a4aa2afb4805c4b7bd068fe9674cf0d969e5f', '6648150adccba654e8ab27ff24f6e5bee158f827d2f4932dd9d0c8cd']}
2022-11-21 20:21:48,539 oic.oauth2.provider:DEBUG - in authenticated() -
2022-11-21 20:21:48,539 oic.oauth2.provider:DEBUG response type: ['code']
2022-11-21 20:21:48,543 oic.oic.provider:INFO authorization response: {'state': 'xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console', 'scope': 'openid', 'code': '<REDACTED>', 'iss': 'http://adain-dev-aps1.workspaces.corp.win.ia55.net:8041/', 'client_id': 'queZ1CfswSlp'}
2022-11-21 20:21:48,543 oic.oic.provider:DEBUG Redirected to: 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint?state=xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console&scope=openid&code=<REDACTED>&iss=http%3A%2F%2Fadain-dev-aps1.workspaces.corp.win.ia55.net%3A8041%2F&client_id=queZ1CfswSlp' :: <class 'str'>
2022-11-21 20:21:48,928 oicServer:INFO PATH: "token"
2022-11-21 20:21:48,928 oicServer:INFO callback: <bound method Application.token of <__main__.Application object at 0x7fa988881550>>
2022-11-21 20:21:48,928 oic.oic.provider:DEBUG - token -
2022-11-21 20:21:48,928 oic.oic.provider:INFO token_request: code=<REDACTED>&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&client_secret=<REDACTED>&client_id=queZ1CfswSlp
2022-11-21 20:21:48,928 oic.oic.provider:DEBUG AccessTokenRequest: {'grant_type': 'authorization_code', 'code': '<REDACTED>', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'client_secret': '<REDACTED>', 'client_id': 'queZ1CfswSlp'}
2022-11-21 20:21:48,928 oic.utils.authn.client:DEBUG REQ: {'grant_type': 'authorization_code', 'code': '<REDACTED>', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'client_secret': '<REDACTED>', 'client_id': 'queZ1CfswSlp'}
2022-11-21 20:21:48,929 oic.utils.authn.client:DEBUG Verified Client ID: queZ1CfswSlp
2022-11-21 20:21:48,931 oic.utils.authn.client:ERROR Wrong authentication method used: client_secret_post != client_secret_basic
2022-11-21 20:21:48,932 oic.oic.provider:ERROR Failed to verify client due to: Wrong authentication method used
2022-11-21 20:21:48,932 oic.oic.provider:ERROR No client_id, authentication failed

I have configured Keycloak as my RP.
Settings on Keycloak
image
I am using op2 under the examples as my op serverhttps://github.com/OpenIDC/pyoidc/tree/master/oidc_example/op2
Not sure why I am getting this error even though I have specified Client Secret Basic on Keycloak.
Any help here appreciated.
Also if someone can help me with examples where we verify the users based on the contents of the users is appreciated too.

Thanks
@tpazderka
Copy link
Collaborator

I am not sure how you have created the client in your OP, but it looks like you are using a default configuration for authentication method (client_secret_post).

So you have to either reconfigure Keycloak to use the correct method, or change the config of the client on the OP and switch the method to client_secret_basic.

@MohammedAdain
Copy link
Author

change the config of the client on the OP and switch the method to client_secret_basic.
I tried this too, but surprisingly I end up with the exact same error

2022-11-21 22:41:29,709 oic.utils.authn.client:ERROR Wrong authentication method used: client_secret_post != client_secret_basic
2022-11-21 22:41:29,709 oic.oic.provider:ERROR Failed to verify client due to: Wrong authentication method used
2022-11-21 22:41:29,709 oic.oic.provider:ERROR No client_id, authentication failed

On further debugging, I noticed the flow ends up in the block https://github.com/OpenIDC/pyoidc/blob/master/src/oic/utils/authn/client.py#L517 which is due to authn being set as None

@tpazderka
Copy link
Collaborator

Eh, sorry. Got the order of the reported methods mixed up... This is about token endpoint and Keycloak is using client_secret_post but the OP is expecting client_secret_basic since nothing is configured.

Set token_endpoint_auth_method to client_secret_post for your client.

@MohammedAdain
Copy link
Author

Thanks @tpazderka but I don't see an option to set token_endpoint_auth_method 

python ../../src/oic/utils/client_management.py -c client_db
Enter redirect_uris one at the time, end with a blank line: 
?: https://keycloak-dev.ia55.net/realms/master/broker/pyoidc/endpoint
?: 
Enter policy_uri or just return: 
Enter logo_uri or just return: 
{'client_secret': '47f22a7d8263182dec8dc0d6e8b0030cbfc006de9a0dbd47170ea591', 'client_id': 'FlMLfaucyBKE', 'client_salt': 'VGNK8YFW', 'redirect_uris': [['https://keycloak-dev.ia55.net/realms/master/broker/pyoidc/endpoint', None]]}

Am I missing something here?

@tpazderka
Copy link
Collaborator

Yes, the shelve client script does not allow manipulation of all the attributes. So you would have to do that manually manually.

Dump the file to json via -D and edit the resulting JSON file to add the token_endpoint_auth_method and load it back via -I.

@MohammedAdain
Copy link
Author

Thanks for the inputs here, I made the change but ran into another issue after that,
after I punch in the creds(Username, Password), the OP doesn't redirect to the redirect URL instead it redirects back to /authorization endpoint.
Some logs here

/home/adain/projects/pyoidc/env/lib64/python3.7/site-packages/oic/oauth2/provider.py:229: UserWarning: ClientDatabase should be an instance of oic.utils.clientdb.BaseClientDatabase to ensure proper API.
  "ClientDatabase should be an instance of "
OC server started (iss=http://adain-dev-aps1.workspaces.corp.win.ia55.net:8041/, port=8041) 
query=scope%3Dopenid%26state%3DuC3Ti1uGKhRpoFsr_IspYog4iTjh-nRDIlRCAXLQ9ds.FP-UFhNbWiA.account-console%26response_type%3Dcode%26client_id%3DMjvXaeRpvHXj%26redirect_uri%3Dhttps%253A%252F%252Fkeycloak-dev.ia55.net%252Frealms%252Fmaster%252Fbroker%252Foidc%252Fendpoint%26nonce%3Dg5tmrTzcijE1dDuisxBSbw&acr_values=&login=upper&password=crust&form.commit=Submit

server logs

2022-11-23 13:09:39,715 oicServer:INFO PATH: "authorization"
2022-11-23 13:09:39,716 oicServer:INFO callback: <bound method Application.authorization of <__main__.Application object at 0x7f9a5f41bc90>>
2022-11-23 13:09:39,716 oic.oauth2.provider:DEBUG Request: 'scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw'
2022-11-23 13:09:39,716 oic.oic:DEBUG Found 3 verify keys
2022-11-23 13:09:39,717 oic.oauth2.provider:DEBUG AuthzRequest: {'scope': 'openid', 'state': 'Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console', 'response_type': 'code', 'client_id': 'MjvXaeRpvHXj', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'H9fDerNh7fpkyEkfJdE2Tw'}
2022-11-23 13:09:39,719 oic.oic.provider:INFO authorization_request: {'scope': 'openid', 'state': 'Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console', 'response_type': 'code', 'client_id': 'MjvXaeRpvHXj', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'H9fDerNh7fpkyEkfJdE2Tw'}
2022-11-23 13:09:39,720 oic.oauth2.provider:INFO No active authentication
2022-11-23 13:09:39,720 oic.utils.authn.user:INFO do_authentication argv: {'password': '<REDACTED>', 'action': 'http://adain-dev-aps1.workspaces.corp.win.ia55.net:8041/verify', 'login': '', 'acr': '', 'policy_uri': '', 'logo_uri': '', 'tos_uri': '', 'query': 'scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw', 'title': 'User log in', 'login_title': 'Username', 'passwd_title': 'Password', 'submit_text': 'Submit', 'client_policy_title': 'Client Policy'}
2022-11-23 13:09:39,758 oicServer:INFO PATH: "css/main.css"
2022-11-23 13:09:39,758 oicServer:INFO callback: <bound method Application.css of <__main__.Application object at 0x7f9a5f41bc90>>
2022-11-23 13:09:56,461 oicServer:INFO PATH: "verify"
2022-11-23 13:09:56,461 oicServer:INFO callback: <function make_auth_verify.<locals>.auth_verify at 0x7f9a5fcae050>
2022-11-23 13:09:56,461 oic.utils.authn.user:DEBUG verify(query=scope%3Dopenid%26state%3DZm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console%26response_type%3Dcode%26client_id%3DMjvXaeRpvHXj%26redirect_uri%3Dhttps%253A%252F%252Fkeycloak-dev.ia55.net%252Frealms%252Fmaster%252Fbroker%252Foidc%252Fendpoint%26nonce%3DH9fDerNh7fpkyEkfJdE2Tw&acr_values=&login=upper&password=<REDACTED>&form.commit=Submit)
2022-11-23 13:09:56,462 oic.utils.authn.user:DEBUG dict: {'query': 'scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw', 'login': 'upper', 'password': '<REDACTED>', 'form.commit': 'Submit'}
2022-11-23 13:09:56,462 oic.utils.authn.user:DEBUG Password verification succeeded.
2022-11-23 13:09:56,464 oic.utils.authn.user:DEBUG kwargs: {'upm_answer': 'true', 'scope': ['openid'], 'state': ['Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console'], 'response_type': ['code'], 'client_id': ['MjvXaeRpvHXj'], 'redirect_uri': ['https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint'], 'nonce': ['H9fDerNh7fpkyEkfJdE2Tw']}
2022-11-23 13:09:56,481 oicServer:INFO PATH: "authorization"
2022-11-23 13:09:56,481 oicServer:INFO callback: <bound method Application.authorization of <__main__.Application object at 0x7f9a5f41bc90>>
2022-11-23 13:09:56,482 oic.oauth2.provider:DEBUG Request: 'upm_answer=true&scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw'
2022-11-23 13:09:56,482 oic.oic:DEBUG Found 3 verify keys
2022-11-23 13:09:56,484 oic.oauth2.provider:DEBUG AuthzRequest: {'upm_answer': 'true', 'scope': 'openid', 'state': 'Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console', 'response_type': 'code', 'client_id': 'MjvXaeRpvHXj', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'H9fDerNh7fpkyEkfJdE2Tw'}
2022-11-23 13:09:56,485 oic.oic.provider:INFO authorization_request: {'upm_answer': 'true', 'scope': 'openid', 'state': 'Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console', 'response_type': 'code', 'client_id': 'MjvXaeRpvHXj', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'H9fDerNh7fpkyEkfJdE2Tw'}
2022-11-23 13:09:56,487 oic.oauth2.provider:INFO No active authentication
2022-11-23 13:09:56,488 oic.utils.authn.user:INFO do_authentication argv: {'password': '<REDACTED>', 'action': 'http://adain-dev-aps1.workspaces.corp.win.ia55.net:8041/verify', 'login': '', 'acr': '', 'policy_uri': '', 'logo_uri': '', 'tos_uri': '', 'query': 'upm_answer=true&scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw', 'title': 'User log in', 'login_title': 'Username', 'passwd_title': 'Password', 'submit_text': 'Submit', 'client_policy_title': 'Client Policy'}
2022-11-23 13:09:56,517 oicServer:INFO PATH: "css/main.css"
2022-11-23 13:09:56,517 oicServer:INFO callback: <bound method Application.css of <__main__.Application object at 0x7f9a5f41bc90>>

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
usage-question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tpazderka @MohammedAdain