Comments (8)
Here is the relevant line from the error log
2021/12/08 16:29:25 [error] 21314#21314: *2 js: OIDC error from IdP when sending authorization code: invalid_client, Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.
Check your client authentication settings.
from nginx-openid-connect.
Hi @lcrilly,
Thanks for the response.
Yes, but from the request above, it is sending the wrong Client ID and Secret (the default Client ID and Secret weren't sanitized in my logs; only the hostnames and the actual Client ID/Secret were) to my IdP:
2021/12/08 16:29:25 [debug] 21314#21314: *2 http proxy header:
"POST /oxauth/restv1/token HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Host: sso.company.com
Connection: close
Content-Length: 175
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Encoding: gzip, deflate, br
Accept-Language: en-SG,en;q=0.9
Cookie: auth_redir=/htvar/ugly.jsp; auth_nonce=85e6aa6169ae466048c5672482f4d03d
grant_type=authorization_code&client_id=my-client-id&code=b8bbd874-6eab-4282-b755-8501025ba68e&client_secret=my-client-secret&redirect_uri=https://rp.company.com:443/_codexch"
This seems to be from the default mappings
...
map $uri $oidc_client {
    ~^/htvar/(.*)$ client-id-aaa;
    default        "my-client-id";
}
...
map $uri $oidc_client_secret {
    ~^/htvar/(.*)$ "client-secret-aaa";
    default        "my-client-secret";
}
...
The logs on my IdP side are also showing the invalid client ID:
2021-12-08 16:29:25,964 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.service.ClientService] (ClientService.java:136) - Found 0 entries for client id = my-client-id
2021-12-08 16:29:25,964 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:109) - Starting token endpoint authentication
2021-12-08 16:29:25,965 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:125) - Starting POST Auth token endpoint authentication
2021-12-08 16:29:25,965 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.auth.AuthenticationFilter] (AuthenticationFilter.java:331) - requireAuth: 'true'
2021-12-08 16:29:25,967 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.service.ClientService] (ClientService.java:136) - Found 0 entries for client id = my-client-id
2021-12-08 16:29:25,968 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:68) - Looking for the error with id: invalid_client
2021-12-08 16:29:25,968 DEBUG [qtp1590550415-6994] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:73) - Found error, id: invalid_client
from nginx-openid-connect.
Hi @wongkeewee, thanks for reporting that issue in such detail! That definitely helped us investigate the issue.
As the variable value assigned by a map will be assigned once the variable is used in the Nginx configuration (different from the set directive), the oidc_client variable will be set correctly to your desired value client-id-aaa as the uri of your initial request is /htvar/ugly.jsp. BUT as soon as our OIDC implementation hits the _token location, due to an internal subrequest, the uri changes and the value will be reassigned to the default one. This can be tracked down in the logs as well:
Before the subrequest:
2021/12/08 16:29:25 [debug] 21314#21314: *2 http process request line
2021/12/08 16:29:25 [debug] 21314#21314: *2 http request line: "GET /htvar/ugly.jsp HTTP/1.1"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http uri: "/htvar/ugly.jsp"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http args: ""
2021/12/08 16:29:25 [debug] 21314#21314: *2 http exten: "jsp"
....
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *2 http script var: "/htvar/ugly.jsp"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map: "/htvar/ugly.jsp" "client-id-aaa"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
After the subrequest to _token
2021/12/08 16:29:25 [debug] 21314#21314: *2 test location: "_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 using configuration "=/_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http cl:-1 max:1048576
2021/12/08 16:29:25 [debug] 21314#21314: *2 rewrite phase: 3
2021/12/08 16:29:25 [debug] 21314#21314: *2 post rewrite phase: 4
....
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *2 http script var: "/_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map: "/_token" "my-client-id"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
As you can see, the value of your client-id had been changed as the value of uri had been changed as well.
I have created a small fix for this problem but need to test it or kindly ask you to give it a try. The solution is, we have to make sure the uri is kind of fixed to the value before the internal subrequest.
# js_var can hold variable values even over the boundaries of sub requests.
# Persist the value of `uri` to make it available to the map in the subrequest.
js_var $ruri $uri;

map $ruri $oidc_client {
    /test   "oidc-test-realm";
    /aaa    "oidc-aaa-realm";
    default "oidc-default";
}

server {
    listen 9001;

    location / {
        js_content oidc.test;
    }

    # Internal location reached via subrequest; echoes the map result so the
    # lookup can be checked with curl.
    location /_token {
        internal;
        return 200 $oidc_client;
    }
}
As you can see, I have just introduced another variable ruri set by js_var. Use the newly created variable ruri in the map. My test proved it will then use the original URI to look up the map.
$ curl 127.1:9001/test
oidc-test-realm
Let me know if this works for you.
Cheers Timo
from nginx-openid-connect.
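To make the diagnosis in the reply above repeatable on a full debug log, here is a small log audit in JavaScript. It is an added example, not code from the nginx-openid-connect project or from either participant in this thread. The log lines embedded in it are constructed to match the shape of the lines quoted here, and the set of internal OIDC locations it checks (/_token and /_codexch) is taken from the locations named in this thread, so extend it for your own server_conf. For every connection it records each `http map: "<input>" "<output>"` evaluation and reports connections where a credential-selecting map was evaluated with an internal location as its input, or where the map input changed within the connection; the second case is exactly the client-id drift shown in the "before"/"after" log excerpts above.

```javascript
// Added example, not part of nginx-openid-connect: audit an nginx debug log for
// map evaluations whose input drifted to an internal OIDC location.

// Internal locations named in the thread; extend for your own openid_connect.server_conf.
const INTERNAL_OIDC_LOCATIONS = new Set(['/_token', '/_codexch']);

// `*N` is the connection number nginx prints on every debug line.
const REQ_RE = /\*(\d+) http request line: "[A-Z]+ (\S+) /;
const MAP_RE = /\*(\d+) http map: "([^"]*)" "([^"]*)"/;

// Constructed sample shaped like the lines quoted in the thread: connection *2 is the
// initial page request, whose token subrequest re-evaluates the map on /_token;
// connection *3 is the IdP callback to /_codexch, whose own $uri never was the page.
const SAMPLE_LOG = `
2021/12/08 16:29:25 [debug] 21314#21314: *2 http request line: "GET /htvar/ugly.jsp HTTP/1.1"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http uri: "/htvar/ugly.jsp"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *2 http script var: "/htvar/ugly.jsp"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map: "/htvar/ugly.jsp" "client-id-aaa"
2021/12/08 16:29:25 [debug] 21314#21314: *2 test location: "_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 using configuration "=/_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *2 http script var: "/_token"
2021/12/08 16:29:25 [debug] 21314#21314: *2 http map: "/_token" "my-client-id"
2021/12/08 16:29:25 [debug] 21314#21314: *3 http request line: "GET /_codexch?code=abc&state=xyz HTTP/1.1"
2021/12/08 16:29:25 [debug] 21314#21314: *3 http map started
2021/12/08 16:29:25 [debug] 21314#21314: *3 http script var: "/_codexch"
2021/12/08 16:29:25 [debug] 21314#21314: *3 http map: "/_codexch" "my-client-secret"
`;

// Group the request line and every map evaluation by connection number.
function parseMapEvaluations(logText) {
  const byConn = new Map();
  const entryFor = (conn) => {
    if (!byConn.has(conn)) byConn.set(conn, { requestUri: null, evaluations: [] });
    return byConn.get(conn);
  };
  for (const line of logText.split('\n')) {
    let m = REQ_RE.exec(line);
    if (m) {
      // Strip the query string, as $uri does.
      entryFor(m[1]).requestUri = m[2].split('?')[0];
      continue;
    }
    m = MAP_RE.exec(line);
    if (m) entryFor(m[1]).evaluations.push({ input: m[2], output: m[3] });
  }
  return byConn;
}

// One finding per connection where a map was evaluated on an internal location, or
// where the map input changed mid-connection (the client-id drift shown in the thread).
function auditMapEvaluations(logText, internalLocations = INTERNAL_OIDC_LOCATIONS) {
  const findings = [];
  for (const [conn, { requestUri, evaluations }] of parseMapEvaluations(logText)) {
    const inputs = [...new Set(evaluations.map((e) => e.input))];
    const onInternal = evaluations.filter((e) => internalLocations.has(e.input));
    if (inputs.length > 1 || onInternal.length > 0) {
      findings.push({
        conn,
        requestUri,
        inputs,
        internalOutputs: onInternal.map((e) => e.output),
      });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditMapEvaluations(SAMPLE_LOG)) {
    console.log(
      `connection *${f.conn} (request ${f.requestUri}): map inputs ${f.inputs.join(' -> ')}; ` +
        `values chosen on internal locations: ${f.internalOutputs.join(', ')}`,
    );
  }
}
```

Run it against a real debug log by replacing SAMPLE_LOG with the file contents. Note what connection *3 in the sample models: on the callback request the map input is /_codexch from the start, because the originally requested path only travels in the auth_redir cookie (visible in the proxy header dump earlier in this thread), so a URI-keyed map has nothing but the default entry to pick there regardless of subrequest behaviour.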
Hi @tippexs,
Thanks for the response!
Finally got a chance to test this out after the meltdown of the past couple of days.
I've configured the js_var and $ruri in the openid_connect_configuration.conf file:
# js_var can hold variable values even over the boundaries of sub requests.
# Persist the value of `uri` to make it available to the map in the subrequest.
js_var $ruri $uri;
...
map $ruri $oidc_client {
    ~^/htvar/(.*)$ "client-id-aaa";
    default        "my-client-id";
}
map $ruri $oidc_client_secret {
    ~^/htvar/(.*)$ "client-secret-aaa";
    default        "my-client-secret";
}
map $ruri $oidc_scopes {
    ~^/htvar/(.*)$ "openid+profile+email+user_name+user_role+user_type";
    default        "openid+profile+email+offline_access";
}
However, the _codexch location is still throwing the same error and the IdP is still seeing my-client-id.
Did I apply the configuration in the correct place, i.e. openid_connect_configuration.conf? Or is the $ruri variable overwritten every time there is a new request, and should I put the js_var $ruri $uri; line somewhere else?
from nginx-openid-connect.
Hi @tippexs,
I have configured the $ruri variable in our conf file, but $ruri is still picking up the current URI and not mapping to the correct configuration.
Is there a specific location I need to place the js_var $ruri $uri; configuration in?
from nginx-openid-connect.
The js_var $ruri $uri; can be set anywhere in the http context of your configuration. Can you please share the debug log one more time? If possible, upload it to a GIST and share the link here, as debug logs can become quite large. Thanks
from nginx-openid-connect.
Hi @tippexs,
I have configured openid_connect_configuration.conf as follows:
# OpenID Connect configuration
#
# Each map block allows multiple values so that multiple IdPs can be supported,
# the $host variable is used as the default input parameter but can be changed.
#
# js_var can hold variable values even over the boundaries of sub requests.
# Persist the value of `uri` to make it available to the map in the subrequest.
js_var $ruri $uri;

# Note: the default authorize and jwks entries below use plain http://, while the
# per-host entries use https://.
map $host $oidc_authz_endpoint {
    rp.minkhang.com https://gluu-ppl.azlabs.sg/oxauth/restv1/authorize;
    default         "http://gluu-ppl.azlabs.sg/oxauth/restv1/authorize";
    #www.example.com "https://my-idp/oauth2/v1/authorize";
}

map $host $oidc_token_endpoint {
    rp.minkhang.com https://gluu-ppl.azlabs.sg/oxauth/restv1/token;
    default         "https://gluu-ppl.azlabs.sg/oxauth/restv1/token";
}

map $host $oidc_jwt_keyfile {
    rp.minkhang.com https://gluu-ppl.azlabs.sg/oxauth/restv1/jwks;
    default         "http://gluu-ppl.azlabs.sg/oxauth/restv1/jwks";
}

#map $host $oidc_client {
map $ruri $oidc_client {
    ~^/htvar/(.*)$ "client-id-aaa";
    #rp.minkhang.com "client-id-aaa";
    default        "my-client-id";
}

map $host $oidc_pkce_enable {
    default 0;
}

#map $host $oidc_client_secret {
map $ruri $oidc_client_secret {
    ~^/htvar/(.*)$ "client-secret-aaa";
    #rp.minkhang.com "client-secret-aaa";
    default        "my-client-secret";
}

#map $host $oidc_scopes {
map $ruri $oidc_scopes {
    ~^/htvar/(.*)$ "openid+profile+email+user_name+user_role+user_type";
    #rp.minkhang.com "openid+profile+email+user_name+user_role+user_type";
    default        "openid+profile+email+offline_access";
}

map $host $oidc_logout_redirect {
    # Where to send browser after requesting /logout location. This can be
    # replaced with a custom logout page, or complete URL.
    rp.minkhang.com "https://gluu-ppl.azlabs.sg/oxauth/restv1/end_session?post_logout_redirect_uri=https%3A%2F%2Frp.minkhang.com%2Fhtvar%2F";
    default         "/_logout"; # Built-in, simple logout page
}

map $host $oidc_hmac_key {
    rp.minkhang.com sV5IAum4OrMNpOs2rK4EfMLF;
    # This should be unique for every NGINX instance/cluster
    default "ChangeMe";
}

map $proto $oidc_cookie_flags {
    http  "Path=/; SameSite=lax;"; # For HTTP/plaintext testing
    https "Path=/; SameSite=lax; HttpOnly; Secure;"; # Production recommendation
}

map $http_x_forwarded_port $redirect_base {
    ""      $proto://$host:$server_port;
    default $proto://$host:$http_x_forwarded_port;
}

map $http_x_forwarded_proto $proto {
    ""      $scheme;
    default $http_x_forwarded_proto;
}

# ADVANCED CONFIGURATION BELOW THIS LINE
# Additional advanced configuration (server context) in openid_connect.server_conf

# JWK Set will be fetched from $oidc_jwks_uri and cached here - ensure writable by nginx user
proxy_cache_path /var/cache/nginx/jwk levels=1 keys_zone=jwk:64k max_size=1m;

# Change timeout values to at least the validity period of each token type
keyval_zone zone=oidc_id_tokens:1M state=conf.d/oidc_id_tokens.json timeout=1h;
keyval_zone zone=refresh_tokens:1M state=conf.d/refresh_tokens.json timeout=8h;
keyval_zone zone=oidc_pkce:128K timeout=90s; # Temporary storage for PKCE code verifier.

keyval $cookie_auth_token $session_jwt zone=oidc_id_tokens;   # Exchange cookie for JWT
keyval $cookie_auth_token $refresh_token zone=refresh_tokens; # Exchange cookie for refresh token
keyval $request_id $new_session zone=oidc_id_tokens;          # For initial session creation
keyval $request_id $new_refresh zone=refresh_tokens;          # ''
keyval $pkce_id $pkce_code_verifier zone=oidc_pkce;

auth_jwt_claim_set $jwt_audience aud; # In case aud is an array
js_import oidc from conf.d/openid_connect.js;

# vim: syntax=nginx
The debug logs are shared here https://drive.google.com/file/d/18g1K44cQeiAO50E4pOFsxBNl5v4rts7T/view?usp=sharing
It looks like the URI is not persisted across the OIDC call:
2022/02/03 14:55:59 [debug] 19699#19699: *12 http map started
2022/02/03 14:55:59 [debug] 19699#19699: *12 http script var: "/_codexch"
2022/02/03 14:55:59 [debug] 19699#19699: *12 http script var: "/_codexch"
2022/02/03 14:55:59 [debug] 19699#19699: *12 http map: "/_codexch" "my-client-secret"
from nginx-openid-connect.
Hi @tippexs,
Are you able to advise based on the logs provided?
from nginx-openid-connect.