
Comments (8)

simpleidserver commented on June 4, 2024

It is normal for the Authorization header not to be used to authenticate the client because, by default, when a machine client is created, the authentication method is set to 'Client Secret Post.'
If you wish to use the Authorization header, the authentication method must be set to 'Client Secret Basic.'


qq1176914912 commented on June 4, 2024

> It is normal for the Authorization header not to be used to authenticate the client because, by default, when a machine client is created, the authentication method is set to 'Client Secret Post.' If you wish to use the Authorization header, the authentication method must be set to 'Client Secret Basic.'

Yes, what you said is right, but I found a problem: when I changed "authentication method" to "Client Secret Basic", I could still request the token without changing the code of your sample m2m. Does this mean that the code using the original "Client Secret Post" mode can still request the token? Is this normal?

simpleidserver commented on June 4, 2024

Indeed, there was a small issue in the OAuthClientSecretBasicAuthenticationHandler; the result was not returned. :(
The issue is now fixed in the master branch.


qq1176914912 commented on June 4, 2024

> Indeed, there was a small issue in the OAuthClientSecretBasicAuthenticationHandler; the result was not returned. :( The issue is now fixed in the master branch.

Thank you for your help; the problem has been solved.

qq1176914912 commented on June 4, 2024

> It is normal for the Authorization header not to be used to authenticate the client because, by default, when a machine client is created, the authentication method is set to 'Client Secret Post.' If you wish to use the Authorization header, the authentication method must be set to 'Client Secret Basic.'

> Yes, what you said is right, but I found a problem: when I changed "authentication method" to "Client Secret Basic", I could still request the token without changing the code of your sample m2m. Does this mean that the code using the original "Client Secret Post" mode can still request the token? Is this normal?

Remember this project we discussed earlier?
https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement
This project has a function to request a refresh token, which is done in Basic mode:
(screenshot)

It worked normally before you fixed the problem I mentioned, but it cannot be used after the fix. I guess that because this issue has been fixed, and the project itself uses "Client secret post" for login, there is an error when using a Basic request to refresh the token. The error is as follows:

    "error": "invalid_client",
    "error_description": "bad client credential"

Can you try it out? If there is a problem, should I change the Basic mode of this project to post, or should your project's processing logic change?

simpleidserver commented on June 4, 2024

Hello,

This exception is thrown because the function RequestRefreshTokenAsync is using a different authentication method than the one configured in the client.
Could you please check if they are different and update the RequestRefreshTokenAsync to use the correct one?


qq1176914912 commented on June 4, 2024

> Hello,
>
> This exception is thrown because the function RequestRefreshTokenAsync is using a different authentication method than the one configured in the client. Could you please check if they are different and update the RequestRefreshTokenAsync to use the correct one?

1. I found that the tokenClient.RequestRefreshTokenAsync method adds a Basic marker to the request header. Because the client's authentication setting is post, you mean that I should add Bearer to the request header rather than Basic. But in the project we discussed earlier (the IdentityServer sample at https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement), authentication on the client and authentication on the refresh-token request do not seem to conflict. So I was wondering whether the authentication method for requesting a refresh token is different from the authentication method set on the client; I looked it up on the web and everyone seemed to be using Basic instead of Bearer.
2. I also tried using Bearer as you said:

    using System.Net.Http.Headers;
    using System.Text;
    using Microsoft.AspNetCore.Authentication;

    var rt = await HttpContext.GetTokenAsync("refresh_token");
    var token = await HttpContext.GetTokenAsync("access_token");
    var tokenClient = _httpClientFactory.CreateClient();
    var tokenRequest = new HttpRequestMessage(HttpMethod.Post, "http://localhost:5001/master/token");
    // client credentials sent in the form body (client_secret_post)
    tokenRequest.Content = new FormUrlEncodedContent(new Dictionary<string, string>
    {
        {"client_id", "BackChannelClient"},
        {"client_secret", "secret"},
        {"grant_type", "refresh_token"},
        {"refresh_token", rt}
    });
    // Bearer header carrying the base64-encoded access token (the attempt described below)
    tokenRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", Convert.ToBase64String(Encoding.UTF8.GetBytes(token)));
    var tokenResponse = await tokenClient.SendAsync(tokenRequest);

I found that the token sent in the header in this way needs to be base64 encoded again (Convert.ToBase64String(Encoding.UTF8.GetBytes(token))) instead of using the token directly; 5001 reports an error if the token is used directly:

System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.


simpleidserver commented on June 4, 2024

The authentication method utilized by the token endpoint is defined by the token_endpoint_auth_method property.
Further information about this property can be found in the official RFC: https://datatracker.ietf.org/doc/html/rfc7591.

It is peculiar that the client_secret is transmitted in the HTTP body by the library.
According to the RFC, this practice is not recommended, as it poses a security risk: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1.

> Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme

It is understandable that your code is not functioning correctly because the authorization header is incorrect. It should resemble something like this:

    const string clientId = "clientid";
    const string clientSecret = "clientsecret";
    // HTTP Basic: base64("client_id:client_secret") in the Authorization header
    string basicCredentials = Convert.ToBase64String(ASCIIEncoding.ASCII.GetBytes(clientId + ":" + clientSecret));
    tokenRequest.Headers.Authorization = new AuthenticationHeaderValue("Basic", basicCredentials);
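The exchange above comes down to two points: a client must present its credentials with the method registered for it (token_endpoint_auth_method), and the token endpoint must reject credentials presented with any other method. The following Python sketch is an added example written for this thread; it is not SimpleIdServer's or the Duende sample's code. It builds a refresh_token request in both the client_secret_basic and client_secret_post forms, and a server-side check that enforces the registered method, so that the two failure modes discussed here (credentials accepted under the wrong method before the fix, and a non-Basic Authorization header after it) both end in the `invalid_client` error the poster saw. The client registry, secrets and refresh tokens are constructed sample values; `BackChannelClient` / `secret` are taken from the snippet posted above.

```python
"""Added example: OAuth 2.0 token-endpoint client authentication,
client_secret_basic vs client_secret_post (RFC 6749 s2.3.1, RFC 7591).
Not SimpleIdServer code; all ids, secrets and tokens are constructed."""
import base64
import hmac
from urllib.parse import quote, unquote

# Constructed registry: client_id -> (client_secret, token_endpoint_auth_method)
REGISTERED_CLIENTS = {
    "BackChannelClient": ("secret", "client_secret_basic"),
    "LegacyPostClient": ("post-secret", "client_secret_post"),
}

INVALID_CLIENT = {"error": "invalid_client",
                  "error_description": "bad client credential"}


def basic_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 s2.3.1: form-urlencode id and secret, join with ':', base64."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def build_refresh_request(client_id, client_secret, refresh_token, method):
    """Client side: (headers, form) for a refresh_token grant using `method`."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        headers["Authorization"] = basic_header(client_id, client_secret)
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return headers, form


def _parse_basic(value: str):
    """(client_id, client_secret) from a Basic header, or None if malformed."""
    scheme, _, payload = value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None  # Bearer or anything else is not client authentication
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # e.g. a raw JWT in the header, as in the thread's FormatException
    if ":" not in decoded:
        return None
    cid, _, secret = decoded.partition(":")
    return unquote(cid), unquote(secret)


def authenticate_client(headers: dict, form: dict):
    """Server side: the authenticated client_id, or an invalid_client error."""
    auth = headers.get("Authorization")
    body_creds = "client_id" in form and "client_secret" in form
    if auth is not None and body_creds:
        return INVALID_CLIENT  # RFC 6749: MUST NOT use more than one method
    if auth is not None:
        presented, used_method = _parse_basic(auth), "client_secret_basic"
        if presented is None:
            return INVALID_CLIENT
    elif body_creds:
        presented = (form["client_id"], form["client_secret"])
        used_method = "client_secret_post"
    else:
        return INVALID_CLIENT
    client_id, secret = presented
    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None:
        return INVALID_CLIENT
    expected_secret, expected_method = registered
    # Enforce the registered method: silently accepting either one is the
    # behaviour the thread reports as the bug in the Basic handler.
    if used_method != expected_method:
        return INVALID_CLIENT
    if not hmac.compare_digest(secret.encode(), expected_secret.encode()):
        return INVALID_CLIENT
    return client_id


if __name__ == "__main__":
    h, f = build_refresh_request("BackChannelClient", "secret", "rt-1", "client_secret_basic")
    print(authenticate_client(h, f))  # BackChannelClient
    h, f = build_refresh_request("BackChannelClient", "secret", "rt-1", "client_secret_post")
    print(authenticate_client(h, f))  # invalid_client: wrong method for this client
```

The constant-time comparison and the "exactly one method" rule are deliberate: the registered method decides what the endpoint will look at, and a request that presents credentials any other way gets the same `invalid_client` answer as a wrong secret, which is what the poster's Basic refresh call ran into once the client had been registered for post.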
