Comments (8)
It is normal for the Authorization header not to be used to authenticate the client because, by default, when a machine client is created, the authentication method is set to 'Client Secret Post.'
If you wish to use the Authorization header, the authentication method must be set to 'Client Secret Basic.'
from simpleidserver.
Yes, what you said is right, but I found a problem: when I changed "authentication method" to "Client Secret Basic", I could still request the token without changing the code of your sample m2m. Does this mean that the code using the original "Client Secret Post" mode can still request the token? Is this normal?
Indeed, there was a small issue in the OAuthClientSecretBasicAuthenticationHandler; the result was not returned. :(
The issue is now fixed in the master branch.
Thank you for your help, the problem has been solved.
Remember this project we discussed earlier?
https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement
This project has a function to request a refresh token, which is done in basic mode:
It worked before you fixed the problem I mentioned, but it no longer works after the fix. I guess that because this issue has been fixed, and the project itself uses "Client secret post" for login, there is an error when a basic request is used to refresh the token. The error is as follows:
"error": "invalid_client",
"error_description": "bad client credential"
Can you try it out? If there is a problem, should I change the basic mode of this project to post, or should your project's processing logic change?
Hello,
This exception is thrown because the function RequestRefreshTokenAsync is using a different authentication method than the one configured in the client.
Could you please check if they are different and update the RequestRefreshTokenAsync to use the correct one?
1. I found that calling the tokenClient.RequestRefreshTokenAsync method adds a Basic authorization header to the request. Because the client's authentication setting is post, do you mean I should put Bearer rather than Basic in the request header? But in the project we discussed earlier, the ids in "https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/SessionManagement", the authentication on the client and the authentication on the refresh token request do not seem to conflict. So I was wondering whether the authentication method for requesting a refresh token is different from the authentication method set on the client; I looked it up on the web, and everyone seemed to be using Basic instead of Bearer.
2. I also tried using Bearer as you said:
using System.Net.Http.Headers;
using System.Text;

// Read the refresh token and access token stored for the current session.
var rt = await HttpContext.GetTokenAsync("refresh_token");
var token = await HttpContext.GetTokenAsync("access_token");
var tokenClient = _httpClientFactory.CreateClient();
var tokenRequest = new HttpRequestMessage(HttpMethod.Post, "http://localhost:5001/master/token");
// Client credentials are sent in the body (client_secret_post style).
tokenRequest.Content = new FormUrlEncodedContent(new Dictionary<string, string>
{
    {"client_id", "BackChannelClient"},
    {"client_secret", "secret"},
    {"grant_type", "refresh_token"},
    {"refresh_token", rt}
});
// The access token, base64-encoded, is also placed in a Bearer header.
tokenRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", Convert.ToBase64String(Encoding.UTF8.GetBytes(token)));
var tokenResponse = await tokenClient.SendAsync(tokenRequest);
I found that the token placed in the header this way needs to be base64 encoded again (Convert.ToBase64String(Encoding.UTF8.GetBytes(token))) instead of using the token directly; 5001 reports an error if the token is used directly:
System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
The authentication method utilized by the token endpoint is defined by the token_endpoint_auth_method property. Further information about this property can be found in the official RFC: https://datatracker.ietf.org/doc/html/rfc7591.
It is peculiar that the client_secret is transmitted in the HTTP body by the library.
According to the RFC, this practice is not recommended, as it poses a security risk: https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1.
Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme
It is understandable that your code is not functioning correctly because the authorization header is incorrect. It should resemble something like this:
using System.Net.Http.Headers;
using System.Text;

const string clientId = "clientid";
const string clientSecret = "clientsecret";
// HTTP Basic: base64 of "clientId:clientSecret".
string basicCredentials = Convert.ToBase64String(Encoding.ASCII.GetBytes(clientId + ":" + clientSecret));
tokenRequest.Headers.Authorization = new AuthenticationHeaderValue("Basic", basicCredentials);
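As an added example (not SimpleIdServer's or the Duende sample's code), this shows a client choosing where the credentials go based on token_endpoint_auth_method, and a server-side parser that rejects a malformed Basic header (for instance a raw JWT, which is not base64) instead of letting System.FormatException surface; the endpoint, client id and secret are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

public static class ClientAuth
{
    // Client side: place the client credentials where the configured method says.
    public static HttpRequestMessage BuildRefreshRequest(
        string tokenEndpoint, string authMethod, string clientId,
        string clientSecret, string refreshToken)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
        };
        var request = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint);
        if (authMethod == "client_secret_basic")
        {
            // RFC 6749 2.3.1: percent-encode id and secret, join with ':', then base64.
            var raw = Uri.EscapeDataString(clientId) + ":" + Uri.EscapeDataString(clientSecret);
            request.Headers.Authorization = new AuthenticationHeaderValue(
                "Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(raw)));
        }
        else if (authMethod == "client_secret_post")
        {
            form["client_id"] = clientId;          // NOT RECOMMENDED by the RFC,
            form["client_secret"] = clientSecret;  // only for clients that cannot use Basic
        }
        else throw new ArgumentException($"unsupported token_endpoint_auth_method '{authMethod}'");
        request.Content = new FormUrlEncodedContent(form);
        return request;
    }
    // Server side: parse "Basic <b64>" defensively. Returns false (never throws) for a
    // missing scheme, a non-base64 payload, or a payload without the ':' separator.
    public static bool TryParseBasic(string header, out string clientId, out string secret)
    {
        clientId = secret = string.Empty;
        if (header is null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        var buffer = new byte[header.Length]; // decoded size is always <= encoded size
        if (!Convert.TryFromBase64String(header.Substring(6).Trim(), buffer, out int written)) return false;
        var decoded = Encoding.UTF8.GetString(buffer, 0, written);
        int sep = decoded.IndexOf(':');
        if (sep < 0) return false;
        clientId = Uri.UnescapeDataString(decoded.Substring(0, sep));
        secret = Uri.UnescapeDataString(decoded.Substring(sep + 1));
        return true;
    }
}
```

Feeding a raw access token such as "Bearer eyJ..." into TryParseBasic returns false at the scheme check, and "Basic eyJ.x.y" returns false at the base64 check, which is the failure the FormatException above reports when Convert.FromBase64String is used instead.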