Delegated authentication: Generic OAuth2 invalid_client through CAS but not curl


Simon O'Toole

Apr 14, 2021, 5:38:16 AM
to CAS Community
Hi,

I am trying to set up a delegated authn to a generic OAuth2 server and am running into problems.

When I access the external server through curl (with the cas.properties below), I can authenticate, get an access token and then the user profile with no problem.

When I try through CAS 5.3.14, I get this error:
Caused by: com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: {"error": "invalid_client"}
    at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.generateError(OAuth2AccessTokenJsonExtractor.java:75) ~[scribejava-core-5.6.0.jar!/:?]
    at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:46) ~[scribejava-core-5.6.0.jar!/:?]
    at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:16) ~[scribejava-core-5.6.0.jar!/:?]
    at com.github.scribejava.core.oauth.OAuth20Service.sendAccessTokenRequestSync(OAuth20Service.java:44) ~[scribejava-core-5.6.0.jar!/:?]
    at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:80) ~[scribejava-core-5.6.0.jar!/:?]
    at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:73) ~[scribejava-core-5.6.0.jar!/:?]
    at org.pac4j.oauth.credentials.authenticator.OAuth20Authenticator.retrieveAccessToken(OAuth20Authenticator.java:34) ~[pac4j-oauth-3.6.1.jar!/:?]
    at org.pac4j.oauth.credentials.authenticator.OAuthAuthenticator.validate(OAuthAuthenticator.java:38) ~[pac4j-oauth-3.6.1.jar!/:?]
    ... 105 more

This leads to a bunch of other exceptions. Does anyone have any idea why this would be? Why can I get an access token with this curl command:
curl --location --request POST 'https://auth.mwatelescope.org/oauth/token' \
--form 'code="<VALID_CODE>"' \
--form 'grant_type="authorization_code"' \
--form 'redirect_uri="https://dev.datacentral.org.au/cas/login?client_name=<CLIENT_NAME>"' \
--form 'scope="profile"' \
--form 'client_id="<CLIENT_ID>"' \
--form 'client_secret="<CLIENT_SECRET>"'
but not with CAS?

Here is the relevant part of my cas.properties:
# OAuth2.0 client delegation for MWA ASVO
cas.authn.pac4j.oauth2[0].authUrl=https://auth.mwatelescope.org/oauth/authorize
cas.authn.pac4j.oauth2[0].tokenUrl=https://auth.mwatelescope.org/oauth/token
cas.authn.pac4j.oauth2[0].profileUrl=https://auth.mwatelescope.org/api/me
cas.authn.pac4j.oauth2[0].profileVerb=GET
cas.authn.pac4j.oauth2[0].id=<CLIENT_ID>
cas.authn.pac4j.oauth2[0].secret=<CLIENT_SECRET>
cas.authn.pac4j.oauth2[0].clientName=<CLIENT_NAME>
cas.authn.pac4j.oauth2[0].customParams.scope=profile

Thanks for any ideas!
Simon
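As an added diagnostic (not code from the post, from CAS or from pac4j), the following builds the same authorization_code token request two ways: with the client credentials as form fields, as in the curl command above, and with them in an HTTP Basic header, the two client authentication methods RFC 6749 section 2.3.1 permits. The token URL and redirect_uri are taken from the post; every other value is a placeholder or constructed test input.

```python
"""Build an OAuth2 token request with either client authentication method
so the server's reply to each can be compared (added example, not CAS code)."""
import base64
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

TOKEN_URL = "https://auth.mwatelescope.org/oauth/token"  # from the post
REDIRECT_URI = "https://dev.datacentral.org.au/cas/login?client_name=<CLIENT_NAME>"


def build_token_request(code, client_id, client_secret, client_auth="body"):
    """Return (headers, body) for the token endpoint.

    client_auth="body":  client_id/client_secret as form fields, like the
                         curl command, but form-urlencoded as RFC 6749
                         requires (curl --form sends multipart/form-data).
    client_auth="basic": credentials in an Authorization: Basic header;
                         RFC 6749 form-urlencodes each before base64.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "body":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    elif client_auth == "basic":
        pair = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        raise ValueError("client_auth must be 'body' or 'basic'")
    return headers, urlencode(params)


def send_token_request(code, client_id, client_secret, client_auth="body"):
    """POST the request and return (status, body). A 4xx is returned rather
    than raised so an {"error": "invalid_client"} body can be inspected."""
    headers, body = build_token_request(code, client_id, client_secret, client_auth)
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), headers=headers,
                                 method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
```

Sending each variant with a fresh code and comparing the two replies (and the reply to curl's multipart body) shows which client authentication the token endpoint actually accepts.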