OIDC error unknown client


Pierre Lemay

Apr 5, 2024, 5:17:16 PM
to Discuss
Hi,

I am configuring my first GCS Endpoint with OIDC, both with their own domain. Everything seems fine, but I cannot log in with my IdP. I always get an « unauthorized_client, unknown client » error.

I used « globus-connect-server oidc create » to create my IdP, with no error. It works: https://auth.dtn.dev.valeria.science/.well-known/openid-configuration

But « globus-connect-server oidc show » shows a client id in the clients section, instead of an empty object as shown in the documentation, and the login URL request shows a different id. I suspect that is my problem, but I cannot find anything relevant on how to fix it. I read most of the doc already.

Any clue on what I might have done wrong?

Thanks.



Dan Powers

Apr 9, 2024, 5:43:42 PM
to Discuss, pierre...@gmail.com
Hi Pierre,

The error you report generally means that the Globus service has an identity provider registration for your OIDC domain that doesn't match your current OIDC service configuration. One of the most common ways that this can happen is if the 'globus-connect-server oidc create' command is run a second time, after an instance of the Globus OIDC service has already been created for a given domain, using the same domain as was used in a previous Globus OIDC service deployment. You'll generally need to reach out to Globus support to resolve issues such as this. As you already have a ticket open with us regarding this issue, we'll be able to address this further there.

-Dan Powers

Pierre Lemay

Apr 9, 2024, 8:21:32 PM
to Discuss, daniel...@globus.org, Pierre Lemay
Hello,
« ... the 'globus-connect-server oidc create' command is run a second time ... » That is exactly what happened. I re-used an existing Endpoint, to re-use its DNS entries and certificates, and re-create the rest, including the OIDC service.
Thanks for your help.
Pierre