Client credential issue


Dan

Nov 2, 2020, 4:27:39 PM
to Pac4j users mailing list
Spring Security Pac4J 4.0.3

Trying to secure a WS endpoint in a web app with a HeaderClient. I created a Service app on the Okta site and a custom scope, and plugged the client ID and secret into the OidcConfig.

<bean id="UserInfoOidcAuthenticator" class="org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator">
    <property name="configuration" ref="diectClientOidcConfiguration" />
</bean>

I was able to get the access token by posting to the Okta token endpoint with curl, using the bearer code, the client_credentials grant type and the scope info.

A GET to the WS URL in Postman with the Bearer access token results in a 500. The debug log is as follows; I couldn't figure out what is wrong. Is it the pac4j config or the Okta app setup?

2020-11-02 17:24:12 DEBUG org.pac4j.core.engine.DefaultSecurityLogic === SECURITY === 
2020-11-02 17:24:12 DEBUG org.pac4j.core.engine.DefaultSecurityLogic url: http://company.org/appcontext/app/actions/url?empId=38784 
2020-11-02 17:24:12 DEBUG org.pac4j.core.engine.DefaultSecurityLogic matchers: null
2020-11-02 17:24:12 DEBUG org.pac4j.core.engine.DefaultSecurityLogic clients: HeaderClient
2020-11-02 17:24:12 DEBUG org.pac4j.core.client.finder.DefaultSecurityClientFinder Provided clientNames: HeaderClient 
2020-11-02 17:24:12 DEBUG org.pac4j.core.client.finder.DefaultSecurityClientFinder clientNameOnRequest: Optional.empty 
2020-11-02 17:24:12 DEBUG org.pac4j.core.client.finder.DefaultSecurityClientFinder result: [HeaderClient] 
2020-11-02 17:24:12 DEBUG org.pac4j.core.engine.DefaultSecurityLogic currentClients: [#HeaderClient# | name: HeaderClient | headerName: Authorization | prefixHeader: Bearer | extractor: org.pac4j.core.credentials.extractor.HeaderExtractor@30a4f455 | authenticator: org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator@775f64 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4620477d |] 
2020-11-02 17:24:12 DEBUG org.pac4j.core.engine.DefaultSecurityLogic loadProfilesFromSession: false 
2020-11-02 17:24:12 DEBUG org.pac4j.core.engine.DefaultSecurityLogic profiles: [] 
2020-11-02 17:24:12 DEBUG org.pac4j.core.engine.DefaultSecurityLogic Performing authentication for direct client: #HeaderClient# | name: HeaderClient | headerName: Authorization | prefixHeader: Bearer | extractor: org.pac4j.core.credentials.extractor.HeaderExtractor@30a4f455 | authenticator: org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator@775f64 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@4620477d | 
2020-11-02 17:24:12 DEBUG org.pac4j.oidc.profile.OidcProfile adding => key: access_token / value: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx / class com.nimbusds.oauth2.sdk.token.BearerAccessToken 
2020-11-02 17:24:12 DEBUG org.pac4j.oidc.profile.OidcProfile adding => key: expiration / value: 2020-11-02T16:24:12.716-0500 / class java.util.Date 
2020-11-02 17:24:13 DEBUG org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator Token response: status=403, content=null 
2020-11-02 17:24:13 ERROR org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator Bad User Info response, error={error_description=The access token provided does not contain the required scopes., error=insufficient_scope} 
2020-11-02 17:24:13 DEBUG org.pac4j.http.client.direct.HeaderClient Credentials validation took: 294 ms  


Dan

Nov 2, 2020, 4:28:38 PM
to Pac4j users mailing list

In Postman, I got the following stack trace:

The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

org.pac4j.core.exception.TechnicalException: javax.naming.AuthenticationException
    org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator.fetchOidcProfile(UserInfoOidcAuthenticator.java:98)
    org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator.validate(UserInfoOidcAuthenticator.java:62)
    org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator.validate(UserInfoOidcAuthenticator.java:37)
    org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:70)
    java.util.Optional.ifPresent(Optional.java:159)
    org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:67)
    org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:42)
    org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:119)
    org.pac4j.springframework.security.web.SecurityFilter.doFilter(SecurityFilter.java:72)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
    org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)

Root Cause

javax.naming.AuthenticationException
    org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator.fetchOidcProfile(UserInfoOidcAuthenticator.java:86)
    org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator.validate(UserInfoOidcAuthenticator.java:62)
    org.pac4j.oidc.credentials.authenticator.UserInfoOidcAuthenticator.validate(UserInfoOidcAuthenticator.java:37)
    org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:70)
    java.util.Optional.ifPresent(Optional.java:159)
    org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:67)
    org.pac4j.core.client.DirectClient.getCredentials(DirectClient.java:42)
    org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:119)
    org.pac4j.springframework.security.web.SecurityFilter.doFilter(SecurityFilter.java:72)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92)
    org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
    org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)

Note: The full stack trace of the root cause is available in the server logs.

Apache Tomcat/8.5.59

Dan

Nov 2, 2020, 4:36:21 PM
to Pac4j users mailing list
Also, if I don't create a custom scope on the authorization server, when I post to the token endpoint it complains "no default scope".

Jérôme LELEU

Nov 4, 2020, 3:34:01 AM
to Dan, Pac4j users mailing list
Hi,

You should do some debugging in the userInfoHttpRequest.send() method to see the real HTTP request sent to the server.
Thanks.
Best regards,
Jérôme


To view this discussion on the web visit https://groups.google.com/d/msgid/pac4j-users/0aaabc86-1bc4-417f-b12e-4ee63ac22ae1n%40googlegroups.com.

Dan

Nov 4, 2020, 10:22:31 AM
to Pac4j users mailing list
I did put in debug for that class; there is no log output from it, as you can see in my previous thread. I went into those classes and don't see any debug statement in the source. Which side is wrong here, the Okta scope setting or the app's pac4j config?

Jérôme LELEU

Nov 4, 2020, 10:29:58 AM
to Dan, Pac4j users mailing list
Hi,

I mean: put a breakpoint and see the code inside.

There is a this.toHttpURLConnection() method which builds the URL. Inspect the variables and their values...

Thanks.
Best regards,
Jérôme
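Jérôme's advice amounts to looking at what the request, and the token inside it, actually carry. The following is an added example, not code from pac4j or from anyone in this thread: a stand-alone Python diagnostic that decodes the claims of a bearer access token without verifying its signature (acceptable for a one-off debugging script run against a token you just minted, never for an authorization decision) and lists the reasons the OIDC userinfo endpoint would answer 403 insufficient_scope, as in Dan's log. It also flags the case this thread is about: userinfo returns claims about an end user and needs the openid scope, while a client_credentials token has no end user behind it (its subject is the client itself), so for such tokens the JWT should be validated against the issuer's JWKS, or introspected, rather than sent to userinfo. The claim names (scp for granted scopes, cid for the client ID, sub for the subject) follow Okta's access-token layout and are an assumption, as are the scope name ws.read, the issuer, the client ID and the timestamps in the two constructed sample tokens.

```python
"""Added example (not pac4j code): explain a 403 insufficient_scope from the
OIDC userinfo endpoint by inspecting the bearer access token's claims.

The signature is NOT verified here. That is fine for a one-off debugging
script, never for an authorization decision: a real validator checks the
signature against the issuer's JWKS, plus iss, aud and exp.

Claim names are an assumption based on Okta's access-token layout:
scp (granted scopes), cid (client ID), sub (subject), exp (expiry).
"""
import base64
import json

# Fixed "current time" in Unix seconds so the demo is deterministic (constructed).
NOW = 1_604_352_000


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Return (header, claims) of a compact JWS. The signature is ignored."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def diagnose_userinfo_403(token, required_scopes, now=NOW):
    """List the reasons a userinfo call with this token would be rejected.

    Returns {"scopes": [...], "problems": [...], "ok": bool}.
    """
    _, claims = decode_jwt_unverified(token)
    scopes = set(claims.get("scp", []))
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    missing = sorted(set(required_scopes) - scopes)
    if missing:
        problems.append("missing scopes: " + ", ".join(missing))
    # userinfo returns claims about an end user and requires the openid scope.
    if "openid" not in scopes:
        problems.append("no openid scope: userinfo cannot serve this token")
    # A client_credentials token carries the client itself as subject: no user.
    if claims.get("sub") is not None and claims.get("sub") == claims.get("cid"):
        problems.append("client_credentials token (sub == cid): validate the JWT "
                        "or introspect it instead of calling userinfo")
    return {"scopes": sorted(scopes), "problems": problems, "ok": not problems}


def make_constructed_token(claims):
    """Build a sample token for the demo; the signature is a placeholder."""
    header = {"alg": "RS256", "kid": "constructed", "typ": "JWT"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "sig"])


# Constructed sample tokens. Issuer, client ID and scope name are made up.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oa-constructed-client"

# What a service app gets from grant_type=client_credentials&scope=ws.read.
SERVICE_TOKEN = make_constructed_token({
    "iss": ISSUER, "aud": "api://default", "cid": CLIENT_ID, "sub": CLIENT_ID,
    "scp": ["ws.read"], "iat": NOW - 60, "exp": NOW + 3600,
})

# What a user-facing flow gets after asking for scope=openid ws.read.
USER_TOKEN = make_constructed_token({
    "iss": ISSUER, "aud": "api://default", "cid": CLIENT_ID,
    "sub": "dan@example.org", "uid": "00u-constructed-user",
    "scp": ["openid", "ws.read"], "iat": NOW - 60, "exp": NOW + 3600,
})

if __name__ == "__main__":
    for name, tok in (("service token", SERVICE_TOKEN), ("user token", USER_TOKEN)):
        print(name, json.dumps(diagnose_userinfo_403(tok, ["ws.read"]), indent=2))
```

Run it against a real token by replacing SERVICE_TOKEN with the value from the token endpoint: if the report shows the custom scope present but no openid and sub equal to cid, the Okta side is doing what client_credentials is meant to do, and the fix is on the application side (validate or introspect the token rather than calling userinfo), not in the scope configuration.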

