OIDC Client with Identity Server 3 not working
3,252 views
Skip to first unread message
ThomasW
Jul 28, 2016, 4:35:35 AM7/28/16
to pac4j-users
Hello,
I want to try pac4j with Spring Boot to authenticate and authorize on the Identity Server 3.
Unfortuntely, it's not working. Firstly I tried with the GoogleOidcClient Class and then with the generic OidcClient.
Unfortuntely, it's not working. Firstly I tried with the GoogleOidcClient Class and then with the generic OidcClient.
But I am getting the same error message from Identiy server 3 :
10:07 [ERR] (IdentityServer3.Core.Validation.AuthorizeRequestValidator)
client_id is missing or too long
{
"SubjectId": "unknown",
"Flow": "AuthorizationCode",
"RequestedScopes": "",
"Raw": {}
}my Code is derived from the Spring Boot Demo :
@Configuration
public class Pac4jConfig {
@Value("${salt}")
private String salt;
@Bean
public Config config() {
final OidcClient oidcClient = new OidcClient();
oidcClient.setClientID("test");
oidcClient.setSecret("6A23B244-5713-4A25-5E68-61B6B8A5E131");
oidcClient.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
oidcClient.setDiscoveryURI("http://localhost:44333/connect/authorize");
oidcClient.setScope("openid");
Map<String, String> params= new HashMap<String,String>();
params.put("subject", "90342.ASDFJWFA" );
params.put("issuer", "http://localhost:8080/openid-connect-server-webapp/" );
params.put("redirectURI", "http://localhost:8100");
Jérôme LELEU
Jul 28, 2016, 5:12:16 AM7/28/16
to ThomasW, pac4j-users
Hi,
I don't know Identity server 3, so it's hard to say what the real problem is. Maybe it does not properly support the OpenID Connect protocol.
Can you post the first url used to call the identity server? There should a client_id parameter in it.
Thanks.
Best regards,
Jérôme
--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
ThomasW
Jul 28, 2016, 6:09:53 AM7/28/16
to pac4j-users, thomas...@gmail.com
Hello Jérôme,
Thanks for the fast reply.
This is the URL which works fine with the Identity server.
Jérôme LELEU
Jul 28, 2016, 10:21:57 AM7/28/16
to ThomasW, pac4j-users
Hi,
The url looks good, except the client_secret which should never be on the authorize url! Is it the url built by the OidcClient or some url you tested manually?
Thanks.
Best regards,
Jérôme
ThomasW
Jul 29, 2016, 5:08:44 AM7/29/16
to pac4j-users, thomas...@gmail.com
Thanks for the hint about the client_secret in the authorize_url !
I tested that URL manually on the Identity Server. The Identity server accepted that link without any problems and redirected me after the successful authorization.
I hoped that pac4j for Spring Boot would also be recognized in the same way by the Identity server.
Jérôme LELEU
Jul 29, 2016, 6:11:45 AM7/29/16
to ThomasW, pac4j-users
And does it work now?
ThomasW
Jul 29, 2016, 6:56:59 AM7/29/16
to pac4j-users, thomas...@gmail.com
No still the same error messsage in Identity Server as above.
The identity server does not accept the the requests made by my OidcClient
This is the output error log from Pac4J/Spring Boot in Eclipse :
2016-07-29 12:49:20.750 ERROR 3124 --- [nio-8080-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.pac4j.core.exception.TechnicalException: com.nimbusds.oauth2.sdk.ParseException: Invalid JSON: Unexpected token <!DOCTYPE html>
<html ng-app="app" ng-csp ng-controller="LayoutCtrl">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>IdentityServer3</title>
<link href='/assets/styles.min.css' rel='stylesheet'>
.....
Misagh Moayyed
Jul 29, 2016, 10:41:16 AM7/29/16
to pac4j-users
What you need to do is:
1. Make sure your OP works with another OIDC client correctly.
2. If it does not, you know what the problem is.
3. If it does, figure out what is different in the authz requests, etc and report back.
--
Misagh
Misagh
ThomasW
Jul 29, 2016, 12:26:12 PM7/29/16
to pac4j-users
I tried with MITRE OIDC and it works fine with Identity Server.
I am using the following configuration. The difference what I see is the JwsAlgorithm. I can't set the JWEAlgorithm.RSA1_5 in pac4j.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing
infrastructure -->
<!-- Enables the Spring MVC @Controller programming model -->
<mvc:annotation-driven />
<mvc:interceptors>
<!-- Inject the UserInfo into the current context -->
<bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
</mvc:interceptors>
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
in the /WEB-INF/views directory -->
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
</bean>
<context:component-scan base-package="org.mitre.web" />
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
<security:http auto-config="false" use-expressions="true"
disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint"
pattern="/**">
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
<security:logout />
</security:http>
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="http://localhost:44333/login" />
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="openIdConnectAuthenticationProvider" />
</security:authentication-manager>
<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
<property name="authoritiesMapper">
<bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
<property name="admins" ref="namedAdmins" />
</bean>
</property>
</bean>
<util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
<bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
<constructor-arg name="subject" value="90342.ASDFJWFA" />
<constructor-arg name="issuer" value="http://localhost:8080/openid-connect-server-webapp/" />
</bean>
</util:set>
<!--
-
- The authentication filter
-
-->
<bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="issuerService" ref="staticIssuerService" />
<property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
<property name="clientConfigurationService" ref="staticClientConfigurationService" />
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
</bean>
<!--
Static issuer service, returns the same issuer for every request.
-->
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
<property name="issuer" value="http://localhost:44333" />
</bean>
<!--
Third-party (account chooser) issuer service. Looks for the "iss" parameter on the request
and returns that as the issuer. If there is no "iss" value, redirects to the configured
account chooser URI. This URI should direct back to the login filter URL with an
"iss" value as a query parameter.
-->
<bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService" id="thirdPartyIssuerService">
<property name="accountChooserUrl" value="http://localhost:44333/login" />
</bean>
<!-- Dynamic server configuration, fetches the server's information using OIDC Discovery-->
<bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService"/>
<!-- Client Configuration: Determine which client identifier and credentials are used. -->
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
<property name="clients">
<map>
<entry key="http://localhost:44333">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientId" value="test" />
<property name="clientSecret" value="6A23B244-5713-4A25-5E68-61B6B8A5E131" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>http://localhost:44333</value>
</set>
</property>
</bean>
</entry>
</map>
</property>
</bean>
<!--
Plain authorization request builder, puts all options as query parameters on the GET request
-->
<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
<!--
Signed authorization request builder, puts all options as elements in a JWS-signed request object
-->
<bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder" id="signedAuthRequestUrlBuilder">
<property name="signingAndValidationService" ref="defaultSignerService" />
</bean>
<!--
Encrypted authorization request builder, puts all the options as elements in a JWE-encrypted request object
-->
<bean class="org.mitre.openid.connect.client.service.impl.EncryptedAuthRequestUrlBuilder" id="encryptedAuthRequestUrlBuilder">
<property name="encrypterService" ref="validatorCache" />
<property name="alg">
<util:constant static-field="com.nimbusds.jose.JWEAlgorithm.RSA1_5"/>
</property>
<property name="enc">
<util:constant static-field="com.nimbusds.jose.EncryptionMethod.A128GCM"/>
</property>
</bean>
<!--
This service fetches and caches JWK sets from URLs.
-->
<bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetCacheService" />
<!--
This service sets up a bunch of signers and validators based on our own keys.
Replace this keystore's contents for a production deployment.
-->
<bean id="defaultSignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
<constructor-arg name="keyStore">
<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
<property name="location" value="classpath:keystore.jwks" />
</bean>
</constructor-arg>
<property name="defaultSignerKeyId" value="rsa1" />
<property name="defaultSigningAlgorithmName" value="RS256" />
</bean>
<!--
This service publishes the client's public key on a the endpoint "jwk" off the root of this client.
-->
<bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher">
<property name="jwkPublishUrl" value="jwk" />
<property name="signingAndValidationService" ref="defaultSignerService" />
</bean>
</beans>
What you need to do is:1. Make sure your OP works with another OIDC client correctly.2. If it does not, you know what the problem is.3. If it does, figure out what is different in the authz requests, etc and report back.
--
Misagh
Jérôme LELEU
Jul 30, 2016, 1:58:15 AM7/30/16
to ThomasW, pac4j-users
Hi,
You raise a good point with the OpenID Connect test. Notice the size of the configuration in both cases ;-)
Taking a look at: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java, it seems that the parameters of the authorization request could be passed as a JWT.
I will investigate and let you know.
Thanks.
Best regards,
Jérôme
Jérôme LELEU
Aug 1, 2016, 4:18:52 AM8/1/16
to ThomasW, pac4j-users
Hi,
Signed / encrypted OpenID auth requests matter mostly for mobile apps,
or JS-only apps that run in a browser, where the app provider is not in
control of the app instance, but wants to seal certain OpenID auth
request parameters. Like what scopes may be requested."
I talked with the main developer of the oauth-oidc-sdk library used for the OpenID Connect support in pac4j.
Encrypting auth request parameters is possible via the SDK, but it is not currenlty available in pac4j. That's why I opened: https://github.com/pac4j/pac4j/issues/619
Above all, here is his feedback:
"Anyway, I'm left with the impression that people may be confused about
the purpose and use of signed /encrypted requests.Signed / encrypted OpenID auth requests matter mostly for mobile apps,
or JS-only apps that run in a browser, where the app provider is not in
control of the app instance, but wants to seal certain OpenID auth
request parameters. Like what scopes may be requested."
Is it really your use case?
Thanks.
Best regards,
Jérôme
ThomasW
Aug 1, 2016, 4:46:34 AM8/1/16
to pac4j-users, thomas...@gmail.com
Hello Jérôme ,
Thanks for your answer ! I should have made my use case much clearer from the beginning but this authenication/authorization topic is also fully new to me :-)
Yes, the auth requests should be encrypted because our AngularJS based apps (mobile/web) will access my Spring-based server via REST.
And the scopes of the requests are not permitted to be changed by the client ( so auth request must be sealed).
Thank you for clarifying and opening this as an issue in Github.
Jérôme LELEU
Aug 1, 2016, 12:05:57 PM8/1/16
to ThomasW, pac4j-users
Hi,
Can you share your configuration so that I can test it exactly (Client in the Clients class)?
Thanks.
Best regards,
Jérôme
ThomasW
Aug 2, 2016, 6:06:43 AM8/2/16
to pac4j-users, thomas...@gmail.com
I only configured the servlet-context.xml file as shown above. The rest of the simple-web-app remained untouched
I attached the keystore.jwks from that simple-web-app.
{
"issuer":"http://localhost:44333",
"authorization_endpoint":"http://localhost:44333/connect/authorize",
"token_endpoint":"http://localhost:44333/connect/token",
"userinfo_endpoint":"http://localhost:44333/connect/userinfo",
"end_session_endpoint":"http://localhost:44333/connect/endsession",
"check_session_iframe":"http://localhost:44333/connect/checksession",
"revocation_endpoint":"http://localhost:44333/connect/revocation",
"introspection_endpoint":"http://localhost:44333/connect/introspect",
"frontchannel_logout_supported":true,
"frontchannel_logout_session_supported":true,
"scopes_supported":["openid","profile","email","phone","address"],
"claims_supported":"given_name","family_name","preferred_username","idp","sub","name","middle_name","nickname","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at","email","email_verified","phone_number","phone_number_verified","address"],
"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],
"response_modes_supported":["form_post","query","fragment"],
"grant_types_supported":["authorization_code","client_credentials","password","refresh_token","implicit"],
"subject_types_supported":["public"],
"id_token_signing_alg_values_supported":["RS256"],
"code_challenge_methods_supported":["plain","S256"],
"token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"]
}
The main part of the REST controller witth OIDC enhanced security from that project looks like this (I haven't changed anything for my successful connection to the Identity server) :
@Controller
public class HomeController {
private static final Logger logger = LoggerFactory.getLogger(HomeController.class);
// filter reference so we can get class names and things like that.
@Autowired
private OIDCAuthenticationFilter filter;
@Resource(name = "namedAdmins")
private Set<SubjectIssuerGrantedAuthority> admins;
/**
* Simply selects the home view to render by returning its name.
*/
@RequestMapping(value = "/", method = RequestMethod.GET)
public String home(Locale locale, Model model, Principal p) {
model.addAttribute("issuerServiceClass", filter.getIssuerService().getClass().getSimpleName());
model.addAttribute("serverConfigurationServiceClass", filter.getServerConfigurationService().getClass().getSimpleName());
model.addAttribute("clientConfigurationServiceClass", filter.getClientConfigurationService().getClass().getSimpleName());
model.addAttribute("authRequestOptionsServiceClass", filter.getAuthRequestOptionsService().getClass().getSimpleName());
model.addAttribute("authRequestUriBuilderClass", filter.getAuthRequestUrlBuilder().getClass().getSimpleName());
model.addAttribute("admins", admins);
return "home";
}
@RequestMapping("/user")
@PreAuthorize("hasRole('ROLE_USER')")
public String user(Principal p)
{ return "user"; }
....I would be very happy if I could assist you testing it
Jérôme LELEU
Aug 3, 2016, 5:11:20 AM8/3/16
to ThomasW, pac4j-users
Hi,
I restarted working on this. My first step is to migrate the current OidcClient to the pac4j IndirectClientV2 model, which means it is now based on several subcomponents, like the OidcRedirectActionBuilder which computes the authorization request url.
With this, I could create a new RedirectActionBuilder and override the way the authentication request is built (put the parameters in a JWT).
---
About the tests (on IdentityServer3 and 4), I realized I was mistaken: I get the same error as you do because my discovery url was wrong and defined with the authorized endpoint. Fixing that, I can authenticate with IdentityServer3. I have then an issue with the secret but we can forget that for now.
My configuration on SpringBoot side:
final OidcClient oidcClient = new OidcClient();
oidcClient.setName("GoogleOidcClient");
oidcClient.setClientID("test");
oidcClient.setSecret("2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b");
oidcClient.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
oidcClient.setDiscoveryURI("http://localhost:5000/.well-known/openid-configuration");
oidcClient.setScope("openid");
Can you test with the right discovery url?
Thanks.
Best regards,
Jérôme
---
By the way, my configuration on IdentityServer3:
new Client
{
ClientName = "Test Client",
ClientId = "test",
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
// server to server communication
Flow = Flows.AuthorizationCode,
RedirectUris = new List<string>
{
},
// only allowed to access api1
AllowedScopes = new List<string>
{
"openid",
"profile",
"email"
}
},
My discovery endpoint:
"api1"],"sub","name","family_name","given_name","middle_name","nickname","preferred_username",
"profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at","email","email_verified"],
ThomasW
Aug 3, 2016, 9:15:24 AM8/3/16
to pac4j-users, thomas...@gmail.com
Hello,
Thanks for the clarification ! I also changed my code to :
oidcClient.setDiscoveryURI("http://localhost:44333//.well-known/openid-configuration");
Everything else remained the same-
Unfortunately, it is not working for me. I get the following error message :
2016-08-03 15:03:57.375 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===
2016-08-03 15:03:57.377 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/oidc/index.html
2016-08-03 15:03:57.382 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : matchers: null
2016-08-03 15:03:57.383 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : clients: OidcClient
2016-08-03 15:03:57.384 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: OidcClient | callbackUrl: null | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@7d01ea96 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@32e17a16 | redirectActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@42545c80 | configuration: #OidcConfiguration# | clientId: silicon | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid | customParams: {redirectURI=http://localhost:8100, subject=90342.ASDFJWFA, issuer=http://localhost:8080/openid-connect-server-webapp/} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: RS256 | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: null | callbackUrl: null | |]
2016-08-03 15:03:57.385 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : loadProfilesFromSession: true
2016-08-03 15:03:57.385 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : profiles: []
2016-08-03 15:03:57.385 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : Starting authentication
2016-08-03 15:03:57.386 DEBUG 5272 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : requestedUrl: http://localhost:8080/oidc/index.html
2016-08-03 15:03:57.412 ERROR 5272 --- [nio-8080-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.pac4j.core.exception.TechnicalException: callbackUrl cannot be blank] with root cause
org.pac4j.core.exception.TechnicalException: callbackUrl cannot be blank
at org.pac4j.core.util.CommonHelper.assertTrue(CommonHelper.java:131) ~[classes/:na]
at org.pac4j.core.util.CommonHelper.assertNotBlank(CommonHelper.java:142) ~[classes/:na]
at org.pac4j.oidc.client.OidcClient.internalInit(OidcClient.java:92) ~[pac4j-oidc-1.9.2-SNAPSHOT.jar:na]
at org.pac4j.core.util.InitializableWebObject.init(InitializableWebObject.java:24) ~[classes/:na]
at org.pac4j.core.client.IndirectClient.getRedirectAction(IndirectClient.java:77) ~[classes/:na]
at org.pac4j.core.client.IndirectClient.redirect(IndirectClient.java:44) ~[classes/:na]
at org.pac4j.core.engine.DefaultSecurityLogic.redirectToIdentityProvider(DefaultSecurityLogic.java:252) ~[classes/:na]
at org.pac4j.core.engine.DefaultSecurityLogic.perform(DefaultSecurityLogic.java:145) ~[classes/:na]
at org.pac4j.springframework.web.SecurityInterceptor.preHandle(SecurityInterceptor.java:65) ~[spring-webmvc-pac4j-1.1.2-SNAPSHOT.jar:na]
at org.springframework.web.servlet.HandlerExecutionChain.applyPreHandle(HandlerExecutionChain.java:134) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASEJérôme LELEU
Aug 3, 2016, 9:18:19 AM8/3/16
to ThomasW, pac4j-users
I guess you didn't add the pac4j-core dependency in version 1.9.2-SNAPSHOT: is it the problem?
Message has been deleted
ThomasW
Aug 3, 2016, 9:45:40 AM8/3/16
to pac4j-users, thomas...@gmail.com
No I added it. Is there any logging settings to confirm that I use pac4j-core 1.9.2 ?
I even had a fight to add it since spring-webmvc-pac4j comes with pac4j-core version 1.9.1 ;-)
I did the following in my pom.xml to add it. And it is compiling and building without any problems in Maven :
<pac4j.version>1.9.2-SNAPSHOT</pac4j.version>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>spring-webmvc-pac4j</artifactId>
<version>${spring-webmvc-pac4j.version}</version>
<exclusions>
<exclusion>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-core</artifactId>
<version>${pac4j.version}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-gae</artifactId>
<version>${pac4j.version}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-oauth</artifactId>
<version>${pac4j.version}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-openid</artifactId>
<version>${pac4j.version}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-oidc</artifactId>
<version>1.9.2-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-http</artifactId>
<version>${pac4j.version}</version>
</dependency>
<dependency>
<groupId>org.pac4j</groupId>
<artifactId>pac4j-jwt</artifactId>
<version>${pac4j.version}</version>
</dependency>Jérôme LELEU
Aug 3, 2016, 9:46:15 AM8/3/16
to ThomasW, pac4j-users
Do a mvn dependency:tree to be sure of your dependencies...
2016-08-03 15:41 GMT+02:00 ThomasW <thomas...@gmail.com>:
No I added it. Is there any logging settings to confirm that I use pac4j-core 1.9.2 ?
I even had a fight to add it since spring-webmvc-pac4j comes with pac4j-core version 1.9.1 ;-)I did the following in my pom.xml to add it. And it is compiling and building without any problems in Maven :
ThomasW
Aug 3, 2016, 10:00:52 AM8/3/16
to pac4j-users, thomas...@gmail.com
Thanks !
I really use 1.9.2-snapshot version of pac4j-core and pac4j-oidc :
Jérôme LELEU
Aug 3, 2016, 10:03:03 AM8/3/16
to ThomasW, pac4j-users
And you still have the "TechnicalException: callbackUrl cannot be blank" issue? What's your Config / Clients definition?
...
[Message tronqué]
ThomasW
Aug 3, 2016, 10:16:46 AM8/3/16
to pac4j-users, thomas...@gmail.com
Yes, still the same error message.
Pac4Config.java class :
@Configuration
public class Pac4jConfig {
@Value("${salt}")
private String salt;
@Bean
public Config config() {
final OidcClient oidcClient = new OidcClient();
oidcClient.setName("OidcClient");
oidcClient.setClientID("test");
oidcClient.setSecret("6A23B244-5713-4A25-5E68-61B6B8A5E131");
oidcClient.setPreferredJwsAlgorithm(JWSAlgorithm.RS256);
oidcClient.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
oidcClient.setScope("openid");
Map<String, String> redirectURI = new HashMap<String,String>();
redirectURI.put("redirectURI", "http://localhost:8100");
redirectURI.put("subject", "90342.ASDFJWFA" );
redirectURI.put("issuer", "http://localhost:8080/openid-connect-server-webapp/" );
oidcClient.setCustomParams(redirectURI);
oidcClient.setAuthorizationGenerator(profile -> profile.addRole("ROLE_ADMIN"));
// REST authent with JWT for a token passed in the url as the token parameter
ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(salt));
parameterClient.setSupportGetRequest(true);
parameterClient.setSupportPostRequest(false);
// basic auth
final DirectBasicAuthClient directBasicAuthClient = new DirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());
final Config config = new Config(oidcClient);
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
// config.addAuthorizer("custom", new CustomAuthorizer());
return config;
}
SecurityConfig.java :
@Configuration
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class SecurityConfig extends WebMvcConfigurerAdapter {
@Autowired
private Config config;
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new SecurityInterceptor(config, "OidcClient")).addPathPatterns("/oidc/*");
registry.addInterceptor(new SecurityInterceptor(config)).addPathPatterns("/protected/*");
registry.addInterceptor(new SecurityInterceptor(config, "DirectBasicAuthClient,ParameterClient")).addPathPatterns("/dba/*");
registry.addInterceptor(new SecurityInterceptor(config, "ParameterClient")).addPathPatterns("/rest-jwt/*");
}
}
I added the keystore.jwks in resources folder
All other files are not modified in spring-webmvc-pac4j-boot-demo.
Jérôme LELEU
Aug 3, 2016, 10:35:26 AM8/3/16
to ThomasW, pac4j-users
You forgot to define the callbackUrl:
final Config config = new Config(oidcClient);
should become something like:
ThomasW
Aug 4, 2016, 5:23:43 AM8/4/16
to pac4j-users, thomas...@gmail.com
Thank you !!!
I added the callback URI but now I get this error message now :
com.nimbusds.oauth2.sdk.ParseException: Missing JSON object member with key "jwks_uri"
at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getGeneric(JSONObjectUtils.java:103) ~[oauth2-oidc-sdk-5.13.jar:5.13]
at com.nimbusds.oauth2.sdk.util.JSONObjectUtils.getURI(JSONObjectUtils.java:288) ~[oauth2-oidc-sdk-5.13.jar:5.13]
at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.parse(OIDCProviderMetadata.java:1739) ~[oauth2-oidc-sdk-5.13.jar:5.13]
at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.parse(OIDCProviderMetadata.java:2090) ~[oauth2-oidc-sdk-5.13.jar:5.13]
at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:88) ~[pac4j-oidc-1.9.2-SNAPSHOT.jar:na]
How can I set the jwks_uri ?
I tried to set the jwks_uri with the following command but it is not working :
Map<String, String> customParam= new HashMap<String,String>();
customParam.put("redirectURI", "http://localhost:8100");
customParam.put("subject", "90342.ASDFJWFA" );
customParam.put("issuer", "http://localhost:8080/openid-connect-server-webapp/" );
customParam.put("jwks_uri", "http://localhost:44333//.well-known/jwks");
oidcClient.setCustomParams(customParam);Jérôme LELEU
Aug 4, 2016, 5:29:55 AM8/4/16
to ThomasW, pac4j-users
Hi,
The problem happens during the parsing of the metadata of your identity server by the pac4j app. If you take a look at my server metadata, I have the jwks_uri (although I didn't configure anything special):
I think this is a matter of configuration on the IdentityServer3 side. I'm using this source code: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/AspNet5/src/IdentityServer
Thanks.
Best regards,
Jérôme
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
Jérôme LELEU
Aug 4, 2016, 5:52:15 AM8/4/16
to ThomasW, pac4j-users
Hi,
By the way, checking the spec (https://openid.net/specs/openid-connect-discovery-1_0.html), the jwks_uri is REQUIRED:
3. OpenID Provider Metadata
OpenID Providers have metadata describing their configuration. These OpenID Provider Metadata values are used by OpenID Connect:
- issuer
- REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
- authorization_endpoint
- REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint [OpenID.Core].
- token_endpoint
- URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used.
- userinfo_endpoint
- RECOMMENDED. URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components.
- jwks_uri
- REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
- ....
Thanks.
Best regards,
Jérôme
ThomasW
Aug 4, 2016, 7:47:24 AM8/4/16
to pac4j-users, thomas...@gmail.com
I set the jwks_uri in Identity server.
But now I face a problem with the callbackUrl. .Did you configure the callbackUrl in Identity server explicitly ?
I set :
But in IdentityServer I get the following error message ( it seems Identityserver confuses the callbackURL with the redirectURL ):
[ERR] (IdentityServer3.Core.Validation.AuthorizeRequestValidator)
Invalid redirect_uri: http://localhost:8100/callback?client_name=OidcClient
{
"ClientId": "silicon",
"ClientName": "test",
"RedirectUri": "http://localhost:8100/callback?client_name=OidcClient",
"AllowedRedirectUris": [
"http://localhost:8100",
"http://localhost:8100/#/landing/login",
"http://localhost:8101/#/landing/login",
"http://localhost:8101",
"https://localhost:44333",
"http://localhost:44333"
],
"SubjectId": "unknown",
"Flow": "AuthorizationCode",
"RequestedScopes": "",
"Raw": {
"redirectURI": "http://localhost:8100",
"subject": "90342.ASDFJWFA",
"jwks_uri": "http://localhost:44333/.well-known/jwks",
"issuer": "http://localhost:8080/simple-web-app/login",
"response_type": "code",
"client_id": "silicon",
"redirect_uri": "http://localhost:8100/callback?client_name=OidcClient",
"scope": "openid",
Jérôme LELEU
Aug 4, 2016, 7:52:56 AM8/4/16
to ThomasW, pac4j-users
Hi,
Yes, I set the redirectUri in IdentityServer3 like the computed callbackUrl on the application side:
new Client
{
ClientName = "Test Client",
ClientId = "test",
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
// server to server communication
Flow = Flows.AuthorizationCode,
RedirectUris = new List<string>
{
},
// only allowed to access api1
AllowedScopes = new List<string>
{
"openid",
"profile",
"email"
}
},
Thanks.
Best regards,
Jérôme
--
ThomasW
Aug 4, 2016, 9:57:57 AM8/4/16
to pac4j-users, thomas...@gmail.com
Thank you very much Jérôme for your patient and good answer !
No more error messages in Spring Boot console !
I have to fiddle about the IdentityServer issue but that I will check somewhere else.
Start authorize request protocol validation
15:48 [ERR] (IdentityServer3.Core.Validation.ScopeValidator)
Invalid scope: openid
15:48 [INF] (IdentityServer3.Core.Endpoints.AuthorizeEndpointController)
End authorize request
15:48 [INF] (IdentityServer3.Core.Results.AuthorizeRedirectResult)
Redirecting to: http://localhost:8100/callback?client_name=test&error=invalid_scope&state=sQiAOTiM_PIKmUG3WT2ba54wPGzpbfxStzjP9me8nZk
Last question so far : why is clientID not being used for the redirection URL ? It would be much better to use the clientID instead of the clientName.
But this might be also a question to the IdentityServer experts.
oidcClient.setName("OidcClient"</spa
Jérôme LELEU
Aug 4, 2016, 11:36:31 AM8/4/16
to ThomasW, pac4j-users
Hi,
pac4j targets many protocols and not only OpenID Connect. The clientID is specific to OpenID Connect while the client_name is used by pac4j for all protocols (clients) to share the same callback url.
I have myself an "invalid_client" error:
[17:34:52 DBG] Start client validation
[17:34:52 DBG] Start parsing for X.509 certificate
[17:34:52 DBG] client_id is not found in post body
[17:34:52 DBG] Start parsing for secret in post body
[17:34:52 DBG] No secret in post body found
[17:34:52 DBG] Start parsing Basic Authentication secret
[17:34:52 DBG] Parser found client secret: BasicAuthenticationSecretParser
[17:34:52 INF] Client secret id found: test
[17:34:52 DBG] No matching hashed secret found.
[17:34:52 INF] Client validation failed.
[17:34:52 INF] End token request
[17:34:52 INF] Returning error: invalid_client
Can you share your configuration of the secret (on both sides)?
Thanks.
Best regards,
Jérôme
--
ThomasW
Aug 4, 2016, 12:42:04 PM8/4/16
to pac4j-users, thomas...@gmail.com
my code :
@Configuration
public class Pac4jConfig {
@Value("${salt}")
private String salt;
@Bean
public Config config() {
final OidcClient oidcClient = new OidcClient();
oidcClient.setName("test");
oidcClient.setClientID("test");
oidcClient.setSecret("6A23B244-5713-4A25-5E68-61B6B8A5E131");
oidcClient.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
oidcClient.setDiscoveryURI("http://localhost:44333//.well-known/openid-configuration");
oidcClient.setDiscoveryURI("http://localhost:44333/connect/authorize");
oidcClient.setScope("openid");
oidcClient.setAuthorizationGenerator(profile -> profile.addRole("ROLE_ADMIN"));
// REST authent with JWT for a token passed in the url as the token parameter
ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(salt));
parameterClient.setSupportGetRequest(true);
parameterClient.setSupportPostRequest(false);
// basic auth
final DirectBasicAuthClient directBasicAuthClient = new DirectBasicAuthClient(
new SimpleTestUsernamePasswordAuthenticator());
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
// config.addAuthorizer("custom", new CustomAuthorizer());
return config;
}The secret confs of IdentityServer
{"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],
"response_modes_supported":["form_post","query","fragment"],
"grant_types_supported":["authorization_code","client_credentials","password","refresh_token","implicit"],
"subject_types_supported":["public"],
"id_token_signing_alg_values_supported":["RS256"],
"code_challenge_methods_supported":["plain","S256"],
"token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"]
}
The code of IdentityServer :
ClientSecrets = new List<Secret>{ new Secret("6A23B244-5713-4A25-5E68-61B6B8A5E131".Sha256()) },|
|
server running...
18:08 [INF] (IdentityServer3.Core.Endpoints.DiscoveryEndpointController)
Start discovery request
18:08 [INF] (IdentityServer3.Core.Endpoints.AuthorizeEndpointController)
Start authorize request
18:08 [INF] (IdentityServer3.Core.Validation.AuthorizeRequestValidator)
Start authorize request protocol validation
18:08 [ERR] (IdentityServer3.Core.Validation.ScopeValidator)
Invalid scope: openid
18:08 [INF] (IdentityServer3.Core.Endpoints.AuthorizeEndpointController)
End authorize request
18:08 [INF] (IdentityServer3.Core.Results.AuthorizeRedirectResult)
Redirecting to: http://localhost:8100/callback?client_name=test&error=invalid_scope&state=PGgdiICFytixBiFXnZnAUVnpeCjiAbMItZUrS-7r3DY
Jérôme LELEU
Aug 5, 2016, 6:44:42 AM8/5/16
to ThomasW, pac4j-users
Hi,
Thanks for the hint, I was mistaken in the secret configuration. Everything works now. No customization was necessary in fact ;-)
I have done many changes around JWT and OpenID Connect supports to accept the use case we thought was needed at first (JWT signing / encryption of the authentication request parameters). I will continue to work on OpenID Connect and especially on flow supports.
Any feedback will be appreciated.
Thanks.
Best regards,
Jérôme
--
Jérôme LELEU
Aug 5, 2016, 7:33:59 AM8/5/16
to ThomasW, pac4j-users
Hi,
And finally, following this documentation: http://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/openid-connect/oidc-auth#signed-request, you would need that class to JWT your authentication request parameters:
public class CustomOidcRedirectActionBuilder extends OidcRedirectActionBuilder {
private RSAPrivateKey privateKey;
@Override
protected String buildAuthenticationRequestUrl(final Map<String, String> params) {
final RSASignatureConfiguration signatureConfiguration = new RSASignatureConfiguration();
signatureConfiguration.setPrivateKey(privateKey);
JwtGenerator jwtGenerator = new JwtGenerator(signatureConfiguration);
final Map<String, Object> claims = new HashMap<>();
claims.put(OidcConfiguration.RESPONSE_TYPE, "code");
claims.put(OidcConfiguration.SCOPE, getConfiguration().getScope());
claims.put("code_challenge_method", "S256");
final String jwt = jwtGenerator.generate(claims);
final CodeVerifier pkceVerifier = new CodeVerifier();
final CodeChallenge pkceChallenge = CodeChallenge.compute(CodeChallengeMethod.S256, pkceVerifier);
try {
return new AuthenticationRequest.Builder(
new ResponseType("code"),
new Scope(params.get(OidcConfiguration.SCOPE)),
new ClientID(getConfiguration().getClientId()),
URI.create(getConfiguration().getCallbackUrl()))
.state(new State(params.get(OidcConfiguration.STATE_SESSION_ATTRIBUTE)))
.codeChallenge(pkceChallenge, CodeChallengeMethod.S256)
.requestObject(SignedJWT.parse(jwt))
.endpointURI(getConfiguration().getProviderMetadata().getAuthorizationEndpointURI())
.build()
.toURI()
.toString();
} catch (final ParseException e) {
throw new TechnicalException(e);
}
}
}
Thanks.
Best regards,
Jérôme
ThomasW
Aug 8, 2016, 7:33:49 AM8/8/16
to pac4j-users, thomas...@gmail.com
Thank you for your answer ! I am now trying to integrate your changes in my application.
But there is two doubt for me.
Can I also use Spring Security annotation with pac4j?
I would like to make some REST URLs secure for OpenID connect granted users.
After authorization the REST URL should be accessible, I was thinking to use it like this :
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/vehicle/events", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
ResponseEntity<EventMessages> getVehicleStatus()
{
...
return new ResponseEntity <EventMessages> (list_eventmessages, HttpStatus.OK);
Just for the confirmation : you are using WebContext with sessions. The pac4j-oidc can also be running without any sessions, correct ?
My application must be stateless/session-less.
"<a href="http://localhost:8100/#/lan
Jérôme LELEU
Aug 8, 2016, 8:45:05 AM8/8/16
to ThomasW, pac4j-users
Hi,
1) When using spring-security-pac4j, pac4j populates the Spring Security context with the pac4j authenticated user. So you can perform any check with annotations.
2) In a similar way, the use of the web session will be driven by the create-session attribute of the security:http section (="never" for REST services).
Thanks.
Best regards,
Jérôme
--
ThomasW
Aug 8, 2016, 9:09:00 AM8/8/16
to pac4j-users, thomas...@gmail.com
Thanks for the clarification !
Last question : how can I add more scopes in the pac4j-oidc's OidcClient ?
Jérôme LELEU
Aug 8, 2016, 11:59:09 AM8/8/16
to ThomasW, pac4j-users
Hi,
You can set the scope via the setScope method: oidcClient.setScope("openid email profile");
Thanks.
Best regards,
Jérôme
--
Message has been deleted
ThomasW
Aug 9, 2016, 8:37:52 AM8/9/16
to pac4j-users, thomas...@gmail.com
Thank you for your answer !
I have this line in Pac4jConfig.java :
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));If I add /vehicle to the SecurityInterceptor, then it is working as expected.
registry.addInterceptor(new SecurityInterceptor(config, "test")).addPathPatterns("/vehicle/*");But if I remove the SecurityInterceptor and tag the REST URL with PreAuthorize Annotation instead, then my /vehicle URL is not protected/redirected for Authorization :
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/vehicle/events", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
ResponseEntity<EventMessages> getVehicleStatus(HttpServletRequest request, HttpServletResponse response, Map<String, Object> map) throws HttpAction
{Jérôme LELEU
Aug 9, 2016, 9:09:14 AM8/9/16
to ThomasW, pac4j-users
Hi,
Why did you remove the SecurityInterceptor?
Thanks.
Best regards,
Jérôme
--
ThomasW
Aug 9, 2016, 10:18:41 AM8/9/16
to pac4j-users, thomas...@gmail.com
I was following this article regarding interceptors and annotation-based security on methods :
I prefer the annotation-based security on methods.
As far as I understand, the @PreAuthorize annotation should work independently from the the SecurityInterceptor ?`
Please correct me if I misunderstood it.
By the way, I really thank you for your great help/answers and the pac4j security framework !
Jérôme LELEU
Aug 10, 2016, 11:28:55 PM8/10/16
to ThomasW, pac4j-users
Hi,
Yes, the @PreAuthorize annotation works independently from the SecurityInterceptor.
I just updated the demo: https://github.com/pac4j/spring-security-pac4j-demo/commit/6cad65c4507181aefcc5b60f41646ca1f782d677
The http://localhost:8080/roleadmin/index.html is now protected by the annotation:
@RequestMapping("/roleadmin/index.html")
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String roleAdmin() {
return "protectedIndex";
}
If you log in with Facebook and call it, you'll get a Forbidden error page. If you log in via Google OpenID Connect (where the ROLE_ADMIN is granted) and call the url, you'll access the protected page.
Though, if you try to access /roleadmin/index.html directly, you'll get an error and if you see the logs, you have:
org.pac4j.core.exception.TechnicalException: The pac4j entry point should never be called: you must define a pac4j 'SecurityFilter' or the pac4j 'CallbackFilter' in the corresponding security:http section
This is the expected behavior: when using the @PreAuthorize annotation and not matching the criteria, the entry point of the corresponding security:http section is called. In that case, it is the pac4jEntryPoint which is made to work with the SecurityFilter or CallbackFilter.
What behavior do you expect?
If you use another entry point, you'll start the associated login process. We could return a 401 or 403 error page in the pac4jEntryPoint, but I'm not convinced yet.
Thanks.
Best regards,
Jérôme
--
Jérôme LELEU
Aug 12, 2016, 3:53:24 AM8/12/16
to ThomasW, pac4j-users
Hi,
Thinking more about this:
Indeed, if you want to use the @PreAuthorize annotation, you may not want to use the SecurityFilter at all. So in fact, the pac4jEntryPoint should start the login process (Facebook, CAS server...) or return a 401 error for web services (the old behaviour of the 1.4 version).
Does it make sense?
Thanks.
Best regards,
Jérôme
ThomasW
Aug 12, 2016, 6:24:02 AM8/12/16
to pac4j-users, thomas...@gmail.com
Hello Jérôme,
Yes, that's what I also was thinking. I only wanted to use @PreAuthorize for my REST URL in which I can define who can access those URLs.
All my REST resources are specifically designed for some users. The SecurityFilter covers a more general approach, am I correct ?
In addition such code is for me easy to read and understand :
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/vehicle/events")Is it possible to add some kind of Authorization failed in the error message when a user is not trying to access a REST resource which was not granted to him ? The 401 error message is harder to understand for the users.
Please also create Spring Boot demos since I am not keen to use Spring with XML ;-)
Jérôme LELEU
Aug 12, 2016, 7:33:02 AM8/12/16
to ThomasW, pac4j-users
Hi,
I have upgraded the entry point to start an authentication process if properly configured: https://github.com/pac4j/spring-security-pac4j/pull/41/files
So, assuming I have the @PreAuthorize annotation:
@RequestMapping("/roleadmin/index.html")
@PreAuthorize("hasRole('ROLE_ADMIN')")
public String roleAdmin() {
return "protectedIndex";
}
1) you could have this NEW configuration (to start a Facebook login process):
2) but it's when I realized you could already do the same with the SecurityFilter:
<bean id="pac4jEntryPoint" class="org.pac4j.springframework.security.web.Pac4jEntryPoint" /><bean id="roleAdminSecurityFilter" class="org.pac4j.springframework.security.web.SecurityFilter"><property name="config" ref="config" /><property name="clients" value="FacebookClient" /></bean><security:http create-session="always" pattern="/roleadmin/**" entry-point-ref="pac4jEntryPoint"><security:custom-filter position="BASIC_AUTH_FILTER" ref="roleAdminSecurityFilter" /></security:http>
In that case, the SecurityFilter (called before) would only play the authentication part and the authorization part would be handle by the @PreAuthorize.
Is the current configuration enough ? Or do you need something more ?
Yes, this is an old "XML configuration" demo, but I'll welcome any contribution to turn it into a Spring Boot app ;-)
Thanks.
Best regards,
Jérôme
--
ThomasW
Aug 16, 2016, 5:16:45 AM8/16/16
to pac4j-users, thomas...@gmail.com
Yes, that's what I want ! Now I just fiddling around to translate it to Spring Boot and if not successful then I just keep SecurityInterceptor.
Thank you !
Thomas
my code :
oidcClient.setDiscoveryURI("<a href="http://localhost:44333/connect/authorize" rel="nofollow" target="_bl
Jérôme LELEU
Aug 16, 2016, 5:18:51 AM8/16/16
to ThomasW, pac4j-users
Just to be sure: does option number 2 work (meaning I don't need to perform any upgrade on the library)?
--
ThomasW
Aug 17, 2016, 10:09:27 AM8/17/16
to pac4j-users, thomas...@gmail.com
Hello,
I just realized that the redirection after the authorization is not working as expected !
- I am calling my REST URL : http://localhost:8080/vehicle/events
- This URL will be intercepted by Pac4j/SpringSecurity and I will be directed to the authentication/authorization via IdentityServer Login
- After successful signing in, I will be redirected to the http://localhost:8080 website and not to http://localhost:8080/vehicle/events
I think the pac4j setCallbackUrl method is making the problem with IdentityServer because that CallbackURL is overwriting the existing redirectUris from IdentityServer ( see the Identity server log below)
My code :
@Configuration
@ComponentScan(basePackages = "org.pac4j.springframework.web")
public class SecurityConfig extends WebMvcConfigurerAdapter {
@Autowired
private Config config;
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new SecurityInterceptor(config, "test")).addPathPatterns("/vehicle/*");
}
My REST service to which the it should be directed after successful authentication and authorization :
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/vehicle/events", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
ResponseEntity<Events> getVehicleStatus(HttpServletRequest request, HttpServletResponse response, Map<String, Object> map) throws HttpAction {
pac4j config class :
final OidcClient oidcClient = new OidcClient();
oidcClient.setName("test");
oidcClient.setClientID("test");
oidcClient.setSecret("6A23B244-5713-4A25-5E68-61B6B8A5E131");
oidcClient.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
oidcClient.setDiscoveryURI("http://localhost:44333//.well-known/openid-configuration");
oidcClient.setAuthorizationGenerator(profile -> profile.addRole("ROLE_ADMIN"));
final Config config = new Config(oidcClient);IdentityServer config :
IdentityServer log :
15:08 [INF] (IdentityServer3.Core.Validation.AuthorizeRequestValidator)
Authorize request validation success
{
"ClientId": "test",
"ClientName": "test",
"RedirectUri": "http://localhost:8080",
"AllowedRedirectUris": [
"http://localhost:8080",
"http://localhost:8080/vehicle/events"
],
"SubjectId": "1",
"ResponseType": "code",
"ResponseMode": "query",
"Flow": "AuthorizationCode",
"RequestedScopes": "openid api1",
"State": "j2c0b86AdzmFkHirgPe_AFBP2iP-g9hDf0tJGPeMEAM",
"SessionId": "5dfc12fd21f033584b563e7e54844ebc",
"Raw": {
"response_type": "code",
"client_id": "test",
"redirect_uri": "http://localhost:8080",
"scope": "openid api1",
"state": "j2c0b86AdzmFkHirgPe_AFBP2iP-g9hDf0tJGPeMEAM"
}
}
15:08 [INF] (IdentityServer3.Core.ResponseHandling.AuthorizeResponseGenerator)
Creating Authorization Code Flow response.
15:08 [INF] (IdentityServer3.Core.Endpoints.AuthorizeEndpointController)
End authorize request
my code :
oidcClient.setClientAuthenticationMethod(<span st
Jérôme LELEU
Aug 18, 2016, 4:33:04 AM8/18/16
to ThomasW, pac4j-users
Hi,
I guess there is some misconfiguration.
The callback url should be something like http://localhost:8080/callback and you should declare it at the Config or Clients level (you don't need to do that at the Client level).
Then, you must have a CallbackFilter to receive the callback: I guess it's missing for you here -> https://github.com/pac4j/spring-security-pac4j-demo/blob/master/src/main/resources/securityContext.xml#L136
Thanks.
Best regards,
Jérôme
--
ThomasW
Aug 19, 2016, 9:15:44 AM8/19/16
to pac4j-users, thomas...@gmail.com
This seems to be a big task for me. Maybe too big.
I have some problems to migrate the mentioned CallbackFilter section into my Spring Boot stuff.
I would be very thankful if you could give some sample code with the Callback Filter in Spring Boot.
Regards,
Thomas
Jérôme LELEU
Aug 22, 2016, 5:27:16 AM8/22/16
to ThomasW, pac4j-users
Hi,
Adding a filter to Spring Boot should be straightfoward: http://stackoverflow.com/questions/19825946/how-to-add-a-filter-class-in-spring-boot
I'm not sure if we already talked about that, but you should certainly try: https://github.com/pac4j/spring-webmvc-pac4j and its boot demo: https://github.com/pac4j/spring-webmvc-pac4j-boot-demo
Thanks.
Best regards,
Jérôme
--
Message has been deleted
ThomasW
Aug 23, 2016, 1:15:33 PM8/23/16
to pac4j-users, thomas...@gmail.com
I am using your updated Spring Boot demo with the OidcConfiguration class.
But now I am getting this error :
016-08-23 18:51:56.160 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===
2016-08-23 18:51:56.161 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/vehicle/events
2016-08-23 18:51:56.167 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : matchers: null
2016-08-23 18:51:56.167 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : clients: test
2016-08-23 18:51:56.168 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: test | callbackUrl: http://localhost:8080/callback | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@5a9ba6f4 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@5d3b03bd | redirectActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@6efd385e | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: null | callbackUrl: null | responseType: null | responseMode: null | |]
2016-08-23 18:51:56.169 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : loadProfilesFromSession: true
2016-08-23 18:51:56.194 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : profiles: []
2016-08-23 18:51:56.196 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : Starting authentication
2016-08-23 18:51:56.197 DEBUG 5660 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : requestedUrl: http://localhost:8080/vehicle/events
2016-08-23 18:52:00.105 DEBUG 5660 --- [nio-8080-exec-2] o.p.c.e.J2ERenewSessionCallbackLogic : === CALLBACK ===
2016-08-23 18:52:00.146 ERROR 5660 --- [nio-8080-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.pac4j.core.exception.TechnicalException: name cannot be blank] with root cause
org.pac4j.core.exception.TechnicalException: name cannot be blank
at org.pac4j.core.util.CommonHelper.assertTrue(CommonHelper.java:131) ~[pac4j-core-1.9.2-20160822.122556-20.jar:na]
at org.pac4j.core.util.CommonHelper.assertNotBlank(CommonHelper.java:142) ~[pac4j-core-1.9.2-20160822.122556-20.jar:na]
at org.pac4j.core.client.Clients.findClient(Clients.java:133) ~[pac4j-core-1.9.2-20160822.122556-20.jar:na]
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:70) ~[pac4j-core-1.9.2-20160822.122556-20.jar:na]
at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:53) ~[spring-webmvc-pac4j-1.1.2-20160727.111230-2.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_92]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_92]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_92]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_92]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221) ~[spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136) ~[spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:832) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:743) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:858) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:622) ~[tomcat-embed-core-8.0.33.jar:8.0.33]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) ~[tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292) ~[tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-embed-websocket-8.0.33.jar:8.0.33]My configuration :
final OidcConfiguration oidcConfiguration = new OidcConfiguration();
oidcConfiguration.setClientId("test");
oidcConfiguration.setSecret("6A23B244-5713-4A25-5E68-61B6B8A5E131");
oidcConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
oidcConfiguration.setDiscoveryURI("http://localhost:44333//.well-known/openid-configuration");
oidcConfiguration.setScope("openid api1");
oidcConfiguration.addCustomParam("prompt", "consent");
OidcClient oidcClient = new OidcClient(oidcConfiguration);
oidcClient.setName("test");
oidcClient.setCallbackUrl("http://localhost:8080/callback");
oidcClient.setAuthorizationGenerator(profile -> profile.addRole("ROLE_ADMIN"));
final Clients clients = new Clients( oidcClient);
final Config config = new Config(clients);
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
return config;
ThomasW
Aug 23, 2016, 1:18:14 PM8/23/16
to pac4j-users, thomas...@gmail.com
Somehow Google Groups messed my full reply. That's why I send this reply too :
This is my code :
at org.pac4j.core.client.Clients.findClient(Clients.java:133) ~[pac4j-core-1.9.</
Jérôme LELEU
Aug 24, 2016, 11:04:58 AM8/24/16
to ThomasW, pac4j-users
Hi,
I see your problem and it's an interesting use case.
As the callback url is shared between potentially several clients, each client has a specific callback url based on the general callback url and a client_name parameter. This is computed at initialization.
It works if you define the callback url at the Clients level. If you want to make it work by just defining the callback url at the Client level, you should define http://localhost:8080/callback?client_name=OidcClient and not http://localhost:8080/callback
Though, it feels really tricky and I guess it should work in your case.
Be careful, you should define the computed callback url at the identity provider as http://localhost:8080/callback?client_name=OidcClient and not http://localhost:8080/callback
I just pushed: https://github.com/pac4j/pac4j/commit/7f3493228cb08ec1a43bfd586cbbb314767ae574 to make that work out of the box. Wait a few minutes before the build completes (https://travis-ci.org/pac4j/pac4j/builds/154778174) -> use the 1.9.2-SNAPSHOT version
I guess I need to add some doc on callback url computation somewhere.
Notice you can change this client_name parameter or even disable its addition for a client (you would need to define a default client in that case).
Just let me know if it works now.
Thanks.
Best regards,
Jérôme
--
Message has been deleted
Message has been deleted
Message has been deleted
ThomasW
Aug 25, 2016, 11:18:09 AM8/25/16
to pac4j-users, thomas...@gmail.com
I am using pac4j-core-1.9.2-SNAPSHOT and I configured http://localhost:8080/callback?client_name=test as callback address, but unfortunately, I am getting another error message :
2016-08-25 16:32:28.290 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/vehicle/events
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : matchers: null
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : clients: test
2016-08-25 16:32:28.292 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: test ....
2016-08-25 16:32:28.296 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : loadProfilesFromSession: true
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : profiles: []
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : Starting authentication
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : requestedUrl: http://localhost:8080/vehicle/events
2016-08-25 16:32:31.743 DEBUG 11124 --- [nio-8080-exec-7] o.p.c.e.J2ERenewSessionCallbackLogic : === CALLBACK ===
2016-08-25 16:32:31.743 DEBUG 11124 --- [nio-8080-exec-7] o.p.c.e.J2ERenewSessionCallbackLogic : client: #OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@50411518 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@7a52ac86 | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientName: test | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretBasic@740f48c9 | | profileCreator: #OidcProfileCreator#
2016-08-25 16:32:31.811 ERROR 11124 --- [nio-8080-exec-7] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client] with root cause
Message has been deleted
ThomasW
Aug 25, 2016, 11:22:03 AM8/25/16
to pac4j-users, thomas...@gmail.com
Continuing of the error message from below ( because Google Groups is not able to show such big stacktrace):
org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:104) ~[pac4j-oidc-1.9.2-20160824.152133-22.jar:na]
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:33) ~[pac4j-oidc-1.9.2-20160824.152133-22.jar:na]
at org.pac4j.core.client.IndirectClientV2.retrieveCredentials(IndirectClientV2.java:53) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:105) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:77) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:53) ~[spring-webmvc-pac4j-1.1.2-20160727.111230-2.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_92]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_92]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_92]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_92]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221) ~[spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
ThomasW
Aug 25, 2016, 11:22:52 AM8/25/16
to pac4j-users, thomas...@gmail.com
And this is the error output of the IdentityServer :
16:32 [INF] (IdentityServer3.Core.Validation.AuthorizeRequestValidator)
Start authorize request protocol validation
16:32 [INF] (IdentityServer3.Core.Validation.AuthorizeRequestValidator)
Authorize request validation success
{
"ClientId": "test",
"ClientName": "test",
],
"SubjectId": "1",
"ResponseType": "code",
"ResponseMode": "query",
"Flow": "AuthorizationCode",
"RequestedScopes": "openid api1",
"State": "i9BVMv9rBFBBkgYR2Fn5j4lEZT87tY0Q2NBXyGZ4cp8",
"PromptMode": "consent",
"SessionId": "0f4bdbd993102592bc943073527a9b4f",
"Raw": {
"response_type": "code",
"client_id": "test",
"redirect_uri": "http://localhost:8080/callback?client_name=test",
"scope": "openid api1",
"state": "i9BVMv9rBFBBkgYR2Fn5j4lEZT87tY0Q2NBXyGZ4cp8",
"prompt": "consent"
}
}
16:32 [INF] (IdentityServer3.Core.ResponseHandling.AuthorizeResponseGenerator)
Creating Authorization Code Flow response.
16:32 [INF] (IdentityServer3.Core.Results.AuthorizeRedirectResult)
Redirecting to: http://localhost:8080/callback?client_name=test
16:32 [INF] (IdentityServer3.Core.Endpoints.TokenEndpointController)
Start token request
16:32 [INF] (IdentityServer3.Core.Validation.SecretParser)
Secret id found: test
16:32 [INF] (IdentityServer3.Core.Validation.SecretValidator)
Secret validators could not validate secret
16:32 [INF] (IdentityServer3.Core.Validation.ClientSecretValidator)
Client validation failed.
16:32 [INF] (IdentityServer3.Core.Endpoints.TokenEndpointController)
End token request
16:32 [INF] (IdentityServer3.Core.Results.TokenErrorResult)
Returning error: invalid_client
16:32 [INF] (IdentityServer.Infrastructure.Mongo.TokenCleanup)
Clearing tokens
Jérôme LELEU
Aug 26, 2016, 3:15:17 AM8/26/16
to ThomasW, pac4j-users
Hi,
It must be http://localhost:8080/callback?client_name=Pac4jClientName thus http://localhost:8080/callback?client_name=OidcClient (by default, the class nam is the name) and not http://localhost:8080/callback?client_name=test (not the client_id).
Thanks.
Best regards,
Jérôme
2016-08-25 17:07 GMT+02:00 ThomasW <thomas...@gmail.com>:
I am using pac4j-core-1.9.2-SNAPSHOT now and I configured http://localhost:8080/callback?client_name=test as callback address, but unfortunately, I am getting this error message now :
2016-08-25 16:32:28.290 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/vehicle/events
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : matchers: null
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : clients: test
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : profiles: []
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : Starting authentication
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : requestedUrl: http://localhost:8080/vehicle/events
2016-08-25 16:32:31.743 DEBUG 11124 --- [nio-8080-exec-7] o.p.c.e.J2ERenewSessionCallbackLogic : === CALLBACK ===
2016-08-25 16:32:31.811 ERROR 11124 --- [nio-8080-exec-7] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client] with
org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:104) ~[pac4j-oidc-1.9.2-20160824.152133-22.jar:na]
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:33) ~[pac4j-oidc-1.9.2-20160824.152133-22.jar:na]
at org.pac4j.core.client.IndirectClientV2.retrieveCredentials(IndirectClientV2.java:53) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:105) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:77) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:53) ~[spring-webmvc-pac4j-1.1.2-20160727.111230-2.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_92]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_92]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_92]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_92]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221) ~[spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136) ~[spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:832) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:743) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:858) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:622) ~[tomcat-embed-core-8.0.33.jar:8.0.33]
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) ~[tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292) ~[tomcat-embed-core-8.0.33.jar:8.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207) ~[tomcat-embed-core-8.0.33.jar:8.0.33]
In the IdentityServer, I see the following error message :
16:08 [INF] (IdentityServer3.Core.Validation.AuthorizeRequestValidator)
Start authorize request protocol validation
Authorize request validation success
{
"ClientId": "test",
"ClientName": "test",
],
"SubjectId": "1",
"ResponseType": "code",
"ResponseMode": "query",
"Flow": "AuthorizationCode",
"RequestedScopes": "openid api1",
"State": "oq_wn1E26PH6oJIGMVW7AlwhwZPEcFMuHQ4sEXVWgac",
"PromptMode": "consent",
"SessionId": "0f4bdbd993102592bc943073527a9b4f",
"Raw": {
"response_type": "code",
"client_id": "test",
"redirect_uri": "http://localhost:8080/callback?client_name=test",
"scope": "openid api1",
"state": "oq_wn1E26PH6oJIGMVW7AlwhwZPEcFMuHQ4sEXVWgac",
"prompt": "consent"
}
}
16:08 [INF] (IdentityServer3.Core.ResponseHandling.AuthorizeResponseGenerator)
Creating Authorization Code Flow response.
Redirecting to: http://localhost:8080/callback?client_name=test
16:08 [INF] (IdentityServer3.Core.Endpoints.TokenEndpointController)
Start token request
16:08 [INF] (IdentityServer3.Core.Validation.SecretParser)
Secret id found: test
16:08 [INF] (IdentityServer3.Core.Validation.SecretValidator)
Secret validators could not validate secret
Client validation failed.
16:08 [INF] (IdentityServer3.Core.Endpoints.TokenEndpointController)
End token request
16:08 [INF] (IdentityServer3.Core.Results.TokenErrorResult)
Returning error: invalid_client
16:08 [INF] (IdentityServer.Infrastructure.Mongo.TokenCleanup)
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
ThomasW
Aug 26, 2016, 6:17:12 AM8/26/16
to pac4j-users, thomas...@gmail.com
I changed it to OidcClient :
Am Freitag, 26. August 2016 09:15:17 UTC+2 schrieb Jérôme LELEU:
oidcClient.setName("test");
oidcClient.setAuthorizationGenerator(profile -> profile.addRole("ROLE_ADMIN"));
final Clients clients = new Clients(oidcClient);
But now getting the following error message :
org.pac4j.core.exception.TechnicalException: No client found for name: OidcClient
at org.pac4j.core.client.Clients.findClient(Clients.java:148) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.client.Clients.findClient(Clients.java:131) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:70) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:53) ~[spring-webmvc-pac4j-1.1.2-20160727.111230-2.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_92]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_92]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_92]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_92]
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221) ~[spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:136) ~[spring-web-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:832) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:743) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:961) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:895) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:858) ~[spring-webmvc-4.2.6.RELEASE.jar:4.2.6.RELEASE]
Am Freitag, 26. August 2016 09:15:17 UTC+2 schrieb Jérôme LELEU:
Hi,
It must be http://localhost:8080/callback?client_name=Pac4jClientName thus http://localhost:8080/callback?client_name=OidcClient (by default, the class nam is the name) and not http://localhost:8080/callback?client_name=test (not the client_id).Thanks.Best regards,Jérôme
2016-08-25 17:07 GMT+02:00 ThomasW <thomas...@gmail.com>:
I am using pac4j-core-1.9.2-SNAPSHOT now and I configured http://localhost:8080/callback?client_name=test as callback address, but unfortunately, I am getting this error message now :
2016-08-25 16:32:28.290 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/vehicle/events
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : matchers: null
2016-08-25 16:32:28.291 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : clients: test
2016-08-25 16:32:28.292 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@50411518 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@7a52ac86 | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientName: test | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretBasic@740f48c9 | | profileCreator: #OidcProfileCreator#
2016-08-25 16:32:28.296 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : loadProfilesFromSession: true
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : profiles: []
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : Starting authentication
2016-08-25 16:32:28.297 DEBUG 11124 --- [nio-8080-exec-6] o.p.core.engine.DefaultSecurityLogic : requestedUrl: http://localhost:8080/vehicle/events
2016-08-25 16:32:31.743 DEBUG 11124 --- [nio-8080-exec-7] o.p.c.e.J2ERenewSessionCallbackLogic : === CALLBACK ===
2016-08-25 16:32:31.743 DEBUG 11124 --- [nio-8080-exec-7] o.p.c.e.J2ERenewSessionCallbackLogic : client: #OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@50411518 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@7a52ac86 | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientName: test | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@15c6cb10 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretBasic@740f48c9 | | profileCreator: #OidcProfileCreator#
2016-08-25 16:32:31.811 ERROR 11124 --- [nio-8080-exec-7] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client] with root cause
org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:104) ~[pac4j-oidc-1.9.2-20160824.152133-22.jar:na]
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:33) ~[pac4j-oidc-1.9.2-20160824.152133-22.jar:na]
at org.pac4j.core.client.IndirectClientV2.retrieveCredentials(IndirectClientV2.java:53) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:105) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.engine.DefaultCallbackLogic.perform(DefaultCallbackLogic.java:77) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.springframework.web.CallbackController.callback(CallbackController.java:53) ~[</
Jérôme LELEU
Aug 26, 2016, 7:19:27 AM8/26/16
to ThomasW, pac4j-users
Hi,
oidcClient.setCallbackUrl("http://localhost:8080/callback?client_name=OidcClient"); -> oidcClient.setCallbackUrl("http://localhost:8080/callback");
Don't set the client_name by yourself to a value which is not the name of the client. The right client_name will be automatically computed.
Thanks.
Best regards,
Jérôme
--
ThomasW
Aug 26, 2016, 9:40:19 AM8/26/16
to pac4j-users, thomas...@gmail.com
Yes, that's what I did previously, too.
final Clients clients = new Clients (oidcClient);
But the error message is the same :
2016-08-26 15:31:20.834 ERROR 8268 --- [nio-8080-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed;
nested exception is org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client] with root cause
org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:104) ~[pac4j-oidc-1.9.2-20160824.152133-22.jar:na]
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:33) ~[pac4j-oidc-1.9.2-20160824.152133-22.jar:na]
at org.pac4j.core.client.IndirectClientV2.retrieveCredentials(IndirectClientV2.java:53) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:105) ~[pac4j-core-1.9.2-20160824.151851-22.jar:na]
And IdentityServer console :
Start authorize request protocol validation
15:08 [INF] (IdentityServer3.Core.Validation.AuthorizeRequestValidator)
Authorize request validation success
{
"ClientId": "test",
"ClientName": "test",
"RedirectUri": "http://localhost:8080/callback?client_name=test",
"AllowedRedirectUris": [
"http://localhost:8080",
"http://localhost:8080/vehicle/events",
"http://localhost:8080/callback?client_name=test",
],
"SubjectId": "1",
"ResponseType": "code",
"ResponseMode": "query",
"Flow": "AuthorizationCode",
"RequestedScopes": "openid api1",
"State": "EXNweabsZT0wdmgj8N5eOpXZoVW4PzzZIPEV7WjUIBU",
"PromptMode": "consent",
"SessionId": "53950e27dbb6ff89d78b1880b1b93195",
"Raw": {
"response_type": "code",
"client_id": "test",
"redirect_uri": "http://localhost:8080/callback?client_name=test",
"scope": "openid api1",
"state": "EXNweabsZT0wdmgj8N5eOpXZoVW4PzzZIPEV7WjUIBU",
"prompt": "consent"
}
}
15:08 [INF] (IdentityServer3.Core.ResponseHandling.AuthorizeResponseGenerator)
Creating Authorization Code Flow response.
15:08 [INF] (IdentityServer3.Core.Results.AuthorizeRedirectResult)
Redirecting to: http://localhost:8080/callback?client_name=test
15:08 [INF] (IdentityServer3.Core.Endpoints.TokenEndpointController)
Start token request
15:08 [INF] (IdentityServer3.Core.Validation.SecretParser)
Secret id found: test
15:08 [INF] (IdentityServer3.Core.Validation.SecretValidator)
Secret validators could not validate secret
15:08 [INF] (IdentityServer3.Core.Validation.ClientSecretValidator)
Client validation failed.
15:08 [INF] (IdentityServer3.Core.Endpoints.TokenEndpointController)
End token request
15:08 [INF] (IdentityServer3.Core.Results.TokenErrorResult)
Returning error: invalid_client
ThomasW
Aug 26, 2016, 9:42:32 AM8/26/16
to pac4j-users, thomas...@gmail.com
Jérôme LELEU
Aug 26, 2016, 9:47:11 AM8/26/16
to pac4j-users, thomas...@gmail.com
Hi,
This is an OpenID Connect error: are you sure you have oidcClient.setClientId("test"); ?
Thanks.
Best regards,
Jérôme
"<a href="http://localhost:8080/vehicle/events" target="_blank" rel="nofollow" onmousedown="this.href='http://www.google.com/url?q\x3dhttp%3A%2F%2Flocalhost%3A8080%2Fvehicle%2Fevents\x26sa\x3dD\x26sntz\x3d1\x26usg\x3dAFQjCNGOFKeThcbjZ9NwLVe20HKe7_bqDg';return true;" onclick="this.href='http://www.google.com/ur
ThomasW
Aug 26, 2016, 9:59:03 AM8/26/16
to pac4j-users, thomas...@gmail.com
Yes I did :
final OidcConfiguration oidcConfiguration = new OidcConfiguration();
oidcConfiguration.setClientId("test");
oidcConfiguration.setSecret("6A23B244-5713-4A25-5E68-61B6B8A5E131"");
oidcConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
oidcConfiguration.setDiscoveryURI("http://localhost:44333//.well-known/openid-configuration");
oidcConfiguration.setScope("openid api1");
oidcConfiguration.addCustomParam("prompt", "consent");
OidcClient oidcClient = new OidcClient(oidcConfiguration);
oidcClient.setName("test");
oidcClient.setAuthorizationGenerator(profile -> profile.addRole("ROLE_ADMIN"));
final Clients clients = new Clients(oidcClient);Jérôme LELEU
Aug 26, 2016, 10:08:09 AM8/26/16
to ThomasW, pac4j-users
Can you turn on DEBUG logs on org.pac4j to see the reply of IdentityServer3?
--
ThomasW
Aug 26, 2016, 10:19:46 AM8/26/16
to pac4j-users, thomas...@gmail.com
These two files were already in DEBUG model :
logging.level.org.pac4j.springframework.web=DEBUG
logging.level.org.pac4j.core.engine=DEBUG
Output of pac4j :
2016-08-26 15:31:14.446 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===
2016-08-26 15:31:14.447 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/vehicle/events
2016-08-26 15:31:14.452 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : matchers: null
2016-08-26 15:31:14.453 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : clients: test
2016-08-26 15:31:14.454 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@7aa98696 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@15bae9a1 | redirectActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@5b3db711 | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: null | callbackUrl: null | responseType: null | responseMode: null | |]
2016-08-26 15:31:14.454 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : loadProfilesFromSession: true
2016-08-26 15:31:14.467 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : profiles: []
2016-08-26 15:31:14.468 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : Starting authentication
2016-08-26 15:31:14.468 DEBUG 8268 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : requestedUrl: http://localhost:8080/vehicle/events
2016-08-26 15:31:19.928 DEBUG 8268 --- [nio-8080-exec-2] o.p.c.e.J2ERenewSessionCallbackLogic : === CALLBACK ===
2016-08-26 15:31:19.929 DEBUG 8268 --- [nio-8080-exec-2] o.p.c.e.J2ERenewSessionCallbackLogic : client: #OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@7aa98696 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@15bae9a1 | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@a89fb2 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@a89fb2 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientName: test | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@a89fb2 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientAuthentication: null | | profileCreator: #OidcProfileCreator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@a89fb2 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clazz: class org.pac4j.oidc.profile.OidcProfile | | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:44333//.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@a89fb2 | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | |
2016-08-26 15:31:20.834 ERROR 8268 --- [nio-8080-exec-2] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_client] with root cause
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
Jérôme LELEU
Aug 26, 2016, 10:20:35 AM8/26/16
to ThomasW, pac4j-users
This one is needed also: org.pac4j.oidc
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
Jérôme LELEU
Aug 26, 2016, 10:53:33 AM8/26/16
to ThomasW, pac4j-users
Disappointing: 2016-08-26 16:30:26.817 DEBUG 6340 --- [nio-8080-exec-2] o.p.o.c.authenticator.OidcAuthenticator : Token response: status=400, content={"error":"invalid_client"}
Reviewing your previous posts, I see:
16:32 [INF] (IdentityServer3.Core.Validation.SecretParser)
Secret id found: test
16:32 [INF] (IdentityServer3.Core.Validation.SecretValidator)
Secret id found: test
16:32 [INF] (IdentityServer3.Core.Validation.SecretValidator)
Secret validators could not validate secret
16:32 [INF] (IdentityServer3.Core.Validation.ClientSecretValidator)
Client validation failed.
16:32 [INF] (IdentityServer3.Core.Endpoints.TokenEndpointController)
Client validation failed.
16:32 [INF] (IdentityServer3.Core.Endpoints.TokenEndpointController)
Something wrong with the secret?
--
ThomasW
Aug 26, 2016, 11:31:42 AM8/26/16
to pac4j-users, thomas...@gmail.com
No, the secret is really matching with that secret of the IdentityServer. I double-checked it.
<div dir="ltr"
Jérôme LELEU
Aug 26, 2016, 12:27:42 PM8/26/16
to ThomasW, pac4j-users
Very strange: it works for me.
On Spring Boot application side:
final OidcConfiguration oidcConfiguration = new OidcConfiguration();
oidcConfiguration.setClientId("test");
oidcConfiguration.setSecret("secret");
oidcConfiguration.setUseNonce(true);
oidcConfiguration.setDiscoveryURI("http://localhost:5000/.well-known/openid-configuration");
oidcConfiguration.setScope("openid api1");
oidcConfiguration.setClientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
oidcConfiguration.addCustomParam("prompt", "consent");
final OidcClient oidcClient = new OidcClient(oidcConfiguration);
oidcClient.setName("test");
oidcClient.setCallbackUrl("http://localhost:8080/callback");
On IdentityServer3 side:
new Client
{
ClientName = "test",
ClientId = "test",
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
// server to server communication
Flow = Flows.AuthorizationCode,
//Flow = Flows.Implicit,
RedirectUris = new List<string>
{
},
// only allowed to access api1
AllowedScopes = new List<string>
{
"openid",
"api1"
}
},
Do you see a relevant difference with your configuration?
--
ThomasW
Aug 29, 2016, 12:32:19 PM8/29/16
to pac4j-users, thomas...@gmail.com
No difference in my configuration. It looks the same in Spring Boot and IdentityServer3 as yours.
Can you confirm this Authorization Code Flow with your sample code :
- client invokes the pac4j-secured REST endpoint /vehicle
- the client will be forwarded to the IdentityServer for authorization/authenication.
- After the IdentityServer successfully authorizes the the request, the client will be forwarded to the REST endpoint.
- client can access the REST endpoint and retrieve the desired data.
I am a bit unsure whether I have to perform some additional ID token validation at my REST service endpoint where the client will be directed to.
Jérôme LELEU
Aug 30, 2016, 12:52:12 AM8/30/16
to ThomasW, pac4j-users
Hi,
Yes, I confirm the flow and nothing additional is required. Let's try to figure out the issue.
I committed my code on the identityserver3 branch: https://github.com/pac4j/spring-webmvc-pac4j-boot-demo/tree/identityserver3
For me, it works perfectly.
Can you test with it? You may need to change the port
I hope this will give us some hint.
Thanks.
Best regards,
Jérôme
PS:
On identity server side. I cloned: g...@github.com:IdentityServer/IdentityServer3.Samples.git
In the directory: IdentityServer3.Samples/source/AspNet5/src/IdentityServer, I only changed the Clients.cs file to:
using System.Collections.Generic;using IdentityServer3.Core.Models;namespace IdentityServer.Configuration{public class Clients{public static List<Client> Get(){return new List<Client>{
new Client{ClientName = "test",ClientId = "test",ClientSecrets = new List<Secret>{new Secret("secret".Sha256())},// server to server communicationFlow = Flows.AuthorizationCode,//Flow = Flows.Implicit,RedirectUris = new List<string>{},// only allowed to access api1AllowedScopes = new List<string>{"openid","api1"}},
new Client{ClientName = "MVC6 Demo Client",ClientId = "mvc6",// human involved
Flow = Flows.Implicit,RedirectUris = new List<string>{
},PostLogoutRedirectUris = new List<string>{},// access to identity data and api1
AllowedScopes = new List<string>{"openid",
"email","profile","api1"}}};}}}
I run:
dnu restore
dnx web
--
Message has been deleted
Message has been deleted
ThomasW
Sep 2, 2016, 10:34:30 AM9/2/16
to pac4j-users, thomas...@gmail.com
Sorry for the late reply !
Yes, I have the same configuration. Can you please paste your logging information from pac4j and IdentityServer here ?
I also tried to validate pac4j OIDC client with another OpenID connect server.
I created an OIDC server on https://mitreid.org/manage/dev/dynreg/new (signed in there as Administrator) and then selected Self-service client registration.
When running pac4j, I get this error message from Mitre OIDC server in my webbrowser :
{"error":"invalid_client","error_description":"Client with id 575dd7eb-50b9-441e-9bc7-ee62cf42d721 was not found"}
But I changed my client ID and secret according to the mitre OIDC server config as you can see in the pac4j logs :
2016-09-02 16:22:08.517 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===
2016-09-02 16:22:08.518 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/vehicle/events
2016-09-02 16:22:08.521 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : matchers: null
2016-09-02 16:22:08.522 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : clients: test
2016-09-02 16:22:08.523 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@7269de4f | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@11d8111d | redirectActionBuilder: null | credentialsExtractor: null | authenticator: null | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@2091d9a0 | configuration: #OidcConfiguration# | clientId: a6c9f887-5ccc-46da-8bf7-cc2b70067ffc | discoveryURI: https://mitreid.org/.well-known/openid-configuration | scope: openid | customParams: {} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: RS256 | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: null | callbackUrl: null | responseType: null | responseMode: null | |]
2016-09-02 16:22:08.524 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : loadProfilesFromSession: true
2016-09-02 16:22:08.539 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : profiles: []
2016-09-02 16:22:08.540 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : Starting authentication
2016-09-02 16:22:08.540 DEBUG 5292 --- [nio-8080-exec-1] o.p.core.engine.DefaultSecurityLogic : requestedUrl: http://localhost:8080/vehicle/events
2016-09-02 16:22:11.028 DEBUG 5292 --- [nio-8080-exec-1] o.p.o.r.OidcRedirectActionBuilder : Authentication request url: https://mitreid.org/authorize?response_type=code&client_id=a6c9f887-5ccc-46da-8bf7-cc2b70067ffc&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback%3Fclient_name%3Dtest&scope=openid&state=VGa2Y5PY_oo6NEdbHP2-r5rRfpyoKknZtzhsC7iOih4Is Mitre ODIC also working for you ?
My OIDC server configuration at mitre website :
For dynamic client registration :
{
"client_id": "a6c9f887-5ccc-46da-8bf7-cc2b70067ffc",
"client_secret": "AMbuJ8y62YEV7bpKGsrkAx_v1R0puSRXr9GXw5W_EZtDN7AO_su8Pp15JY7IAY78C2hyXrlMQpNOKR3WRDSg5R8",
"redirect_uris": [
"http://localhost:8080/callback?client_name=test"
],
"client_name": "test",
"client_uri": null,
"logo_uri": null,
"contacts": [
"ad...@example.com"
],
"tos_uri": null,
"token_endpoint_auth_method": "client_secret_basic",
"scope": "openid",
"grant_types": [
"authorization_code"
],
"response_types": [
"code"
],
"policy_uri": null,
"jwks_uri": null,
"jwks": null,
"jwksType": "URI",
"application_type": "WEB",
"sector_identifier_uri": null,
"subject_type": "PUBLIC",
"request_object_signing_alg": null,
"userinfo_signed_response_alg": null,
"userinfo_encrypted_response_alg": null,
"userinfo_encrypted_response_enc": null,
"id_token_signed_response_alg": null,
"id_token_encrypted_response_alg": null,
"id_token_encrypted_response_enc": null,
"default_max_age": 60000,
"require_auth_time": true,
"default_acr_values": [],
"initiate_login_uri": null,
"post_logout_redirect_uris": [],
"claims_redirect_uris": [],
"request_uris": [],
"registration_access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6InJzYTEifQ.eyJpc3MiOiJodHRwczpcL1wvbWl0cmVpZC5vcmdcLyIsImF1ZCI6ImE2YzlmODg3LTVjY2MtNDZkYS04YmY3LWNjMmI3MDA2N2ZmYyIsImp0aSI6IjE3ZWM2Y2NmLWIwMjEtNDBjYi05N2FmLTFhNzliNWJmNGMzZSIsImlhdCI6MTQ3MjgyNDg4N30.DeX1aIQQmnm7dk03AMCTFBc_Bc4xnS_4Nzk-9gaJTkhpOlIddXIFVlCgW_GfClGulPS6yuvLE3VwGw7b8RgMUo2wNUhyJw8vKyi1sdj45jBznPrRhm-bUQ-X26Sl7mTMfdj74ezKOsJP03HHtbs9KgJ0Xfo32ZG_LeW5j8K_fviDURQTNY3IjQ_ve8VRIwXkcmNO41tkPYuPMjt4C5v-WqmxNxKIS4Qgz0Nq3jJISdSbuEb-aj0Dl1oVYlvwlZOp9wDSCerm59XD6ah5-Ai7g_4frLVqfWvseMhO-xihL7KmuLu7sDGkLdgrWgn1H0X4y3K5ddZ0PxO-dxAiJPriyQ",
"registration_client_uri": "https://mitreid.org/register/a6c9f887-5ccc-46da-8bf7-cc2b70067ffc",
"token_endpoint_auth_signing_alg": null,
"client_secret_expires_at": 0,
"client_id_issued_at": 1472824887
}Jérôme LELEU
Sep 5, 2016, 12:01:54 PM9/5/16
to ThomasW, pac4j-users
Hi,
No problem.
Here are my Spring Boot app logs:
2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/oidc/index.html2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : matchers: null2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : clients: test2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@3bcf355b | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@6a4cd1fb | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientName: test | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretBasic@569b8363 | | profileCreator: #OidcProfileCreator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clazz: class org.pac4j.oidc.profile.OidcProfile | | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | |]2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : loadProfilesFromSession: true2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : profiles: []2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : Starting authentication2016-09-05 17:57:45.070 DEBUG 5010 --- [nio-8080-exec-3] o.p.core.engine.DefaultSecurityLogic : requestedUrl: http://localhost:8080/oidc/index.html2016-09-05 17:57:45.071 DEBUG 5010 --- [nio-8080-exec-3] o.p.o.r.OidcRedirectActionBuilder : Authentication request url: http://localhost:5000/connect/authorize?response_type=code&client_id=test&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback%3Fclient_name%3Dtest&scope=openid+api1&state=3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE&nonce=lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0&prompt=consent2016-09-05 17:57:51.945 DEBUG 5010 --- [nio-8080-exec-4] o.p.c.e.J2ERenewSessionCallbackLogic : === CALLBACK ===2016-09-05 17:57:51.945 DEBUG 5010 --- [nio-8080-exec-4] o.p.c.e.J2ERenewSessionCallbackLogic : client: #OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@3bcf355b | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@6a4cd1fb | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientName: test | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretBasic@569b8363 | | profileCreator: #OidcProfileCreator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clazz: class org.pac4j.oidc.profile.OidcProfile | | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | |2016-09-05 17:57:51.945 DEBUG 5010 --- [nio-8080-exec-4] o.p.o.c.extractor.OidcExtractor : Authentication response successful2016-09-05 17:57:52.070 DEBUG 5010 --- [nio-8080-exec-4] o.p.o.c.authenticator.OidcAuthenticator : Token response: status=200, content={"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJub25jZSI6ImxLbzh0dFg5MHQ3WVA5NmNGanpKMDh6LUY5ejBvYW5HaGdweEw3SkUzaDAiLCJpYXQiOjE0NzMwOTEwNzIsInN1YiI6IjgxODcyNyIsImFtciI6WyJwYXNzd29yZCJdLCJhdXRoX3RpbWUiOjE0NzMwOTEwNjksImlkcCI6Imlkc3J2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoidGVzdCIsImV4cCI6MTQ3MzA5MTM3MiwibmJmIjoxNDczMDkxMDcyfQ.JbcDzF2ObE92o1RkDORVcrfqHQTwcnq8_p_QdfEXM_0JFyDApN2m8im-lvjjD35utU82iYd0KO0BUeIsIAGZH-J9VzZYJ7GC1WrElCiX7ikFWmZTTiDCOpXIQdlSRJ_3s70Xq3wW3kEG_tcpjoDdcneEQOjfrtjCejtyFYOtwQ36a-V4K0_Xw203P8E0MDfqzSuAL5SH-d8L6m8hP1yuvvpvV3NAFpqpeUIwvOXLZlHVh32p2gA0EoGmd63V6U8n93K5hhLHYj95y4JKXQ47mdljkx_ShJU6RnbbZnXdhfQp5QSSpth0Tg0rNb664xKKFHTZtGQrS8FCK650qUWI1g","access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJjbGllbnRfaWQiOiJ0ZXN0Iiwic2NvcGUiOlsib3BlbmlkIiwiYXBpMSJdLCJzdWIiOiI4MTg3MjciLCJhbXIiOlsicGFzc3dvcmQiXSwiYXV0aF90aW1lIjoxNDczMDkxMDY5LCJpZHAiOiJpZHNydiIsInJvbGUiOlsiQWRtaW4iLCJHZWVrIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMCIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJleHAiOjE0NzMwOTQ2NzEsIm5iZiI6MTQ3MzA5MTA3MX0.SqpEvHKy3k8c2GyDvAv0ob2tDJtU5bHCYVFCFpH5mLZe0Hpc-6h8PaqEzBJpzga6Vqbg4EXy3BcnsHstshzfmKM-cmclCRg3ow60I4ENlSUovk3kOlku7XFSl_GBLJkdWg3WswXfVOvkp_SAWtmDxvk83Z04pRsh3Xa7JjoW2IaUVbqPuEs3uhmLpyIAqnJCpmAZR1lcqrU2zusUD2uqyFrzbvMqY1NnhYGmRkywX0A8FRD3JnczMKynlMRedSEG-g8cTFM1GQKTCbisQMkfSxNQJsXHxqZavMxkgRZ9LLMAH9cB1Md2XiOTRZsBSFLter1oSjbXimvegGF3uo-ZnQ","expires_in":3600,"token_type":"Bearer"}2016-09-05 17:57:52.070 DEBUG 5010 --- [nio-8080-exec-4] o.p.o.c.authenticator.OidcAuthenticator : Token response successful2016-09-05 17:57:52.071 DEBUG 5010 --- [nio-8080-exec-4] o.p.c.e.J2ERenewSessionCallbackLogic : credentials: #OidcCredentials# | code: c8ff6b4a8b52e79d01d6e74c8a8c0546 | clientName: test | accessToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJjbGllbnRfaWQiOiJ0ZXN0Iiwic2NvcGUiOlsib3BlbmlkIiwiYXBpMSJdLCJzdWIiOiI4MTg3MjciLCJhbXIiOlsicGFzc3dvcmQiXSwiYXV0aF90aW1lIjoxNDczMDkxMDY5LCJpZHAiOiJpZHNydiIsInJvbGUiOlsiQWRtaW4iLCJHZWVrIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMCIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJleHAiOjE0NzMwOTQ2NzEsIm5iZiI6MTQ3MzA5MTA3MX0.SqpEvHKy3k8c2GyDvAv0ob2tDJtU5bHCYVFCFpH5mLZe0Hpc-6h8PaqEzBJpzga6Vqbg4EXy3BcnsHstshzfmKM-cmclCRg3ow60I4ENlSUovk3kOlku7XFSl_GBLJkdWg3WswXfVOvkp_SAWtmDxvk83Z04pRsh3Xa7JjoW2IaUVbqPuEs3uhmLpyIAqnJCpmAZR1lcqrU2zusUD2uqyFrzbvMqY1NnhYGmRkywX0A8FRD3JnczMKynlMRedSEG-g8cTFM1GQKTCbisQMkfSxNQJsXHxqZavMxkgRZ9LLMAH9cB1Md2XiOTRZsBSFLter1oSjbXimvegGF3uo-ZnQ | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@13cef6a1 |2016-09-05 17:57:52.071 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.client.OidcClient : credentials : #OidcCredentials# | code: c8ff6b4a8b52e79d01d6e74c8a8c0546 | clientName: test | accessToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJjbGllbnRfaWQiOiJ0ZXN0Iiwic2NvcGUiOlsib3BlbmlkIiwiYXBpMSJdLCJzdWIiOiI4MTg3MjciLCJhbXIiOlsicGFzc3dvcmQiXSwiYXV0aF90aW1lIjoxNDczMDkxMDY5LCJpZHAiOiJpZHNydiIsInJvbGUiOlsiQWRtaW4iLCJHZWVrIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMCIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJleHAiOjE0NzMwOTQ2NzEsIm5iZiI6MTQ3MzA5MTA3MX0.SqpEvHKy3k8c2GyDvAv0ob2tDJtU5bHCYVFCFpH5mLZe0Hpc-6h8PaqEzBJpzga6Vqbg4EXy3BcnsHstshzfmKM-cmclCRg3ow60I4ENlSUovk3kOlku7XFSl_GBLJkdWg3WswXfVOvkp_SAWtmDxvk83Z04pRsh3Xa7JjoW2IaUVbqPuEs3uhmLpyIAqnJCpmAZR1lcqrU2zusUD2uqyFrzbvMqY1NnhYGmRkywX0A8FRD3JnczMKynlMRedSEG-g8cTFM1GQKTCbisQMkfSxNQJsXHxqZavMxkgRZ9LLMAH9cB1Md2XiOTRZsBSFLter1oSjbXimvegGF3uo-ZnQ | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@13cef6a1 |2016-09-05 17:57:52.071 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: access_token / value: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJjbGllbnRfaWQiOiJ0ZXN0Iiwic2NvcGUiOlsib3BlbmlkIiwiYXBpMSJdLCJzdWIiOiI4MTg3MjciLCJhbXIiOlsicGFzc3dvcmQiXSwiYXV0aF90aW1lIjoxNDczMDkxMDY5LCJpZHAiOiJpZHNydiIsInJvbGUiOlsiQWRtaW4iLCJHZWVrIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMCIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJleHAiOjE0NzMwOTQ2NzEsIm5iZiI6MTQ3MzA5MTA3MX0.SqpEvHKy3k8c2GyDvAv0ob2tDJtU5bHCYVFCFpH5mLZe0Hpc-6h8PaqEzBJpzga6Vqbg4EXy3BcnsHstshzfmKM-cmclCRg3ow60I4ENlSUovk3kOlku7XFSl_GBLJkdWg3WswXfVOvkp_SAWtmDxvk83Z04pRsh3Xa7JjoW2IaUVbqPuEs3uhmLpyIAqnJCpmAZR1lcqrU2zusUD2uqyFrzbvMqY1NnhYGmRkywX0A8FRD3JnczMKynlMRedSEG-g8cTFM1GQKTCbisQMkfSxNQJsXHxqZavMxkgRZ9LLMAH9cB1Md2XiOTRZsBSFLter1oSjbXimvegGF3uo-ZnQ / class com.nimbusds.oauth2.sdk.token.BearerAccessToken2016-09-05 17:57:52.071 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: id_token / value: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJub25jZSI6ImxLbzh0dFg5MHQ3WVA5NmNGanpKMDh6LUY5ejBvYW5HaGdweEw3SkUzaDAiLCJpYXQiOjE0NzMwOTEwNzIsInN1YiI6IjgxODcyNyIsImFtciI6WyJwYXNzd29yZCJdLCJhdXRoX3RpbWUiOjE0NzMwOTEwNjksImlkcCI6Imlkc3J2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoidGVzdCIsImV4cCI6MTQ3MzA5MTM3MiwibmJmIjoxNDczMDkxMDcyfQ.JbcDzF2ObE92o1RkDORVcrfqHQTwcnq8_p_QdfEXM_0JFyDApN2m8im-lvjjD35utU82iYd0KO0BUeIsIAGZH-J9VzZYJ7GC1WrElCiX7ikFWmZTTiDCOpXIQdlSRJ_3s70Xq3wW3kEG_tcpjoDdcneEQOjfrtjCejtyFYOtwQ36a-V4K0_Xw203P8E0MDfqzSuAL5SH-d8L6m8hP1yuvvpvV3NAFpqpeUIwvOXLZlHVh32p2gA0EoGmd63V6U8n93K5hhLHYj95y4JKXQ47mdljkx_ShJU6RnbbZnXdhfQp5QSSpth0Tg0rNb664xKKFHTZtGQrS8FCK650qUWI1g / class java.lang.String2016-09-05 17:57:52.071 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : identifier: 8187272016-09-05 17:57:52.112 DEBUG 5010 --- [nio-8080-exec-4] o.p.o.p.creator.OidcProfileCreator : Token response: status=200, content={"sub":"818727"}2016-09-05 17:57:52.112 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: sub / value: 818727 / class java.lang.String2016-09-05 17:57:52.112 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: aud / value: [test] / class java.util.ArrayList2016-09-05 17:57:52.112 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: nbf / value: 2016-09-05T17:57:52CEST / class org.pac4j.core.profile.FormattedDate2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: idp / value: idsrv / class java.lang.String2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: amr / value: ["password"] / class net.minidev.json.JSONArray2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: auth_time / value: 2016-09-05T17:57:49CEST / class org.pac4j.core.profile.FormattedDate2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: iss / value: http://localhost:5000 / class java.lang.String2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: exp / value: 2016-09-05T18:02:52CEST / class org.pac4j.core.profile.FormattedDate2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: nonce / value: lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0 / class java.lang.String2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.profile.OidcProfile : converted to => key: iat / value: 2016-09-05T17:57:52CEST / class org.pac4j.core.profile.FormattedDate2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] org.pac4j.oidc.client.OidcClient : profile: #OidcProfile# | id: 818727 | attributes: {access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJjbGllbnRfaWQiOiJ0ZXN0Iiwic2NvcGUiOlsib3BlbmlkIiwiYXBpMSJdLCJzdWIiOiI4MTg3MjciLCJhbXIiOlsicGFzc3dvcmQiXSwiYXV0aF90aW1lIjoxNDczMDkxMDY5LCJpZHAiOiJpZHNydiIsInJvbGUiOlsiQWRtaW4iLCJHZWVrIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMCIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJleHAiOjE0NzMwOTQ2NzEsIm5iZiI6MTQ3MzA5MTA3MX0.SqpEvHKy3k8c2GyDvAv0ob2tDJtU5bHCYVFCFpH5mLZe0Hpc-6h8PaqEzBJpzga6Vqbg4EXy3BcnsHstshzfmKM-cmclCRg3ow60I4ENlSUovk3kOlku7XFSl_GBLJkdWg3WswXfVOvkp_SAWtmDxvk83Z04pRsh3Xa7JjoW2IaUVbqPuEs3uhmLpyIAqnJCpmAZR1lcqrU2zusUD2uqyFrzbvMqY1NnhYGmRkywX0A8FRD3JnczMKynlMRedSEG-g8cTFM1GQKTCbisQMkfSxNQJsXHxqZavMxkgRZ9LLMAH9cB1Md2XiOTRZsBSFLter1oSjbXimvegGF3uo-ZnQ, sub=818727, aud=[test], nbf=2016-09-05T17:57:52CEST, idp=idsrv, amr=["password"], auth_time=2016-09-05T17:57:49CEST, id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJub25jZSI6ImxLbzh0dFg5MHQ3WVA5NmNGanpKMDh6LUY5ejBvYW5HaGdweEw3SkUzaDAiLCJpYXQiOjE0NzMwOTEwNzIsInN1YiI6IjgxODcyNyIsImFtciI6WyJwYXNzd29yZCJdLCJhdXRoX3RpbWUiOjE0NzMwOTEwNjksImlkcCI6Imlkc3J2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoidGVzdCIsImV4cCI6MTQ3MzA5MTM3MiwibmJmIjoxNDczMDkxMDcyfQ.JbcDzF2ObE92o1RkDORVcrfqHQTwcnq8_p_QdfEXM_0JFyDApN2m8im-lvjjD35utU82iYd0KO0BUeIsIAGZH-J9VzZYJ7GC1WrElCiX7ikFWmZTTiDCOpXIQdlSRJ_3s70Xq3wW3kEG_tcpjoDdcneEQOjfrtjCejtyFYOtwQ36a-V4K0_Xw203P8E0MDfqzSuAL5SH-d8L6m8hP1yuvvpvV3NAFpqpeUIwvOXLZlHVh32p2gA0EoGmd63V6U8n93K5hhLHYj95y4JKXQ47mdljkx_ShJU6RnbbZnXdhfQp5QSSpth0Tg0rNb664xKKFHTZtGQrS8FCK650qUWI1g, iss=http://localhost:5000, exp=2016-09-05T18:02:52CEST, nonce=lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0, iat=2016-09-05T17:57:52CEST} | roles: [] | permissions: [] | isRemembered: false |2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] o.p.c.e.J2ERenewSessionCallbackLogic : profile: #OidcProfile# | id: 818727 | attributes: {access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJjbGllbnRfaWQiOiJ0ZXN0Iiwic2NvcGUiOlsib3BlbmlkIiwiYXBpMSJdLCJzdWIiOiI4MTg3MjciLCJhbXIiOlsicGFzc3dvcmQiXSwiYXV0aF90aW1lIjoxNDczMDkxMDY5LCJpZHAiOiJpZHNydiIsInJvbGUiOlsiQWRtaW4iLCJHZWVrIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMCIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJleHAiOjE0NzMwOTQ2NzEsIm5iZiI6MTQ3MzA5MTA3MX0.SqpEvHKy3k8c2GyDvAv0ob2tDJtU5bHCYVFCFpH5mLZe0Hpc-6h8PaqEzBJpzga6Vqbg4EXy3BcnsHstshzfmKM-cmclCRg3ow60I4ENlSUovk3kOlku7XFSl_GBLJkdWg3WswXfVOvkp_SAWtmDxvk83Z04pRsh3Xa7JjoW2IaUVbqPuEs3uhmLpyIAqnJCpmAZR1lcqrU2zusUD2uqyFrzbvMqY1NnhYGmRkywX0A8FRD3JnczMKynlMRedSEG-g8cTFM1GQKTCbisQMkfSxNQJsXHxqZavMxkgRZ9LLMAH9cB1Md2XiOTRZsBSFLter1oSjbXimvegGF3uo-ZnQ, sub=818727, aud=[test], nbf=2016-09-05T17:57:52CEST, idp=idsrv, amr=["password"], auth_time=2016-09-05T17:57:49CEST, id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJub25jZSI6ImxLbzh0dFg5MHQ3WVA5NmNGanpKMDh6LUY5ejBvYW5HaGdweEw3SkUzaDAiLCJpYXQiOjE0NzMwOTEwNzIsInN1YiI6IjgxODcyNyIsImFtciI6WyJwYXNzd29yZCJdLCJhdXRoX3RpbWUiOjE0NzMwOTEwNjksImlkcCI6Imlkc3J2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoidGVzdCIsImV4cCI6MTQ3MzA5MTM3MiwibmJmIjoxNDczMDkxMDcyfQ.JbcDzF2ObE92o1RkDORVcrfqHQTwcnq8_p_QdfEXM_0JFyDApN2m8im-lvjjD35utU82iYd0KO0BUeIsIAGZH-J9VzZYJ7GC1WrElCiX7ikFWmZTTiDCOpXIQdlSRJ_3s70Xq3wW3kEG_tcpjoDdcneEQOjfrtjCejtyFYOtwQ36a-V4K0_Xw203P8E0MDfqzSuAL5SH-d8L6m8hP1yuvvpvV3NAFpqpeUIwvOXLZlHVh32p2gA0EoGmd63V6U8n93K5hhLHYj95y4JKXQ47mdljkx_ShJU6RnbbZnXdhfQp5QSSpth0Tg0rNb664xKKFHTZtGQrS8FCK650qUWI1g, iss=http://localhost:5000, exp=2016-09-05T18:02:52CEST, nonce=lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0, iat=2016-09-05T17:57:52CEST} | roles: [] | permissions: [] | isRemembered: false |2016-09-05 17:57:52.113 DEBUG 5010 --- [nio-8080-exec-4] o.p.c.e.J2ERenewSessionCallbackLogic : Discard old session and replace by a new one...2016-09-05 17:57:52.114 DEBUG 5010 --- [nio-8080-exec-4] o.p.c.e.J2ERenewSessionCallbackLogic : redirectUrl: http://localhost:8080/oidc/index.html2016-09-05 17:57:52.116 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : === SECURITY ===2016-09-05 17:57:52.116 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : url: http://localhost:8080/oidc/index.html2016-09-05 17:57:52.116 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : matchers: null2016-09-05 17:57:52.116 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : clients: test2016-09-05 17:57:52.116 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: test | callbackUrl: http://localhost:8080/callback?client_name=test | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@3bcf355b | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@6a4cd1fb | redirectActionBuilder: #OidcRedirectActionBuilder# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | | credentialsExtractor: #OidcExtractor# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientName: test | | authenticator: #OidcAuthenticator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clientAuthentication: com.nimbusds.oauth2.sdk.auth.ClientSecretBasic@569b8363 | | profileCreator: #OidcProfileCreator# | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | | clazz: class org.pac4j.oidc.profile.OidcProfile | | configuration: #OidcConfiguration# | clientId: test | discoveryURI: http://localhost:5000/.well-known/openid-configuration | scope: openid api1 | customParams: {prompt=consent} | clientAuthenticationMethod: client_secret_basic | useNonce: true | preferredJwsAlgorithm: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@68023e6d | callbackUrl: http://localhost:8080/callback?client_name=test | responseType: null | responseMode: null | |]2016-09-05 17:57:52.116 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : loadProfilesFromSession: true2016-09-05 17:57:52.117 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : profiles: [#OidcProfile# | id: 818727 | attributes: {access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJjbGllbnRfaWQiOiJ0ZXN0Iiwic2NvcGUiOlsib3BlbmlkIiwiYXBpMSJdLCJzdWIiOiI4MTg3MjciLCJhbXIiOlsicGFzc3dvcmQiXSwiYXV0aF90aW1lIjoxNDczMDkxMDY5LCJpZHAiOiJpZHNydiIsInJvbGUiOlsiQWRtaW4iLCJHZWVrIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMCIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJleHAiOjE0NzMwOTQ2NzEsIm5iZiI6MTQ3MzA5MTA3MX0.SqpEvHKy3k8c2GyDvAv0ob2tDJtU5bHCYVFCFpH5mLZe0Hpc-6h8PaqEzBJpzga6Vqbg4EXy3BcnsHstshzfmKM-cmclCRg3ow60I4ENlSUovk3kOlku7XFSl_GBLJkdWg3WswXfVOvkp_SAWtmDxvk83Z04pRsh3Xa7JjoW2IaUVbqPuEs3uhmLpyIAqnJCpmAZR1lcqrU2zusUD2uqyFrzbvMqY1NnhYGmRkywX0A8FRD3JnczMKynlMRedSEG-g8cTFM1GQKTCbisQMkfSxNQJsXHxqZavMxkgRZ9LLMAH9cB1Md2XiOTRZsBSFLter1oSjbXimvegGF3uo-ZnQ, sub=818727, aud=[test], nbf=2016-09-05T17:57:52CEST, idp=idsrv, amr=["password"], auth_time=2016-09-05T17:57:49CEST, id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJub25jZSI6ImxLbzh0dFg5MHQ3WVA5NmNGanpKMDh6LUY5ejBvYW5HaGdweEw3SkUzaDAiLCJpYXQiOjE0NzMwOTEwNzIsInN1YiI6IjgxODcyNyIsImFtciI6WyJwYXNzd29yZCJdLCJhdXRoX3RpbWUiOjE0NzMwOTEwNjksImlkcCI6Imlkc3J2IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjoidGVzdCIsImV4cCI6MTQ3MzA5MTM3MiwibmJmIjoxNDczMDkxMDcyfQ.JbcDzF2ObE92o1RkDORVcrfqHQTwcnq8_p_QdfEXM_0JFyDApN2m8im-lvjjD35utU82iYd0KO0BUeIsIAGZH-J9VzZYJ7GC1WrElCiX7ikFWmZTTiDCOpXIQdlSRJ_3s70Xq3wW3kEG_tcpjoDdcneEQOjfrtjCejtyFYOtwQ36a-V4K0_Xw203P8E0MDfqzSuAL5SH-d8L6m8hP1yuvvpvV3NAFpqpeUIwvOXLZlHVh32p2gA0EoGmd63V6U8n93K5hhLHYj95y4JKXQ47mdljkx_ShJU6RnbbZnXdhfQp5QSSpth0Tg0rNb664xKKFHTZtGQrS8FCK650qUWI1g, iss=http://localhost:5000, exp=2016-09-05T18:02:52CEST, nonce=lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0, iat=2016-09-05T17:57:52CEST} | roles: [] | permissions: [] | isRemembered: false |]2016-09-05 17:57:52.117 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : authorizers: null2016-09-05 17:57:52.117 DEBUG 5010 --- [nio-8080-exec-2] o.p.core.engine.DefaultSecurityLogic : authenticated and authorized -> grant access
Here are my IdentityServer3 logs:
Application started. Press Ctrl+C to shut down.info: Microsoft.AspNet.Hosting.Internal.HostingEngine[1][17:57:45 INF] Start authorize request[17:57:45 INF] Start authorize request protocol validation[17:57:45 INF] Authorize request validation success
{"ClientId": "test","ClientName": "test","RedirectUri": "http://localhost:8080/callback?client_name=test","AllowedRedirectUris": [
],"SubjectId": "unknown",
"ResponseType": "code","ResponseMode": "query","Flow": "AuthorizationCode","RequestedScopes": "openid api1",
"State": "3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE","Nonce": "lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0","PromptMode": "consent",
"Raw": {"response_type": "code","client_id": "test","redirect_uri": "http://localhost:8080/callback?client_name=test","scope": "openid api1",
"state": "3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE","nonce": "lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0","prompt": "consent"}}[17:57:45 INF] User is not authenticated. Redirecting to login.[17:57:45 INF] End authorize request[17:57:45 INF] Redirecting to login page[17:57:45 DBG] Protecting message: {"ReturnUrl":"http://localhost:5000/connect/authorize?response_type=code&client_id=test&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback%3Fclient_name%3Dtest&scope=openid%20api1&state=3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE&nonce=lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0&prompt=consent","ClientId":"test","AcrValues":[],"Created":636086878652145190}info: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0293ms 302info: Microsoft.AspNet.Hosting.Internal.HostingEngine[1]Request starting HTTP/1.1 GET http://localhost:5000/login?signin=36690a7a7d2b8e27f975b6b210a2c429[17:57:45 INF] Login page requested[17:57:45 DBG] signin message passed to login: {"ClientId": "test","IdP": null,"Tenant": null,"LoginHint": null,"DisplayMode": null,"UiLocales": null,"AcrValues": [],"Created": 636086878652145190}[17:57:45 INF] rendering login pageinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0106ms 200 text/html; charset=utf-8info: Microsoft.AspNet.Hosting.Internal.HostingEngine[1]Request starting HTTP/1.1 GET http://localhost:5000/assets/styles.min.cssinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[1]Request starting HTTP/1.1 GET http://localhost:5000/assets/scripts.2.0.0.jsinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0016ms 200 application/javascriptinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0017ms 200 text/cssinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[1]Request starting HTTP/1.1 POST http://localhost:5000/login?signin=36690a7a7d2b8e27f975b6b210a2c429 application/x-www-form-urlencoded 196[17:57:49 INF] Login page submitted[17:57:49 INF] Login credentials successfully validated by user service[17:57:49 INF] Calling PostAuthenticateAsync on the user service[17:57:49 INF] issuing primary signin cookie[17:57:49 INF] redirecting to: http://localhost:5000/connect/authorize?response_type=code&client_id=test&redirect_uri=http:%2F%2Flocalhost:8080%2Fcallback%3Fclient_name%3Dtest&scope=openid api1&state=3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE&nonce=lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0&prompt=consentinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0059ms 302info: Microsoft.AspNet.Hosting.Internal.HostingEngine[1][17:57:49 INF] Start authorize request[17:57:49 INF] Start authorize request protocol validation[17:57:49 INF] Authorize request validation success
{"ClientId": "test","ClientName": "test","RedirectUri": "http://localhost:8080/callback?client_name=test","AllowedRedirectUris": [
],"SubjectId": "818727",
"ResponseType": "code","ResponseMode": "query","Flow": "AuthorizationCode","RequestedScopes": "openid api1",
"State": "3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE","Nonce": "lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0","PromptMode": "consent","SessionId": "fc214dc67e962859fb36749e6c577f3a",
"Raw": {"response_type": "code","client_id": "test","redirect_uri": "http://localhost:8080/callback?client_name=test","scope": "openid api1",
"state": "3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE","nonce": "lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0","prompt": "consent"}}[17:57:49 INF] Showing consent screen[17:57:49 INF] End authorize requestinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0021ms 200 text/html; charset=utf-8info: Microsoft.AspNet.Hosting.Internal.HostingEngine[1]Request starting HTTP/1.1 GET http://localhost:5000/assets/libs/fonts/glyphicons-halflings-regular.woffinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0001ms 200 application/font-woffinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[1]Request starting HTTP/1.1 POST http://localhost:5000/connect/consent?response_type=code&client_id=test&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback%3Fclient_name%3Dtest&scope=openid%20api1&state=3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE&nonce=lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0&prompt=consent application/x-www-form-urlencoded 210[17:57:51 INF] Resuming from consent, restarting validation[17:57:51 INF] Start authorize request protocol validation[17:57:51 INF] Authorize request validation success
{"ClientId": "test","ClientName": "test","RedirectUri": "http://localhost:8080/callback?client_name=test","AllowedRedirectUris": [
],"SubjectId": "818727",
"ResponseType": "code","ResponseMode": "query","Flow": "AuthorizationCode","RequestedScopes": "openid api1",
"State": "3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE","Nonce": "lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0","PromptMode": "consent","SessionId": "fc214dc67e962859fb36749e6c577f3a",
"Raw": {"response_type": "code","client_id": "test","redirect_uri": "http://localhost:8080/callback?client_name=test","scope": "openid api1",
"state": "3s4B7RoEXIDpH33wZDyEoV3_gyeTMNGLZGvy9P67LCE","nonce": "lKo8ttX90t7YP96cFjzJ08z-F9z0oanGhgpxL7JE3h0","prompt": "consent"}}[17:57:51 INF] Creating Authorization Code Flow response.[17:57:51 INF] Redirecting to: http://localhost:8080/callback?client_name=testinfo: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0017ms 302info: Microsoft.AspNet.Hosting.Internal.HostingEngine[1]Request starting HTTP/1.1 POST http://localhost:5000/connect/token application/x-www-form-urlencoded; charset=UTF-8 142[17:57:51 INF] Start token request[17:57:51 DBG] Start client validation[17:57:51 DBG] Start parsing for X.509 certificate[17:57:51 DBG] client_id is not found in post body[17:57:51 DBG] Start parsing for secret in post body[17:57:51 DBG] No secret in post body found[17:57:51 DBG] Start parsing Basic Authentication secret[17:57:51 DBG] Parser found client secret: BasicAuthenticationSecretParser[17:57:51 INF] Client secret id found: test[17:57:51 DBG] Secret validator success: HashedSharedSecretValidator[17:57:51 INF] Client validation success[17:57:51 INF] Start token request validation[17:57:51 INF] Start validation of authorization code token request[17:57:51 INF] Validation of authorization code token request success[17:57:51 INF] Token request validation success
{"ClientId": "test","ClientName": "test",
"GrantType": "authorization_code","AuthorizationCode": "c8ff6b4a8b52e79d01d6e74c8a8c0546","Raw": {"code": "c8ff6b4a8b52e79d01d6e74c8a8c0546",
"redirect_uri": "http://localhost:8080/callback?client_name=test",
"grant_type": "authorization_code"}}[17:57:51 INF] Creating token response[17:57:51 INF] Processing authorization code request[17:57:51 DBG] Creating access token[17:57:51 DBG] Creating JWT access token[17:57:52 DBG] Creating identity token[17:57:52 INF] Getting claims for identity token for subject: 818727[17:57:52 DBG] Creating JWT identity token[17:57:52 INF] End token request[17:57:52 INF] Returning token response.info: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0123ms 200 application/json; charset=utf-8info: Microsoft.AspNet.Hosting.Internal.HostingEngine[1]Request starting HTTP/1.1 GET http://localhost:5000/connect/userinfo[17:57:52 INF] Start userinfo request[17:57:52 INF] Token found: AuthorizationHeader[17:57:52 INF] Start access token validation[17:57:52 INF] Token validation success{"ValidateLifetime": true,"AccessTokenType": "Jwt","ExpectedScope": "openid","Claims": {"client_id": "test","scope": ["openid","api1"],"sub": "818727","amr": "password","auth_time": "1473091069","idp": "idsrv","role": ["Admin","Geek"],"iss": "http://localhost:5000","aud": "http://localhost:5000/resources","exp": "1473094671","nbf": "1473091071"}}[17:57:52 INF] Creating userinfo response[17:57:52 INF] Scopes in access token: openid api1[17:57:52 INF] Requested claim types: sub[17:57:52 INF] Profile service returned to the following claim types: sub[17:57:52 INF] End userinfo request[17:57:52 INF] Returning userinfo response.info: Microsoft.AspNet.Hosting.Internal.HostingEngine[2]Request finished in 0,0039ms 200 application/json; charset=utf-8
I will try to login with mitreid.org using OpenID Connect and let you know.
Thanks.
Best regards,
Jérôme
--
Jérôme LELEU
Sep 5, 2016, 12:36:43 PM9/5/16
to ThomasW, pac4j-users
Hi,
I just created an OpenID Connect client on mitreid.org and got the same error.
Though, I'm not sure it is related to pac4j. Whatever the identifier I have for my new client (example: 6d9e17c6-348f-40cf-b6e6-86fcf3be2081), I always got the same error as you (for the following authorize url: https://mitreid.org/authorize?response_type=code&client_id=6d9e17c6-348f-40cf-b6e6-86fcf3be2081&redirect_uri=http%3A%2F%2Fwww.pac4j.org%2Ftest.html&scope=openid+profile+email&state=G7ysqBtBQ8GSbW7-sbcBPaOI_JEG-IKYj4ne53Pipdc)
-> {"error":"invalid_client","error_description":"Client with id 575dd7eb-50b9-441e-9bc7-ee62cf42d721 was not found"}
The identifier in the error message has nothing to do with my identifier. It's fairly strange! Or maybe there is something wrong in terms of configuration.
I tried to contact mitreid.org.
Thanks.
Best regards,
Jérôme
Jérôme LELEU
Sep 6, 2016, 4:44:25 AM9/6/16
to ThomasW, pac4j-users
Hi,
The server has been reset and now it works perfectly: https://github.com/pac4j/pac4j/blob/master/pac4j-oidc/src/test/java/org/pac4j/oidc/run/RunMitreIdOrg.java
Thanks.
Best regards,
Jérôme
ThomasW
Sep 6, 2016, 11:14:13 AM9/6/16
to pac4j-users, thomas...@gmail.com
Thank you very much Jérôme !!
Your logfiles helped me ! And thanks for informing Mitreid people ;-)
My code is also working with MitreID server and I found the IdentityServer error.
Thanks for your great and patient help so far !
I might come with new questions some time later ;-)
Jérôme LELEU
Sep 6, 2016, 12:36:14 PM9/6/16
to ThomasW, pac4j-users
Great news!
--
ThomasW
Sep 8, 2016, 10:13:27 AM9/8/16
to pac4j-users, thomas...@gmail.com
Is it possible to swap out all the openID connect settings (clientID, secret,DiscoveryURI,scope, callbackURI....) to the Spring Boot application.properties file ?
Jérôme LELEU
Sep 8, 2016, 10:41:26 AM9/8/16
to ThomasW, pac4j-users
Hi,
There is nothing out of the box to handle that. Though, you can certainly do it on your own.
Take a look at: http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-external-config.html
Thanks.
Best regards,
Jérôme
2016-09-08 16:13 GMT+02:00 ThomasW <thomas...@gmail.com>:
Is it possible to swap out all the openID connect settings (clientID, secret,DiscoveryURI,scope, callbackURI....) to the Spring Boot application.properties file ?
--
ThomasW
Sep 8, 2016, 11:22:51 AM9/8/16
to pac4j-users, thomas...@gmail.com
Ok thanks !
Just another question.
I was playing with the implict flow and MitreID server.
I put additionally the following code to enable the implicit flow :
oidcConfiguration.setUseNonce(true);
oidcConfiguration.setResponseType("id_token");
oidcConfiguration.setResponseMode("form_post");
And I set in Mitreid server to :
- Grant Types : implicit
- Response Types : id_token
But accessing the secured RESTful URL results that the online MitreID was showing this error message :
Error: unsupported_response_type There was an error processing your request. The server's message was: Unsupported response types: [id_token]Am Donnerstag, 8. September 2016 16:41:26 UTC+2 schrieb Jérôme LELEU:
Hi,There is nothing out of the box to handle that. Though, you can certainly do it on your own.Take a look at: http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-external-config.htmlThanks.Best regards,Jérôme
2016-09-08 16:13 GMT+02:00 ThomasW <thomas...@gmail.com>:
Is it possible to swap out all the openID connect settings (clientID, secret,DiscoveryURI,scope, callbackURI....) to the Spring Boot application.properties file ?
--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
Jérôme LELEU
Sep 8, 2016, 12:27:23 PM9/8/16
to ThomasW, pac4j-users
Hi,
On the MitreID client configuration screen, on the "Access" tab, did you check the "id_token" response type?
Thanks.
Best regards,
Jérôme
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
ThomasW
Sep 9, 2016, 6:14:29 AM9/9/16
to pac4j-users, thomas...@gmail.com
Yes, I did :
2016-09-09 12:02:08.116 DEBUG 6188 --- [nio-8080-exec-5] o.p.o.r.OidcRedirectActionBuilder : Authentication request url: https://mitreid.org/authorize?response_type=id_token&client_id=f78f98d0-27b4-4ca5-a144-2e2f8f7caec3&response_mode=form_post&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback%3Fclient_name%3Dtest&scope=openid&state=tKSXG6mwhfHFMF2reroYrRFamee1EssplvbI5hL8edM&nonce=I-Pb6U9xdKvQQBq4tkP-SWcdJu8wO0HNovSL3r2hWlk
Jérôme LELEU
Sep 9, 2016, 8:05:47 AM9/9/16
to ThomasW, pac4j-users
Hi,
I just did the test and indeed, despite changing the configuration accordingly, I have the same error, but I don't think it's related to pac4j.
I get this URL: http://www.pac4j.org/test.html?error=unsupported_response_type&error_description=Unsupported%20response%20types:%20%5Bid_token%5D&state=NYaM8E13ysGBi2qOf6cIYCvev6UQ_LHYCTU1rqBMOow with the same error. It looks it's not supported on the server side.
Thanks.
Best regards,
Jérôme
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
ThomasW
Sep 9, 2016, 9:47:18 AM9/9/16
to pac4j-users, thomas...@gmail.com
Ok thank you !
I thought Mitreid would be the reference implementation regarding OpenID Connect.
I will try with IdentityServer and implicit flow.
Happy to know that pac4j oidc supports implicit flow ;-)
ThomasW
Sep 12, 2016, 7:55:34 AM9/12/16
to pac4j-users, thomas...@gmail.com
One more question :
What about pac4j's performance overhead for RESTful services ?
I am thinking how to design a server where 500 web and mobile users can concurrently access the pac4j protected RESTful services.
Btw, you should add a donation button on the pac4j website ;-)
Reply all
Reply to author
Forward
0 new messages