In IdentityServer4, I am using the HybridAndClientCredentials grantType for my client. When the token expires and the refresh token request fires, I get an invalid_grant error. See the logs below for the request.
Logs
> [11:14:56 Debug] IdentityServer4.Validation.TokenRequestValidator Start token request validation
>
> [11:14:56 Debug] IdentityServer4.Validation.TokenRequestValidator Start validation of refresh token request
>
> [11:14:56 Debug] IdentityServer4.EntityFramework.Stores.PersistedGrantStore MRNR65nTDUALsFTtuD6FKbzcHtXx9WB3xbclR+bdmJs= found in database: False
>
> [11:14:56 Debug] IdentityServer4.Stores.DefaultRefreshTokenStore refresh_token grant with value: 386dd398df5b20566cc41befd44564221f999e0704b9c6d8ed5b3200a3e6b51e not found in store.
>
> [11:14:56 Error] IdentityServer4.Validation.TokenValidator Invalid refresh token
>
> [11:14:56 Error] IdentityServer4.Validation.TokenRequestValidator Refresh token validation failed. aborting.
From the logs above, it's clear that a key in the persistedGrant isn't found in the database. I don't know how to rectify this.
What do you suggest I do?
Related
I have two Keycloak instances running locally. They are connected via OIDC. Everything works so far - I can login via any of Keycloak instances.
Now I am trying to set up token exchange and it fails with an "invalid_token" error. I want to do "external to internal" token exchange. The following Keycloak logs show Keycloak sending an HTTP GET request with the token I provided to the other Keycloak instance to get user info:
08:14:36,523 DEBUG http-outgoing-19 >> "GET /auth/realms/master/protocol/openid-connect/userinfo HTTP/1.1[\r][\n]"
08:14:36,523 DEBUG http-outgoing-19 >> "Authorization: Bearer eyJhbGciOiJSU...[\r][\n]"
and the response is 401:
08:14:36,530 DEBUG http-outgoing-19 << "HTTP/1.1 401 Unauthorized[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "X-XSS-Protection: 1; mode=block[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Referrer-Policy: no-referrer[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Date: Tue, 24 Nov 2020 08:14:36 GMT[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "Connection: keep-alive[\r][\n]"
08:14:36,530 DEBUG http-outgoing-19 << "WWW-Authenticate: Bearer realm="master", error="invalid_token", error_description="Token verification failed"[\r][\n]"
The weird part is this: when I am sending the same response with curl using the same token that does not work in Keycloak - it works:
curl -X GET 'http://localhost:8050/auth/realms/master/protocol/openid-connect/userinfo' \
-H 'Authorization: Bearer eyJhbGciOiJSUzI1N...'
{"name":"r o","sub":"fff41a6f-6910-4419-8d46-7630b57ed420","email_verified":true,"preferred_username":"ttt","given_name":"r","family_name":"o"}
All permissions for token exchange are set up (otherwise it does not send the request at all and fails with another error).
What am I missing here? Any help is highly appreciated.
I figured it out. It worked using curl because I was using localhost, and it did not work in Keycloak because Keycloak used the local IP address (192.168.X.X). The core reason is in the token that has to be exchanged. The field iss must match the IP/host that is sending the request. In other words, in the token that I used to test token exchange, iss was equal to http://localhost..., and I also used localhost in the curl request. After using a token that had been issued from 192.168.XX, token exchange started to work.
Actually, from a security perspective it totally makes sense. Only the issuer of the token should be able to use it to get user info.
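The issuer check the answer above describes, as an added example (not code from the question, the answer or Keycloak itself): a small validator that base64url-decodes a JWT payload and rejects the token unless its `iss` claim matches, byte for byte, the issuer the receiving server expects, so a token minted through http://localhost:8050/... is refused by a server that knows its realm as http://192.168.1.10:8050/.... The issuer URLs, claims and token builder below are constructed for the demo; the real RS256 signature check is deliberately left out to keep the focus on the issuer comparison.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed example issuers: one Keycloak realm reached through two different hosts.
LOCALHOST_ISSUER = "http://localhost:8050/auth/realms/master"
LAN_ISSUER = "http://192.168.1.10:8050/auth/realms/master"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demo (constructed; the third segment is a
    placeholder, a real Keycloak token carries an RS256 signature that must be verified)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


def check_issuer(token: str, expected_issuer: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). The iss claim is compared exactly, so 'localhost' and
    '192.168.1.10' never match even though both reach the same realm; this is the
    'Token verification failed' outcome seen in the question's logs."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return False, "payload is not valid base64url JSON"
    iss = claims.get("iss")
    if iss != expected_issuer:
        return False, f"issuer mismatch: token says {iss!r}, server expects {expected_issuer!r}"
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        return False, "token expired"
    return True, "ok"


if __name__ == "__main__":
    tok = make_unsigned_token({"iss": LOCALHOST_ISSUER, "sub": "constructed-user", "exp": time.time() + 300})
    print(check_issuer(tok, LOCALHOST_ISSUER))  # accepted: same host as the curl test
    print(check_issuer(tok, LAN_ISSUER))        # rejected: the Keycloak-to-Keycloak case
```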
I am trying to authorize a user using code grant flow in Keycloak to a Quarkus application.
Here is the Quarkus configuration
# OIDC Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=web-application
quarkus.oidc.credentials.secret=ca21b304-XXX-XXX-XXX-51d38ef5da02
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email
The client configuration for "web-application" has only Standard Flow enabled (for Code Grant Flow)
I access http://localhost:8080/
I'm redirected to Keycloak (the URL looks good, with scope=openid+email&response_type=code&client_id=web-application)
I log in with sample user account
I'm redirected back with the code
Then I get an exception in Quarkus
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 401 / Unauthorized / Response from server: {"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at org.keycloak.authorization.client.util.TokenCallable.obtainAccessToken(TokenCallable.java:121)
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:57)
at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:276)
at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:205)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:202)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:210)
The error in Keycloak is:
09:58:25,420 WARN [org.keycloak.events] (default task-30) type=CLIENT_LOGIN_ERROR, realmId=quarkus, clientId=web-application, userId=null, ipAddress=172.17.0.1, error=invalid_client, grant_type=client_credentials, client_auth_method=client-secret
Question:
Why does Quarkus try to use "grant_type=client_credentials"? It should use grant type "authorization_code". This looks like a bug in Quarkus, but maybe there is a flag.
"Service Account Enabled" is off. Enabling it should fix the issue.
Could you try:
quarkus.oidc.client-type=web-app
instead of:
quarkus.oidc.application-type=web-app
Source: https://quarkus.io/guides/security-openid-connect-web-authentication
When using an OAuth 2.0 Bearer token with the following cURL command and receiving the following error, what does the TokenInvalid "Invalid application" error mean and how do I handle it? The application is valid in the Developer Portal and the same token is working for other API calls in a running app.
cURL Request
curl -XGET https://platform.ringcentral.com/restapi/v1.0/account/~ \
-H 'Authorization: Bearer <my_token>'
Response
401 Unauthorized
{
"errorCode" : "TokenInvalid",
"message" : "Invalid application",
"errors" : [ {
"errorCode" : "OAU-127",
"message" : "Invalid application"
} ]
}
RingCentral operates different API environments that use different application definitions (client ids and secrets). A token and application that is valid in one environment may not be valid in another.
A common reason this error occurs is when a token or application that is only valid in the sandbox environment is being used in the production environment. For example, this error will be encountered when making a request to the production environment (https://platform.ringcentral.com) with a token intended for the sandbox environment (https://platform.devtest.ringcentral.com).
When trying to run the docker container with the gateway ID & sectoken, it fails with the error "The Secure Gateway gateway ID was either not recognized or requires a security token to connect, error was: 401". And yet when I manually add them via the CLI, it's successful.
I suspect it's because my security token has '--' in it. I tried '', "", and escaping characters on the command line, but nothing worked. It fails on both Win10 and RHEL7.
Here's the console:
C:\Users\DebraJohnson>docker run -p 9023:9003 -it ibmcom/secure-gateway-client <gateway_id> --t <sectoken>
IBM Bluemix Secure Gateway Client Version 1.8.0fp4
....
<press enter for the command line>
[2018-04-16 09:12:17.993] [INFO] (Client ID 1) No password provided. The UI will not require a password for access
[2018-04-16 09:12:18.008] [WARN] (Client ID 1) UI Server started. The UI is not currently password protected
[2018-04-16 09:12:18.009] [INFO] (Client ID 1) Visit localhost:9003/dashboard to view the UI.
cli> [2018-04-16 09:12:18.327] [INFO] (Client ID 13) Setting log level to INFO
[2018-04-16 09:12:18.665] [ERROR] (Client ID 13) The Secure Gateway gateway ID was either not recognized or requires a security token to connect, error was: 401
cli> [2018-04-16 09:12:18.671] [INFO] (Client ID 13) Process exiting without errors due to user or server request
cli> sectoken <sectoken>
cli> connect <gateway_id>
cli> [2018-04-16 09:12:43.095] [INFO] (Client ID 27) Setting log level to INFO
[2018-04-16 09:12:43.774] [INFO] (Client ID 27) The Secure Gateway tunnel is connected
[2018-04-16 09:12:43.868] [INFO] (Client ID xxxxxxxxxxx_Hsu) Your Client ID is xxxxxxxxxxx_Hsu
xxxxxxxxxxx_Hsu>
Thanks
Having a -- as part of the security token could be the reason why you got the 403 error. Can you please try regenerating the security token and connecting the gateway again.
If you still have issues please open a support ticket (https://console.bluemix.net/docs/get-support/howtogetsupport.html#getting-customer-support) where you can provide the gateway id for us to look further into this.
I'm trying to follow this tutorial https://github.com/spring-projects/spring-xd-samples/tree/master/analytics-dashboard
I did the configuration in modules.yml
twitter:
  consumerKey: {your-consumer-key}
  consumerSecret: {your-consumer-secret}
  accessToken: {your-access-token}
  accessTokenSecret: {your-access-token-secret}
with my own keys, and then when I run
stream create tweets --definition "twitterstream | log" --deploy
this error appears
2016-05-24T12:48:07-0500 1.3.1.RELEASE ERROR twitterSource-1-1 twitter.TwitterStreamChannelAdapter - Twitter authentication failed: 401 Authorization Required
A 401 error means "Authentication credentials were missing or incorrect". Make sure the credentials are correct. See https://dev.twitter.com/overview/api/response-codes