• Resolved romanhak (@romanhak)

    The plugin is not compatible with WSO2 IS (version 5.8.0) due to sending authorization credentials (client ID and client secret) both in the request body and authorization header. WSO2 IS requires credentials to be sent only using one of the methods.

    Log from WSO2:

    [2019-08-27 10:42:37,523] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  Evaluating canAuthenticate of authenticator : BasicOAuthClientCredAuthenticator
    [2019-08-27 10:42:37,523] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} -  Basic auth credentials exists as Authorization header. Hence returning true.
    [2019-08-27 10:42:37,523] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  BasicOAuthClientCredAuthenticator authenticator can handle incoming request.
    [2019-08-27 10:42:37,523] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  Authenticator BasicOAuthClientCredAuthenticator can authenticate the client request.  Hence trying to evaluate authentication
    [2019-08-27 10:42:37,523] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} -  Client Id and Client Secret found in request body and Authorization header. Credentials should be sent in either request body or Authorization header, not both
    [2019-08-27 10:42:37,523] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  Error while evaluating client authenticator : BasicOAuthClientCredAuthenticator
    org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnException: Request body and headers contain authorization information
    	at org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator.validateDuplicatedBasicAuthInfo(BasicAuthClientAuthenticator.java:191)
    	at org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator.getClientId(BasicAuthClientAuthenticator.java:163)
    ...

    In order to be compatible with WSO2 IS, the plugin code should be changed: either send credentials only in the header or only in the request body. Or maybe there could be a configuration option for this.

    We have fixed it temporarily by making changes in an OpenID connect handler file (wp-content/plugins/miniorange-openid-connect-client/handler/openidconnect_handler.php):

    ...
    // Client credentials are sent only via HTTP Basic auth (note the space after "Basic")
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Authorization: Basic '.base64_encode($clientid.":".$clientsecret),
        'Accept: application/json'
    ));

    # here client_id and client_secret fields were removed from the request body
    # curl_setopt( $ch, CURLOPT_POSTFIELDS, 'redirect_uri='.urlencode($redirect_url).'&grant_type='.$grant_type.'&client_id='.$clientid.'&client_secret='.$clientsecret.'&code='.$code);
    curl_setopt( $ch, CURLOPT_POSTFIELDS, 'redirect_uri='.urlencode($redirect_url).'&grant_type='.$grant_type.'&code='.$code);

    $response = curl_exec($ch);
    ...
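The rule WSO2 IS enforces in the log above comes from RFC 6749 section 2.3.1: a client must not use more than one authentication method per request. The following Python example is added here and is not code from the plugin or from WSO2; it shows both sides of that rule. `build_token_request` builds the token request using exactly one method, selected by a configuration value named as in OpenID Connect Core (`client_secret_basic` for the Authorization header, `client_secret_post` for form fields), which is the "configuration option" the post suggests. `extract_client_credentials` is a server-side check modelled on the behaviour visible in the log: it accepts either method and rejects a request that carries credentials in both places. All function names and sample values are constructed for this example.

```python
import base64
from urllib.parse import urlencode, parse_qs

# Constructed sample values for the example; not a real client registration.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Return (headers, body) for an authorization_code token request.

    `method` is the client authentication method name from OpenID Connect Core:
    "client_secret_basic" puts the credentials in an HTTP Basic Authorization
    header, "client_secret_post" puts them in the form body. Exactly one of the
    two is used, which is what RFC 6749 section 2.3.1 requires.
    """
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    fields = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if method == "client_secret_basic":
        token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + token  # note the space after "Basic"
    elif method == "client_secret_post":
        fields["client_id"] = client_id
        fields["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(fields)


class DuplicateClientAuth(Exception):
    """Credentials were supplied both in the Authorization header and in the body."""


def extract_client_credentials(headers, body):
    """Server-side check modelled on the WSO2 behaviour shown in the log.

    Returns (client_id, client_secret) taken from whichever single method the
    client used, (None, None) if no credentials are present, and raises
    DuplicateClientAuth when both the header and the body carry credentials.
    """
    auth = headers.get("Authorization", "")
    form = parse_qs(body, keep_blank_values=True)
    in_header = auth.startswith("Basic ")
    in_body = "client_id" in form and "client_secret" in form

    if in_header and in_body:
        # Same decision WSO2 takes: refuse rather than silently pick one.
        raise DuplicateClientAuth("Request body and headers contain authorization information")
    if in_header:
        raw = base64.b64decode(auth[len("Basic "):]).decode()
        client_id, _, client_secret = raw.partition(":")
        return client_id, client_secret
    if in_body:
        return form["client_id"][0], form["client_secret"][0]
    return None, None


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        h, b = build_token_request(method, CLIENT_ID, CLIENT_SECRET, "sample-code",
                                   "https://wp.example.test/callback")
        print(method, "->", extract_client_credentials(h, b))
```

Sending the header of a `client_secret_basic` request together with the body of a `client_secret_post` request reproduces the plugin's original behaviour and is the case `extract_client_credentials` rejects; a server that instead silently prefers one location would accept the request but makes it ambiguous which credential was actually checked.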
Viewing 1 replies (of 1 total)
  • The topic ‘Wrong client credentials (WSO2 compatibility)’ is closed to new replies.