CZ-NIC / pyoidc

A complete OpenID Connect implementation in Python

ERROR Wrong authentication method used: client_secret_post != client_secret_basic #834

Open MohammedAdain opened 1 year ago

MohammedAdain commented 1 year ago

Hi folks, I am getting the following error:

2022-11-21 20:21:48,524 oicServer:INFO callback: <bound method Application.authorization of <__main__.Application object at 0x7fa988881550>>
2022-11-21 20:21:48,524 oic.oauth2.provider:DEBUG Request: 'scope=openid&state=xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console&response_type=code&client_id=queZ1CfswSlp&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=wNMLDnKaQ5IJfX-kE9pTpA'
2022-11-21 20:21:48,525 oic.oic:DEBUG Found 2 verify keys
2022-11-21 20:21:48,527 oic.oauth2.provider:DEBUG AuthzRequest: {'scope': 'openid', 'state': 'xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console', 'response_type': 'code', 'client_id': 'queZ1CfswSlp', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'wNMLDnKaQ5IJfX-kE9pTpA'}
2022-11-21 20:21:48,531 oic.oic.provider:INFO authorization_request: {'scope': 'openid', 'state': 'xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console', 'response_type': 'code', 'client_id': 'queZ1CfswSlp', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'wNMLDnKaQ5IJfX-kE9pTpA'}
2022-11-21 20:21:48,533 oic.utils.authn.user:DEBUG kwargs: {'authorization': '<REDACTED>', 'max_age': 0}
2022-11-21 20:21:48,536 oic.oauth2.provider:INFO No active authentication
2022-11-21 20:21:48,536 oic.oic.provider:DEBUG - authenticated -
2022-11-21 20:21:48,536 oic.oic.provider:DEBUG AREQ keys: ['scope', 'state', 'response_type', 'client_id', 'redirect_uri', 'nonce']
2022-11-21 20:21:48,539 oic.utils.sdb:DEBUG uid2sid: {'upper': ['d86e89a34fd25e919fd21ec8af1d3f07e386b370aad8da3d4fc09123', 'b9f87baac70f7a7d7bc7d9674c0d414eede5324c0288687d5dae948e', 'f5c395141aa2f3057a63511bb9eb13bfc1d0f8a5da485f1938cce12f', '9eda0cf2b93531d111efbfb0bfbe591b4ff84b36889903196235aba0', '1a8e025e830aaea39e84076db889c69a7293ac523900aedc1b07a3b8', 'a33ac7efd0369524fdbd4b6a9557729e531b48deb1bcf59c5aa8a16c', '6e875ca8d00c37787e2a4881bcb7ac49f701480b71d6c50744c17a72', 'e2041a8117e6bdaba64fb13e2fec8513a8b0a6cb30e03214d8a0b158', 'e397df0e4f5f90c8ce33f27484e351298f1d8301deaec2b1338aa320', 'd992cc075f800abefd4cab9c02333a11da4069e6855f2572fcfc69c7', 'f309faf447c416c52b628304c93cff182ee3385341f3d4d486da500f', '393837e111802df8d32923bec554521caa54cf61be53dbe5c0a4786c', '7baf18a22e7c3b17e5e86258ce1797cedaba81b2dbda261f4d028c17', 'e48f574fa9ba97cbb968ca31888ed3422427f22645ea177b3a6e7dba'], 'diana': ['801e3f119f0f6967349dc43ef07c008d358f42916dbd5859d82aff7f', 'aaea2096c3222760f06a4aa2afb4805c4b7bd068fe9674cf0d969e5f', '6648150adccba654e8ab27ff24f6e5bee158f827d2f4932dd9d0c8cd']}
2022-11-21 20:21:48,539 oic.oauth2.provider:DEBUG - in authenticated() -
2022-11-21 20:21:48,539 oic.oauth2.provider:DEBUG response type: ['code']
2022-11-21 20:21:48,543 oic.oic.provider:INFO authorization response: {'state': 'xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console', 'scope': 'openid', 'code': '<REDACTED>', 'iss': 'http://adain-dev-aps1.workspaces.corp.win.ia55.net:8041/', 'client_id': 'queZ1CfswSlp'}
2022-11-21 20:21:48,543 oic.oic.provider:DEBUG Redirected to: 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint?state=xl6_ArkZXwcaNye9jUVT7cNEZMj27CjYuMtPBw9Bof8.S4sFPxeqUEU.account-console&scope=openid&code=<REDACTED>&iss=http%3A%2F%2Fadain-dev-aps1.workspaces.corp.win.ia55.net%3A8041%2F&client_id=queZ1CfswSlp' :: <class 'str'>
2022-11-21 20:21:48,928 oicServer:INFO PATH: "token"
2022-11-21 20:21:48,928 oicServer:INFO callback: <bound method Application.token of <__main__.Application object at 0x7fa988881550>>
2022-11-21 20:21:48,928 oic.oic.provider:DEBUG - token -
2022-11-21 20:21:48,928 oic.oic.provider:INFO token_request: code=<REDACTED>&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&client_secret=<REDACTED>&client_id=queZ1CfswSlp
2022-11-21 20:21:48,928 oic.oic.provider:DEBUG AccessTokenRequest: {'grant_type': 'authorization_code', 'code': '<REDACTED>', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'client_secret': '<REDACTED>', 'client_id': 'queZ1CfswSlp'}
2022-11-21 20:21:48,928 oic.utils.authn.client:DEBUG REQ: {'grant_type': 'authorization_code', 'code': '<REDACTED>', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'client_secret': '<REDACTED>', 'client_id': 'queZ1CfswSlp'}
2022-11-21 20:21:48,929 oic.utils.authn.client:DEBUG Verified Client ID: queZ1CfswSlp
2022-11-21 20:21:48,931 oic.utils.authn.client:ERROR Wrong authentication method used: client_secret_post != client_secret_basic
2022-11-21 20:21:48,932 oic.oic.provider:ERROR Failed to verify client due to: Wrong authentication method used
2022-11-21 20:21:48,932 oic.oic.provider:ERROR No client_id, authentication failed

I have configured Keycloak as my RP. Settings on Keycloak: (image)

I am using op2 under the examples as my OP server: https://github.com/OpenIDC/pyoidc/tree/master/oidc_example/op2

Not sure why I am getting this error even though I have specified Client Secret Basic on Keycloak. Any help here is appreciated. Also, if someone can help me with examples where we verify the users based on the contents of the users, that is appreciated too.

Thanks

tpazderka commented 1 year ago

I am not sure how you have created the client in your OP, but it looks like you are using a default configuration for authentication method (client_secret_post).

So you have to either reconfigure Keycloak to use the correct method, or change the config of the client on the OP and switch the method to client_secret_basic.

MohammedAdain commented 1 year ago

> change the config of the client on the OP and switch the method to client_secret_basic.

I tried this too, but surprisingly I end up with the exact same error

2022-11-21 22:41:29,709 oic.utils.authn.client:ERROR Wrong authentication method used: client_secret_post != client_secret_basic
2022-11-21 22:41:29,709 oic.oic.provider:ERROR Failed to verify client due to: Wrong authentication method used
2022-11-21 22:41:29,709 oic.oic.provider:ERROR No client_id, authentication failed

On further debugging, I noticed the flow ends up in the block https://github.com/OpenIDC/pyoidc/blob/master/src/oic/utils/authn/client.py#L517 which is due to authn being set as None

tpazderka commented 1 year ago

Eh, sorry. Got the order of the reported methods mixed up... This is about token endpoint and Keycloak is using client_secret_post but the OP is expecting client_secret_basic since nothing is configured.

Set token_endpoint_auth_method to client_secret_post for your client.
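
The mismatch described above, as an added example that is not part of the original thread and not pyoidc's own code: it classifies how a token request presents the client secret and compares that with the client record, using `client_secret_basic` when `token_endpoint_auth_method` is absent. The helper names and all sample values are constructed, and only the two secret-based methods are handled.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus

# OpenID Connect Dynamic Registration: method assumed when the client record has none.
DEFAULT_METHOD = "client_secret_basic"


def presented_method(headers, body):
    """Return (method, client_id, client_secret) as the token request presents them."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic" and value:
        cid, _, secret = base64.b64decode(value).decode("utf-8").partition(":")
        # RFC 6749 section 2.3.1: both halves are form-urlencoded before Base64.
        return "client_secret_basic", unquote_plus(cid), unquote_plus(secret)
    form = parse_qs(body)
    cid = form.get("client_id", [None])[0]
    if "client_secret" in form:
        return "client_secret_post", cid, form["client_secret"][0]
    return "none", cid, None


def check_client(record, headers, body):
    """Compare the presented method with the registered one, then the secret."""
    expected = record.get("token_endpoint_auth_method", DEFAULT_METHOD)
    used, cid, secret = presented_method(headers, body)
    if used != expected:
        return False, f"Wrong authentication method used: {used} != {expected}"
    same_secret = hmac.compare_digest(
        (secret or "").encode(), record["client_secret"].encode())
    if cid != record["client_id"] or not same_secret:
        return False, "Invalid client credentials"
    return True, "ok"


# Constructed sample data (not values from the thread).
CLIENT = {"client_id": "exampleClient", "client_secret": "constructed-secret"}
POST_BODY = ("grant_type=authorization_code&code=constructed-code"
             "&client_id=exampleClient&client_secret=constructed-secret")
BASIC_HEADERS = {"Authorization": "Basic " + base64.b64encode(
    f"{quote_plus('exampleClient')}:{quote_plus('constructed-secret')}".encode()).decode()}
BASIC_BODY = "grant_type=authorization_code&code=constructed-code"

if __name__ == "__main__":
    print(check_client(CLIENT, {}, POST_BODY))      # mismatch: record has no method set
    fixed = dict(CLIENT, token_endpoint_auth_method="client_secret_post")
    print(check_client(fixed, {}, POST_BODY))       # accepted after the config change
    print(check_client(CLIENT, BASIC_HEADERS, BASIC_BODY))  # Basic matches the default
```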

MohammedAdain commented 1 year ago

Thanks @tpazderka but I don't see an option to set token_endpoint_auth_method

python ../../src/oic/utils/client_management.py -c client_db
Enter redirect_uris one at the time, end with a blank line: 
?: https://keycloak-dev.ia55.net/realms/master/broker/pyoidc/endpoint
?: 
Enter policy_uri or just return: 
Enter logo_uri or just return: 
{'client_secret': '47f22a7d8263182dec8dc0d6e8b0030cbfc006de9a0dbd47170ea591', 'client_id': 'FlMLfaucyBKE', 'client_salt': 'VGNK8YFW', 'redirect_uris': [['https://keycloak-dev.ia55.net/realms/master/broker/pyoidc/endpoint', None]]}

Am I missing something here?

tpazderka commented 1 year ago

Yes, the shelve client script does not allow manipulation of all the attributes. So you would have to do that manually.

Dump the file to json via -D and edit the resulting JSON file to add the token_endpoint_auth_method and load it back via -I.

MohammedAdain commented 1 year ago

Thanks for the inputs here. I made the change but ran into another issue after that: after I punch in the creds (Username, Password), the OP doesn't redirect to the redirect URL; instead it redirects back to the /authorization endpoint. Some logs here:

/home/adain/projects/pyoidc/env/lib64/python3.7/site-packages/oic/oauth2/provider.py:229: UserWarning: ClientDatabase should be an instance of oic.utils.clientdb.BaseClientDatabase to ensure proper API.
  "ClientDatabase should be an instance of "
OC server started (iss=http://adain-dev-aps1.workspaces.corp.win.ia55.net:8041/, port=8041) 
query=scope%3Dopenid%26state%3DuC3Ti1uGKhRpoFsr_IspYog4iTjh-nRDIlRCAXLQ9ds.FP-UFhNbWiA.account-console%26response_type%3Dcode%26client_id%3DMjvXaeRpvHXj%26redirect_uri%3Dhttps%253A%252F%252Fkeycloak-dev.ia55.net%252Frealms%252Fmaster%252Fbroker%252Foidc%252Fendpoint%26nonce%3Dg5tmrTzcijE1dDuisxBSbw&acr_values=&login=upper&password=crust&form.commit=Submit

server logs

2022-11-23 13:09:39,715 oicServer:INFO PATH: "authorization"
2022-11-23 13:09:39,716 oicServer:INFO callback: <bound method Application.authorization of <__main__.Application object at 0x7f9a5f41bc90>>
2022-11-23 13:09:39,716 oic.oauth2.provider:DEBUG Request: 'scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw'
2022-11-23 13:09:39,716 oic.oic:DEBUG Found 3 verify keys
2022-11-23 13:09:39,717 oic.oauth2.provider:DEBUG AuthzRequest: {'scope': 'openid', 'state': 'Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console', 'response_type': 'code', 'client_id': 'MjvXaeRpvHXj', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'H9fDerNh7fpkyEkfJdE2Tw'}
2022-11-23 13:09:39,719 oic.oic.provider:INFO authorization_request: {'scope': 'openid', 'state': 'Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console', 'response_type': 'code', 'client_id': 'MjvXaeRpvHXj', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'H9fDerNh7fpkyEkfJdE2Tw'}
2022-11-23 13:09:39,720 oic.oauth2.provider:INFO No active authentication
2022-11-23 13:09:39,720 oic.utils.authn.user:INFO do_authentication argv: {'password': '<REDACTED>', 'action': 'http://adain-dev-aps1.workspaces.corp.win.ia55.net:8041/verify', 'login': '', 'acr': '', 'policy_uri': '', 'logo_uri': '', 'tos_uri': '', 'query': 'scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw', 'title': 'User log in', 'login_title': 'Username', 'passwd_title': 'Password', 'submit_text': 'Submit', 'client_policy_title': 'Client Policy'}
2022-11-23 13:09:39,758 oicServer:INFO PATH: "css/main.css"
2022-11-23 13:09:39,758 oicServer:INFO callback: <bound method Application.css of <__main__.Application object at 0x7f9a5f41bc90>>
2022-11-23 13:09:56,461 oicServer:INFO PATH: "verify"
2022-11-23 13:09:56,461 oicServer:INFO callback: <function make_auth_verify.<locals>.auth_verify at 0x7f9a5fcae050>
2022-11-23 13:09:56,461 oic.utils.authn.user:DEBUG verify(query=scope%3Dopenid%26state%3DZm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console%26response_type%3Dcode%26client_id%3DMjvXaeRpvHXj%26redirect_uri%3Dhttps%253A%252F%252Fkeycloak-dev.ia55.net%252Frealms%252Fmaster%252Fbroker%252Foidc%252Fendpoint%26nonce%3DH9fDerNh7fpkyEkfJdE2Tw&acr_values=&login=upper&password=<REDACTED>&form.commit=Submit)
2022-11-23 13:09:56,462 oic.utils.authn.user:DEBUG dict: {'query': 'scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw', 'login': 'upper', 'password': '<REDACTED>', 'form.commit': 'Submit'}
2022-11-23 13:09:56,462 oic.utils.authn.user:DEBUG Password verification succeeded.
2022-11-23 13:09:56,464 oic.utils.authn.user:DEBUG kwargs: {'upm_answer': 'true', 'scope': ['openid'], 'state': ['Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console'], 'response_type': ['code'], 'client_id': ['MjvXaeRpvHXj'], 'redirect_uri': ['https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint'], 'nonce': ['H9fDerNh7fpkyEkfJdE2Tw']}
2022-11-23 13:09:56,481 oicServer:INFO PATH: "authorization"
2022-11-23 13:09:56,481 oicServer:INFO callback: <bound method Application.authorization of <__main__.Application object at 0x7f9a5f41bc90>>
2022-11-23 13:09:56,482 oic.oauth2.provider:DEBUG Request: 'upm_answer=true&scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw'
2022-11-23 13:09:56,482 oic.oic:DEBUG Found 3 verify keys
2022-11-23 13:09:56,484 oic.oauth2.provider:DEBUG AuthzRequest: {'upm_answer': 'true', 'scope': 'openid', 'state': 'Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console', 'response_type': 'code', 'client_id': 'MjvXaeRpvHXj', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'H9fDerNh7fpkyEkfJdE2Tw'}
2022-11-23 13:09:56,485 oic.oic.provider:INFO authorization_request: {'upm_answer': 'true', 'scope': 'openid', 'state': 'Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console', 'response_type': 'code', 'client_id': 'MjvXaeRpvHXj', 'redirect_uri': 'https://keycloak-dev.ia55.net/realms/master/broker/oidc/endpoint', 'nonce': 'H9fDerNh7fpkyEkfJdE2Tw'}
2022-11-23 13:09:56,487 oic.oauth2.provider:INFO No active authentication
2022-11-23 13:09:56,488 oic.utils.authn.user:INFO do_authentication argv: {'password': '<REDACTED>', 'action': 'http://adain-dev-aps1.workspaces.corp.win.ia55.net:8041/verify', 'login': '', 'acr': '', 'policy_uri': '', 'logo_uri': '', 'tos_uri': '', 'query': 'upm_answer=true&scope=openid&state=Zm1sOyQZt--7_aUzu2bHy8YhsG6bSDqo49uNAdZtmik.lB-_4004KEI.account-console&response_type=code&client_id=MjvXaeRpvHXj&redirect_uri=https%3A%2F%2Fkeycloak-dev.ia55.net%2Frealms%2Fmaster%2Fbroker%2Foidc%2Fendpoint&nonce=H9fDerNh7fpkyEkfJdE2Tw', 'title': 'User log in', 'login_title': 'Username', 'passwd_title': 'Password', 'submit_text': 'Submit', 'client_policy_title': 'Client Policy'}
2022-11-23 13:09:56,517 oicServer:INFO PATH: "css/main.css"
2022-11-23 13:09:56,517 oicServer:INFO callback: <bound method Application.css of <__main__.Application object at 0x7f9a5f41bc90>>

Thanks