Closed gjckis closed 2 months ago
It looks like you're using authorization code flow. Using that, a code is sent to the browser with which the server application can get the token(s) using a backchannel request (a request without involving the browser). The log you're showing here is that backchannel request in which the client server application will, apart from the code, present its client id and secret. At this stage a user id is not involved, just the client credentials.
The client id is also sent when doing the initial authorization request (before logging in). At that stage the error should also surface, blocking the rest of the flow. What kind of client are you using? Is it an ASP.NET Core server-side web application (MVC or Razor Pages), or something else?
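As the reply above explains, the rejected backchannel request carries only client credentials, so no username exists to log. What a defender can still capture is the caller's network address: this is an added example (not code from the thread or from Duende's own samples) of a custom `IEventSink` that records the rejected client id together with the remote IP of the failed client authentication. It assumes Duende's `ClientAuthenticationFailureEvent` and `Event.RemoteIpAddress`, and that failure events are switched on via `RaiseFailureEvents`; the class and logger names are hypothetical.

```csharp
using System.Threading.Tasks;
using Duende.IdentityServer.Events;
using Duende.IdentityServer.Services;
using Microsoft.Extensions.Logging;

// Hypothetical sink: records client authentication failures (such as an unknown
// client id at /connect/token) together with the caller's remote IP, so the
// customer sending a wrong client id can be traced by address rather than by user.
public class ClientFailureEventSink : IEventSink
{
    private readonly ILogger<ClientFailureEventSink> _logger;

    public ClientFailureEventSink(ILogger<ClientFailureEventSink> logger)
    {
        _logger = logger;
    }

    public Task PersistAsync(Event evt)
    {
        // Only client authentication failures are of interest here; every other
        // event is ignored (a production sink would typically persist all of them).
        if (evt is ClientAuthenticationFailureEvent failure)
        {
            _logger.LogWarning(
                "Client authentication failed for client id '{ClientId}' from {RemoteIp}: {Message}",
                failure.ClientId, failure.RemoteIpAddress, failure.Message);
        }
        return Task.CompletedTask;
    }
}

// Registration (assumed to live in Program.cs of the identity server host).
// Failure events are not raised unless RaiseFailureEvents is enabled, and the sink
// must be registered after AddIdentityServer so it replaces the default sink.
//
// builder.Services.AddIdentityServer(options =>
// {
//     options.Events.RaiseFailureEvents = true;
// });
// builder.Services.AddTransient<IEventSink, ClientFailureEventSink>();
```

If the identity server sits behind a reverse proxy, the remote IP reflects the proxy unless forwarded-headers middleware is configured, so check that before relying on the address.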
Thanks for the reply. To answer your question, yes, our identity server is a .NET Core server-side web application.
OK. Did my answer clarify things for you? Would you like to add anything to this issue? If not I'd like to close it.
According to your answer, the API requesting a token has not provided uid/pwd at the time of client id/secret validation, and therefore I will never know which user is submitting an incorrect client id. If that is the case, then I will have to contact all customers and ask them to verify the submitted client id.
I am using Duende 6.3.8 and some of my customers are sending in an invalid client id in a password flow request. I would like to identify the username in the logs, but I cannot see any information on the customer.
I am using Serilog and set the log level to verbose, and this is what I get in the identity server:

[10:50:11 DBG] Request path /connect/token matched to endpoint type Token
[10:50:11 DBG] Endpoint enabled: Token, successfully created handler: Duende.IdentityServer.Endpoints.TokenEndpoint
[10:50:11 INF] Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.TokenEndpoint for /connect/token
[10:50:11 VRB] Processing token request.
[10:50:11 DBG] Start token request.
[10:50:11 DBG] Start client validation
[10:50:11 DBG] Start parsing Basic Authentication secret
[10:50:11 DBG] Parser found secret: BasicAuthenticationSecretParser
[10:50:11 DBG] Secret id found: webapi
[10:50:11 ERR] No client with id 'webapi' found. aborting
[10:50:11 VRB] Invoking result: Duende.IdentityServer.Endpoints.Results.TokenErrorResult
Any idea on how to identify the username that is sending in the invalid client id?