IdentityModel / IdentityModel.OidcClient.Old

OpenID Connect Client Library for Native Applications

Help needed with an "invalid_grant" error #52

Closed pellea closed 7 years ago

pellea commented 7 years ago

Hello,

I need a little help with an error I'm facing with OidcClient inside a UWP application.

The OidcClient.LoginAsync returns an "invalid_grant" and I can't figure out how to debug this.

This UwpWebView needs an HTTPS URL to work. So I deployed the IdentityServer on Azure with SSL and it's working fine with an MVC client but not with the UWP client.

I use for AllowedGrantTypes the Hybrid type.

What can I check? What could have caused this error?

As you noticed I tried to debug with the source code but I didn't get much more info.

Thanks, Adrien.

leastprivilege commented 7 years ago

turn on logging in identityserver.

pellea commented 7 years ago

I managed to get some logs. It fails with the following error:

fail: IdentityServer4.Validation.TokenRequestValidator[0]
      Unexpected code_verifier: OOOOOOOOOOOOOOOOO
fail: IdentityServer4.Validation.TokenRequestValidator[0]
      {
        "ClientId": "mvc",
        "ClientName": "MVC Client",
        "GrantType": "authorization_code",
        "AuthorizationCode": "AAAAAAAAAAAAAAAAAAAAAAA",
        "Raw": {
          "grant_type": "authorization_code",
          "code": "AAAAAAAAAAAAAAAAAAAAAAA",
          "redirect_uri": "ms-app://s-1-XXXXXXXXXXX/",
          "code_verifier": "OOOOOOOOOOOOOOOOO"
        }
      }

I explicitly ask for a Hybrid type:

var options = new OidcClientOptions(
    authority: "https://xxxxxxxx.com",
    clientId: "mvc",
    clientSecret: "secret",
    scope: "openid profile api1 offline_access",
    redirectUri: WebAuthenticationBroker.GetCurrentApplicationCallbackUri().AbsoluteUri,
    webView: webView);
options.Style = OidcClientOptions.AuthenticationStyle.Hybrid;
options.ValidateIssuerName = false;

var client = new OidcClient(options);

Why did it fail with an authorization_code?

leastprivilege commented 7 years ago

It looks like the client is sending the PKCE parameters - but PKCE is not enabled on the server side. That's a client setting.

Is this identityserver 3 or 4?

pellea commented 7 years ago

The server is IdentityServer 4.

leastprivilege commented 7 years ago

Then set RequirePkce on the client

pellea commented 7 years ago

Thank you! It's working!
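As an added illustration (not IdentityServer's or OidcClient's code), a small model of the server-side check behind the "Unexpected code_verifier" log line above: the RFC 7636 S256 derivation the client performs, and a token-request validator that only accepts a code_verifier when the registered client has RequirePkce set, which is the client/server mismatch this thread resolves. The Client and StoredCode types are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

def make_code_verifier() -> str:
    """Random RFC 7636 code_verifier (43..128 unreserved chars)."""
    return secrets.token_urlsafe(64)  # 86 URL-safe chars, within range

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

@dataclass
class Client:
    client_id: str
    require_pkce: bool  # the server-side client setting from the thread (assumed model)

@dataclass
class StoredCode:
    client_id: str
    code_challenge: Optional[str]  # None if the authorize request carried no challenge

def validate_token_request(client: Client, stored: StoredCode, raw: dict) -> Tuple[bool, str]:
    """Model (not IdentityServer's code) of the token-request PKCE check:
    a code_verifier is only accepted when the client has require_pkce set,
    otherwise the request fails as invalid_grant / 'Unexpected code_verifier'."""
    if stored.client_id != client.client_id:
        return False, "Code was issued to a different client"
    verifier = raw.get("code_verifier")
    if not client.require_pkce:
        if verifier is not None:
            return False, "Unexpected code_verifier"
        return True, "ok"
    if verifier is None or stored.code_challenge is None:
        return False, "Missing code_verifier or code_challenge"
    if not 43 <= len(verifier) <= 128:
        return False, "code_verifier length out of range"
    # Constant-time comparison of the recomputed challenge with the stored one
    if not hmac.compare_digest(s256_challenge(verifier), stored.code_challenge):
        return False, "Transformed code_verifier does not match code_challenge"
    return True, "ok"
```

With require_pkce False the validator rejects any request that carries a code_verifier, exactly the failure in the log; flipping it to True makes the same request succeed.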