Open crspybits opened 3 years ago
The redirect screen is:
It seems pretty clear that the registration isn't working as intended. This is what I get back from https://solidcommunity.net:
2021-09-05T21:52:32-0600 debug : JSONString: dict: [AnyHashable("client_name"): "Neebla", AnyHashable("redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("response_types"): "code id_token", AnyHashable("token_endpoint_auth_method"): "client_secret_post", AnyHashable("application_type"): "native", AnyHashable("grant_types"): ["authorization_code"]]
2021-09-05T21:52:32-0600 debug : postBody: 231 bytes
2021-09-05T21:52:32-0600 debug : Headers: Optional(["Content-Type": "application/json"])
2021-09-05T21:52:32-0600 debug : URL Request: https://solidcommunity.net/register
2021-09-05T21:52:33-0600 debug : Got registration response:
=============
OIDRegistrationResponse
clientID: Optional("b58943520f434e9a9e0f34fe9dd5416e")
clientIDIssuedAt: Optional(2021-09-06 03:52:33 +0000)
clientSecret: Optional("19ba89...[redacted]")
clientSecretExpiresAt: Optional(2021-09-06 03:52:33 +0000)
registrationAccessToken: Optional("eyJhbG...[redacted]")
registrationClientURI: Optional(https://solidcommunity.net/register/b58943520f434e9a9e0f34fe9dd5416e)
additionalParameters: ["id_token_signed_response_alg": RS256, "application_type": native, "token_endpoint_auth_method": client_secret_post, "grant_types": <__NSSingleObjectArrayI 0x600001ee9010>(
authorization_code
)
, "response_types": code id_token, "client_name": Neebla, "redirect_uris": <__NSSingleObjectArrayI 0x600001ee9030>(
biz.SpasticMuffin.Neebla.demo:/mypath
)
]
=============
2021-09-05T21:52:33-0600 debug : requestURL: https://solidcommunity.net/authorize?nonce=neHnh3WmDUYoppLdMYfba4mT-LKNH9H03zYpxYLmN48&code_challenge=dMu_UVkl3Zr3hTBZwyJMyfrT0OZvPkgTwLX_Teb-BF0&state=OqHwOsifmD1wtq-_8szmpcyeMommqY3QRrrsAcYd2DQ&code_challenge_method=S256&client_id=b58943520f434e9a9e0f34fe9dd5416e&scope=profile%20openid%20webid%20offline_access&response_type=code%20id_token&redirect_uri=biz.SpasticMuffin.Neebla.demo:/mypath
But I should probably use https://trinpod.net as the issuer. However, that shows exactly the same blank screen and result:
2021-09-05T21:57:38-0600 debug : JSONString: dict: [AnyHashable("client_name"): "Neebla", AnyHashable("token_endpoint_auth_method"): "client_secret_post", AnyHashable("application_type"): "native", AnyHashable("redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("response_types"): "code id_token", AnyHashable("grant_types"): ["authorization_code"]]
2021-09-05T21:57:38-0600 debug : postBody: 231 bytes
2021-09-05T21:57:38-0600 debug : Headers: Optional(["Content-Type": "application/json"])
2021-09-05T21:57:38-0600 debug : URL Request: https://trinpod.us/register
2021-09-05T21:57:38-0600 debug : Got registration response:
=============
OIDRegistrationResponse
clientID: Optional("2A487882-5492-41F2-8DBE-55244B40E646")
clientIDIssuedAt: nil
clientSecret: nil
clientSecretExpiresAt: nil
registrationAccessToken: nil
registrationClientURI: nil
additionalParameters: ["redirect_uris": <__NSSingleObjectArrayI 0x6000029c8a20>(
biz.SpasticMuffin.Neebla.demo:/mypath
)
]
=============
2021-09-05T21:57:38-0600 debug : requestURL: https://trinpod.us/authorize?client_id=2A487882-5492-41F2-8DBE-55244B40E646&state=VdW8PSOkbRVeeDPM5hNbZD6wuAoq3bE8FeDFetPEXbs&scope=webid%20offline_access%20openid%20profile&nonce=pLB2p--nYA8PzAwUZOmuXQ_coEecgYO6sxXkZQxykVg&code_challenge=i-A3I0kKNGG_CUpyZ59MgHclroDFowkye99krusH5Sw&redirect_uri=biz.SpasticMuffin.Neebla.demo:/mypath&code_challenge_method=S256&response_type=code%20id_token
I'm noticing that I'm using client_secret_post, but during discovery from the server:
"token_endpoint_auth_methods_supported":["client_secret_basic"],
I'm confused right now about where client_secret_basic vs client_secret_post ought to be used.
9. Client Authentication: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication suggests this is: when using the Token Endpoint
However, https://solid.github.io/solid-oidc/primer/#authorization-code-pkce-flow-step-14 suggests to use a DPoP token. These seem conflicting statements.
I made some changes and am having pretty good success with the broker.pod.inrupt.com issuer. See https://github.com/crspybits/SolidAuthSwift/issues/3#issuecomment-917444824
However, these changes don't help with trinpod. I still get the same blank screen.
Taking an example from https://connect2id.com/products/server/docs/guides/client-registration, I'm beginning to think that trinpod just doesn't support dynamic registration:
curl -s -XPOST -H "Content-Type:application/json" \
-d '{"redirect_uris":["biz.SpasticMuffin.Neebla.demo:/mypath"]}' \
https://trinpod.us/register
RESULT:
{"client_id":"8A2782CD-5D1F-475D-B016-733AD193F455","redirect_uris":["biz.SpasticMuffin.Neebla.demo:\/mypath"]}
There is no client secret in the response as I'd expect. See also https://connect2id.com/products/server/docs/guides/client-registration
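The two comments above turn on which client authentication the token endpoint expects (client_secret_basic vs client_secret_post, taken from discovery) and on a registration response that carries no client_secret at all. As an added illustration, not code from SolidAuthSwift or from the original thread (the token endpoint host, the client_id/secret and the codes are constructed placeholders), this Python picks the method from the discovery document and builds the token request either way; DPoP proof binding is a separate step and is not modelled here.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Constructed sample inputs (not real server responses); their shape mirrors the
# discovery snippet and registration responses quoted in the thread.
DISCOVERY = {
    "token_endpoint": "https://issuer.example/token",  # placeholder host
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
}
REG_WITH_SECRET = {"client_id": "abc123", "client_secret": "s3cr3t"}  # constructed
REG_NO_SECRET = {"client_id": "2A487882-5492-41F2-8DBE-55244B40E646"}  # no secret issued


def choose_auth_method(discovery, registration):
    """Pick the client authentication method for the token endpoint.

    No client_secret in the registration response means the server treats us as a
    public client, so the only option is 'none' (client_id in the body, protected by
    PKCE). Otherwise use the first secret-based method the server advertises;
    client_secret_basic is the OIDC default when the list is absent from discovery.
    """
    supported = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret" not in registration:
        return "none"
    for method in ("client_secret_basic", "client_secret_post"):
        if method in supported:
            return method
    raise ValueError(f"no usable client auth method among {supported}")


def build_token_request(discovery, registration, code, code_verifier, redirect_uri):
    """Return (url, headers, form-encoded body) for the authorization_code exchange."""
    method = choose_auth_method(discovery, registration)
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,  # PKCE: proves we started this authorization
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, then HTTP Basic in a header
        cred = quote_plus(registration["client_id"]) + ":" + quote_plus(registration["client_secret"])
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        # Same credentials, but carried as fields of the POST body instead
        form["client_id"] = registration["client_id"]
        form["client_secret"] = registration["client_secret"]
    else:
        # Public client: identify only; nothing secret is sent, PKCE does the binding
        form["client_id"] = registration["client_id"]
    return discovery["token_endpoint"], headers, urlencode(form)
```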
I just tried this again. Getting the same result.
2021-10-16T20:26:56-0600 debug : JSONString: dict: [AnyHashable("grant_types"): ["refresh_token", "authorization_code"], AnyHashable("client_name"): "Neebla", AnyHashable("post_logout_redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("token_endpoint_auth_method"): "client_secret_basic", AnyHashable("application_type"): "native", AnyHashable("redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("response_types"): ["code"]]
2021-10-16T20:26:56-0600 debug : postBody: 312 bytes
2021-10-16T20:26:56-0600 debug : Headers: Optional(["Content-Type": "application/json"])
2021-10-16T20:26:56-0600 debug : URL Request: https://trinpod.us/register
2021-10-16T20:26:57-0600 debug : Got registration response:
=============
OIDRegistrationResponse
clientID: Optional("5E732CDD-8C77-4265-87DD-997468704FDA")
clientIDIssuedAt: nil
clientSecret: nil
clientSecretExpiresAt: nil
registrationAccessToken: nil
registrationClientURI: nil
additionalParameters: ["redirect_uris": <__NSSingleObjectArrayI 0x600003d68960>(
biz.SpasticMuffin.Neebla.demo:/mypath
)
]
=============
Hey there @crspybits, happy new year. I've been experimenting with my own server and ran into this bug. I'm using the latest version of Community Solid Server. In my experimentation CSS is rejecting the client because the redirect_url is not "Secure".
The particular error I am seeing in Debug is: :/mypath#error=unauthorized_client&error_description=requested%20response_type%20is%20not%20allowed%20for%20this%20client
If I prepend an https:// to my redirect URL it clears up the response_type error, but it is not handled properly by the web view (redirect error).
I'm still investigating but it appears that CSS, in a default state, is validating the redirect URL for security when id_token is included (which was the only token claim available in the default server I setup).
I'm still getting familiar with AppAuth and reviewing your sample libraries, but it seems that we either need to add internal app urls to the validation in CSS somehow, or approach this a different way. (I'm currently reviewing how AppAuth handles the redirect url).
If you have any thoughts please let me know!
Your public Solid POD URL will be: https://crspybits.trinpod.us
Your public Solid WebID will be: https://crspybits.trinpod.us/i
I used https://crspybits.trinpod.us as the issuer.
My logs show: