dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

[ldap example]Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:johndoe@example.com\"] #2559

Open leopku opened 2 years ago

leopku commented 2 years ago

Version

2.32.0

Storage Type

SQLite

Installation Type

Binary

Expected Behavior

Success login via http://localhost:5555/

Actual Behavior

invalid_scope: Client can't request scope(s) ["audience:server:client_id:johndoe@example.com"]

Steps To Reproduce

  1. docker-compose up -d
  2. ./bin/dex serve examples/ldap/config-ldap.yaml
  3. ./example-app
  4. login via http://127.0.0.1:5555/

Additional Information

No response

Configuration

issuer: http://127.0.0.1:5556/dex
storage:
  type: sqlite3
  config:
    file: examples/dex.db
web:
  http: 0.0.0.0:5556

connectors:
- type: ldap
  name: OpenLDAP
  id: ldap
  config:
    # The following configurations seem to work with OpenLDAP:
    #
    # 1) Plain LDAP, without TLS:
    host: localhost:389
    insecureNoSSL: true
    #
    # 2) LDAPS without certificate validation:
    #host: localhost:636
    #insecureNoSSL: false
    #insecureSkipVerify: true
    #
    # 3) LDAPS with certificate validation:
    #host: YOUR-HOSTNAME:636
    #insecureNoSSL: false
    #insecureSkipVerify: false
    #rootCAData: 'CERT'
    # ...where CERT="$( base64 -w 0 your-cert.crt )"

    # This would normally be a read-only user.
    bindDN: cn=admin,dc=example,dc=org
    bindPW: admin

    usernamePrompt: Email Address

    userSearch:
      baseDN: ou=People,dc=example,dc=org
      filter: "(objectClass=person)"
      username: mail
      # "DN" (case sensitive) is a special attribute name. It indicates that
      # this value should be taken from the entity's DN not an attribute on
      # the entity.
      idAttr: DN
      emailAttr: mail
      nameAttr: cn

    groupSearch:
      baseDN: ou=Groups,dc=example,dc=org
      filter: "(objectClass=groupOfNames)"

      userMatchers:
        # A user is a member of a group when their DN matches
        # the value of a "member" attribute on the group entity.
      - userAttr: DN
        groupAttr: member

      # The group name should be the "cn" value.
      nameAttr: cn

staticClients:
- id: example-app
  redirectURIs:
  - 'http://127.0.0.1:5555/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0

Logs

time="2022-06-20T08:14:01Z" level=info msg="config issuer: http://127.0.0.1:5556/dex"
time="2022-06-20T08:14:01Z" level=info msg="config storage: sqlite3"
time="2022-06-20T08:14:01Z" level=info msg="config static client: Example App"
time="2022-06-20T08:14:01Z" level=info msg="config connector: ldap"
time="2022-06-20T08:14:01Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-06-20T08:14:01Z" level=info msg="listening (http) on 0.0.0.0:5556"
time="2022-06-20T08:14:22Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:janedoe@example.com\"]"
time="2022-06-20T08:15:30Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:janedoe@example.com\"]"
time="2022-06-20T08:16:03Z" level=error msg="Failed to parse authorization request: Unrecognized scope(s) [\"ou=Groups,dc=example,dc=org\"]"
time="2022-06-20T08:18:00Z" level=error msg="Failed to parse authorization request: Unrecognized scope(s) [\"groups,email\"]"
time="2022-06-20T08:19:42Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:cli-app\" \"audience:server:client_id:janedoe@example.com\"]"
time="2022-06-20T08:19:53Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:janedoe@example.com\"]"
time="2022-06-20T08:20:02Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:janedoe@example.com\"]"
time="2022-06-20T08:21:46Z" level=error msg="Failed to parse authorization request: Unrecognized scope(s) [\"groups,cn\"]"
time="2022-06-20T08:21:55Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:janedoe@example.com\"]"
time="2022-06-20T08:25:02Z" level=error msg="Failed to parse authorization request: Invalid client_id (\"\")."
time="2022-06-20T08:26:18Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:johndoe@example.com\"]"
time="2022-06-20T08:41:30Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:johndoe@example.com\"]"
time="2022-06-20T08:41:38Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:johndoe@example.com\"]"
time="2022-06-20T08:43:49Z" level=error msg="Failed to parse authorization request: Client can't request scope(s) [\"audience:server:client_id:johndoe@example.com\"]"

nabokihms commented 2 years ago

Hello, @leopku. It seems that the problem is related to the example app and how you send a request to Dex. The provided errors show that the requests are invalid.

  1. Could you please elaborate more on which parameters you specified in the example app form?
  2. We need to see your browser queries to Dex to debug further.

leopku commented 2 years ago

@nabokihms Thanks.

The example app was the original example app of dex with no changes.

kastl-ars commented 5 months ago

I have the same issue. I tried many different things on the example-app page:

(I am currently trying to put the whole example into docker-compose for testing, including building the example-app. Quite tricky, as the URLs need to be both reachable inside the container and in the Browser outside. But I doubt that this is the actual problem here, as I can get to the error message quite fine...)

kastl-ars commented 5 months ago

Hu, not entering any values in the example-app page leads me to dex, where I can select "Log in with OpenLDAP" and get user/password fields. And then I get an LDAP-related error, so I guess at least the example-app -> dex thingy works...

kastl-ars commented 5 months ago

OK, so I think the LDAP example needs some rephrasing, as everything seems to work if you do not enter anything on the example-app page but only click on the button. Then you can enter the credentials and log in via LDAP.
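The two error families in the issue's log (`Unrecognized scope(s)` and `Client can't request scope(s)`) and kastl-ars's observation that the login only works when the example-app form is left empty fit one explanation: text typed into the form fields is turned into scopes. The following Go program is an added example written for this thread, not code from dex or its example-app. It models how free-text form fields become a scope list (assumption: extra scopes are split on whitespace, each comma-separated entry in a cross-client field becomes an `audience:server:client_id:<id>` scope) and how a provider classifies the result: a scope that is neither a recognised scope nor an audience scope is unrecognised, and an audience scope for a client that does not exist or does not list the requester as a trusted peer is one the client cannot request. The `Client`, `knownScopes` and `trustedPeers` model are simplifications introduced here for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Client is a minimal model of a static OIDC client: its id and the ids of the
// peers it trusts to request tokens with its audience (assumption: a simplified
// stand-in for the trustedPeers idea; not dex's own type).
type Client struct {
	ID           string
	TrustedPeers []string
}

// Scopes this model recognises. A real provider has a longer list; this subset
// is an assumption made for the example.
var knownScopes = map[string]bool{
	"openid": true, "email": true, "profile": true, "groups": true, "offline_access": true,
}

const audiencePrefix = "audience:server:client_id:"

// buildScopes models how a login form turns free text into a scope list:
// the extra-scopes field is split on whitespace (so "groups,email" stays one
// token) and every comma-separated entry in the cross-client field becomes
// an audience:server:client_id:<id> scope.
func buildScopes(extraScopes, crossClients string, offline bool) []string {
	scopes := []string{"openid", "profile", "email"}
	scopes = append(scopes, strings.Fields(extraScopes)...)
	for _, c := range strings.Split(crossClients, ",") {
		if c = strings.TrimSpace(c); c != "" {
			scopes = append(scopes, audiencePrefix+c)
		}
	}
	if offline {
		scopes = append(scopes, "offline_access")
	}
	return scopes
}

// validateScopes classifies a requested scope list the way the log lines do.
// Unknown tokens are "unrecognized"; audience scopes whose target client is
// missing or does not trust the requester are ones the client "can't request".
// Both results are returned sorted; both empty means the request passes.
func validateScopes(requester string, scopes []string, clients map[string]Client) (unrecognized, cannotRequest []string) {
	for _, s := range scopes {
		switch {
		case knownScopes[s]:
			continue
		case strings.HasPrefix(s, audiencePrefix):
			target := strings.TrimPrefix(s, audiencePrefix)
			// A missing target yields the zero Client, which trusts nobody.
			if target == requester || trusts(clients[target], requester) {
				continue
			}
			cannotRequest = append(cannotRequest, s)
		default:
			unrecognized = append(unrecognized, s)
		}
	}
	sort.Strings(unrecognized)
	sort.Strings(cannotRequest)
	return unrecognized, cannotRequest
}

func trusts(c Client, peer string) bool {
	for _, p := range c.TrustedPeers {
		if p == peer {
			return true
		}
	}
	return false
}

// errorMessage renders the classification in the same shape as the log lines.
func errorMessage(unrecognized, cannotRequest []string) string {
	if len(unrecognized) > 0 {
		return fmt.Sprintf("Unrecognized scope(s) %q", unrecognized)
	}
	if len(cannotRequest) > 0 {
		return fmt.Sprintf("Client can't request scope(s) %q", cannotRequest)
	}
	return ""
}

func main() {
	// Constructed client set: cli-app trusts example-app, nothing else is trusted.
	clients := map[string]Client{
		"example-app": {ID: "example-app"},
		"cli-app":     {ID: "cli-app", TrustedPeers: []string{"example-app"}},
	}
	// Constructed form inputs: an email typed into the cross-client field,
	// a comma-separated list typed into the extra-scopes field, a trusted
	// cross-client request, and the empty form that kastl-ars found works.
	inputs := []struct{ extra, cross string }{
		{"", "johndoe@example.com"}, {"groups,email", ""}, {"groups", "cli-app"}, {"", ""},
	}
	for _, in := range inputs {
		scopes := buildScopes(in.extra, in.cross, false)
		u, c := validateScopes("example-app", scopes, clients)
		fmt.Printf("%v -> %q\n", scopes, errorMessage(u, c))
	}
}
```

Run with `go run`; the first two inputs reproduce the two error shapes from the log, the third passes because the target client trusts the requester, and the empty form passes with only the default scopes. From a defender's point of view the useful property is that the provider rejects the whole authorization request before any login happens, so a misfilled form (or a client probing for another client's audience) never produces a token.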