oauth2 device grant flow - reauthenticate problem

[jaceksocha]

Hi

We are investigating problem with reauthentication when using oauth2 device grant flow.

===============

How to reproduce:

oidc-agent version: 5.0.1

platform: Windows, Linux, macOS

our configuration:

oidc-gen <CONFIG_NAME> \ --issuer=https://login.microsoftonline.com/<TENANT>/v2.0 \ --flow=device \ --pub \ --client-id=<APP_ID> \ --client-secret= \ --redirect-url=http://localhost:2001 \ --confirm-default \ --scope=profile

steps: when launching reauthentication

oidc-gen <CONFIG_NAME> --reauthenticate Enter decryption password for account config '<CONFIG_NAME>': Generating account configuration ... accepted To continue and approve the registered client visit the following URL in a Browser of your choice: https://login.microsoftonline.com/****/oauth2/v2.0/authorize?response_type=code&client_id=****&redirect_uri=http%3A%2F%2Flocalhost%3A2001&scope=profile%20openid%20offline_access&prompt=consent&state=****&access_type=offline Polling oidc-agent to get the generated account configuration .................

browser has been launched in proper way, after grant, the redirect was to: http://localhost:2001/?code=****&state=****&session_state=****

and I get in browser error:

An error occurred during code exchange. Error: invalid_client: AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. Trace ID: **** Correlation ID: **** Timestamp: 2024-01-14 20:42:53Z Please try calling oidc-gen with the following command: oidc-gen --codeExchange='http://localhost:2001?code=****

oidc-gen command stuck on: Polling oidc-agent to get the generated account configuration .................

Have you encountered such behavior ?

[zachmann]

There are two points to this:

• You used the device flow for generating the account config, however, the agent does not remember this and when doing the reauthentication it uses the authorization code flow. You can use the device flow with the reauthentication by telling the agent to do so: oidc-gen --reauthenticate --flow=device I would assume that this should fix the problem.
• On another page there is the error you get on the authorization code flow. You use a public client without a client secret, so we don't send a client secret in the code exchange request; however it seems like microsoft expects a secret in the request.

[jaceksocha]

Hi

Sorry for late response, in meantime we found reason of the problem. The problem was idp configuration on our site, oidc-agent works in proper way.

Greetings.