logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0
8.73k stars 438 forks

bug: after changing application name getting: invalid_client #6180

Open phillipplum opened 4 months ago

phillipplum commented 4 months ago

Describe the bug

When you change the application name from a to b, I get no token and this error in the callback: invalid_client.

Expected behavior

How to reproduce?

  1. Create application with name a
  2. Login and test -> everything is fine
  3. Change application name to b
  4. Login and test -> get error: invalid_client

Context

Error message audit log

{
  "key": "ExchangeTokenBy.AuthorizationCode",
  "result": "Error",
  "error": "{\"stack\":\"InvalidClientAuth: invalid_client\\n    at auth (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/token_auth.js:177:17)\\n    at dispatch (/etc/logto/node_modules/.pnpm/koa-compose@4.1.0/node_modules/koa-compose/index.js:42:32)\\n    at loadClient (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/token_auth.js:161:15)\\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\\n    at async setWWWAuthenticateHeader (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/token_auth.js:52:11)\\n    at async selectiveBody (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/selective_body.js:49:5)\\n    at async noCache (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/no_cache.js:3:3)\\n    at async errorHandler (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/error_handler.js:26:7)\\n    at async ensureSessionSave (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/helpers/initialize_app.js:52:7)\\n    at async contextEnsureOidc (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/context_ensure_oidc.js:4:5)\\n    at async file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/helpers/initialize_app.js:222:5\\n    at async errorHandler (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/error_handler.js:26:7)\\n    at async file:///etc/logto/packages/core/build/middleware/koa-body-etag.js:11:9\\n    at async file:///etc/logto/packages/core/build/oidc/init.js:274:13\\n    at async file:///etc/logto/packages/core/build/middleware/koa-audit-log.js:98:13\\n    at async /etc/logto/node_modules/.pnpm/koa-mount@4.0.0/node_modules/koa-mount/index.js:58:5\",\"message\":\"invalid_client\",\"allow_redirect\":true,\"name\":\"InvalidClientAuth\",\"error\":\"invalid_client\",\"status\":401,\"statusCode\":401,\"expose\":true,\"error_description\":\"client authentication failed\",\"error_detail\":\"the provided authentication mechanism does not match the registered client authentication method\"}",
  "ip": "xxxxx",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36",
  "applicationId": "puxltrpej4aq1o4z5yudy",
  "params": {
    "code": "LWW44racvNqO9HI-6TaJHpIlj3f1t0SRtCXjilpnyYr",
    "client_id": "puxltrpej4aq1o4z5yudy",
    "grant_type": "authorization_code",
    "redirect_uri": "http://localhost:3000/auth/callback",
    "code_verifier": "YUb79NEFpuweX_1URg-6Qu497n5HloZJM62BFjT7oPqo7KgtTzOn-U2uyMI3GYtus1GPZzM3NFa7sied3cfN-g"
  },
  "tokenTypes": []
}

charIeszhao commented 4 months ago

I just tried and could not reproduce the same. When you change an application name, the ID would not be affected, and it shouldn't have caused this "invalid_client" error.

phillipplum commented 4 months ago

Yes, I also find it strange, and that's why we've been looking for a mistake on our part the whole time. The application was previously renamed, and after we didn't know what to do, I created a new application and then it worked again. When I renamed this application, it stopped working again.

In the logs you can also see that the applicationId is the same as the client_id.

It's our self-hosted test instance, so if there's anything I can do to help with data, login, etc. I'm happy to do that.
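Added example, not part of the thread and not Logto's own code: a small triage helper for audit log entries shaped like the one posted in the issue. It decodes the doubly serialized `error` field, surfaces `error_detail` and the throwing stack frame, and checks the `applicationId` / `client_id` match mentioned in the last comment. The name `triageAuditEntry`, the sample entry and its placeholder values are assumptions made for illustration.

```javascript
// Constructed sample with the same shape as the audit log entry in the issue.
// The stack is shortened and the code / code_verifier values are placeholders.
const sampleEntry = JSON.stringify({
  key: 'ExchangeTokenBy.AuthorizationCode',
  result: 'Error',
  error: JSON.stringify({
    stack: 'InvalidClientAuth: invalid_client\n' +
      '    at auth (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/token_auth.js:177:17)\n' +
      '    at loadClient (file:///etc/logto/node_modules/.pnpm/oidc-provider@8.4.6/node_modules/oidc-provider/lib/shared/token_auth.js:161:15)',
    name: 'InvalidClientAuth',
    error: 'invalid_client',
    status: 401,
    error_description: 'client authentication failed',
    error_detail: 'the provided authentication mechanism does not match the registered client authentication method',
  }),
  applicationId: 'puxltrpej4aq1o4z5yudy',
  params: {
    code: 'PLACEHOLDER_CODE',
    client_id: 'puxltrpej4aq1o4z5yudy',
    grant_type: 'authorization_code',
    redirect_uri: 'http://localhost:3000/auth/callback',
    code_verifier: 'PLACEHOLDER_VERIFIER',
  },
});

// Hypothetical helper: summarize one failed token-exchange entry.
function triageAuditEntry(raw) {
  const entry = typeof raw === 'string' ? JSON.parse(raw) : raw;
  // "error" is a JSON document serialized into a string, so decode it again.
  let err;
  try { err = JSON.parse(entry.error); } catch { err = { error: entry.error ?? null }; }
  const params = entry.params ?? {};
  const frames = (err.stack ?? '').split('\n').slice(1).map((l) => l.trim());
  // Client credentials that travel in the request body (RFC 6749, RFC 7523).
  // Assumption: header-borne credentials (HTTP Basic) do not appear in "params".
  const bodyCredentialNames = ['client_secret', 'client_assertion', 'client_assertion_type'];
  return {
    key: entry.key,
    error: err.error ?? null,
    status: err.status ?? null,
    detail: err.error_detail ?? err.error_description ?? null,
    throwSite: frames[0] ?? null,
    clientIdMatchesApplication: params.client_id === entry.applicationId,
    sentCodeVerifier: 'code_verifier' in params,
    credentialParams: bodyCredentialNames.filter((n) => n in params),
  };
}

console.log(triageAuditEntry(sampleEntry));
```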