openiddict / openiddict-core

Flexible and versatile OAuth 2.0/OpenID Connect stack for .NET
https://openiddict.com/
Apache License 2.0

I'm unable to get the authorization code when trying to authenticate an application with OpenIdDict #2013

Closed LinneyDew closed 7 months ago

LinneyDew commented 7 months ago

Confirm you've already contributed to this project or that you sponsor it

Version

5.2.0

Question

I made an authorization server using OpenIdDict and it all seems to be working okay. It works when I call it using Postman, Swagger and www.oidcdebugger.com.

However, when I try to call it from my own application I can't seem to find the "code" which should be returned so I can then use it in the call to the token exchange.

This is my first time using OpenIdDict and .NET Core so I'm not 100% exactly sure what I'm doing but everything seems to be working and I have a feeling I'm just missing something that should be obvious.

I also posted this question on Stack Overflow. https://stackoverflow.com/questions/78070848/im-unable-to-get-the-authorization-code-when-trying-to-authenticate-an-applicat

            var user = HttpContext.User?.Identity?.Name;
            using (var client = new HttpClient())
            {
                var authorizationToken = Convert.ToBase64String(Encoding.UTF8.GetBytes($"web-client:901564A5-E7FE-42CB-B10D-61EF6A8F3654"));

                client.DefaultRequestHeaders.Authorization = new("Basic", authorizationToken);
                client.DefaultRequestHeaders.Accept.Add(new("application/json")); // This might need to be adjusted, depending on your response format

                var urlAuthorize = new Uri("https://localhost:7000/connect/authorize");
                var paramAuthorize = new Dictionary<string, string>()
                {
                    {"client_id", "web-client"},
                    {"client_secret","901564A5-E7FE-42CB-B10D-61EF6A8F3654"},
                    {"response_type","code"},
                    {"grant_type","code"},
                    {"redirect_uri", "https://localhost:7002/swagger/oauth2-redirect.html"},
                    {"state", "VHVlIEZlYiAyNyAyMDI0IDA2OjUwOjUzIEdNVC0wNTAwIChFYXN0ZXJuIFN0YW5kYXJkIFRpbWUp"}
                };
                var encodedContentAuthorize = new FormUrlEncodedContent(paramAuthorize);
                var responseAuthorize = await client.PostAsync(urlAuthorize, encodedContentAuthorize).ConfigureAwait(false);

                responseAuthorize.EnsureSuccessStatusCode();

                return Ok();
            }

kevinchalet commented 7 months ago

Hi,

There are multiple issues with your snippet:

Consider using a real OAuth 2.0/OpenID Connect client stack instead of trying to implement that yourself. The OpenIddict client is an excellent choice for interactive flows like the code flow. You can find a lot of samples in the dedicated repo: https://github.com/openiddict/openiddict-samples
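For reference, in the OAuth 2.0 code flow (RFC 6749) the browser is redirected to the authorization endpoint and the `code` comes back as a query parameter on the `redirect_uri`, not in the body of a back-channel POST response. The sketch below is an added example, not code from this thread or from OpenIddict; the class and method names are hypothetical, PKCE support on the server is assumed, and the callback URL in `Main` is constructed sample input.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web; // HttpUtility.ParseQueryString

static class CodeFlowSketch // hypothetical name, for illustration only
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds the URL the *browser* is sent to. client_secret and grant_type are
    // token-request parameters and do not belong in the authorization request.
    public static (Uri Url, string State, string Verifier) BuildAuthorizationRequest(
        string authorizeEndpoint, string clientId, string redirectUri)
    {
        var state = B64Url(RandomNumberGenerator.GetBytes(32));    // CSRF protection
        var verifier = B64Url(RandomNumberGenerator.GetBytes(32)); // PKCE (assumed enabled)
        var challenge = B64Url(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));

        var query = HttpUtility.ParseQueryString(string.Empty);
        query["client_id"] = clientId;
        query["response_type"] = "code";
        query["redirect_uri"] = redirectUri;
        query["state"] = state;
        query["code_challenge"] = challenge;
        query["code_challenge_method"] = "S256";
        return (new Uri($"{authorizeEndpoint}?{query}"), state, verifier);
    }

    // Reads the authorization response from the redirect_uri callback and
    // rejects it unless the state matches the one stored for this session.
    public static string ExtractCode(Uri callback, string expectedState)
    {
        var q = HttpUtility.ParseQueryString(callback.Query);
        if (q["error"] is string error)
            throw new InvalidOperationException($"Authorization failed: {error}");
        var returned = Encoding.UTF8.GetBytes(q["state"] ?? "");
        if (!CryptographicOperations.FixedTimeEquals(returned, Encoding.UTF8.GetBytes(expectedState)))
            throw new InvalidOperationException("State mismatch: discard this response.");
        return q["code"] ?? throw new InvalidOperationException("No code in callback.");
    }

    static void Main()
    {
        var req = BuildAuthorizationRequest("https://localhost:7000/connect/authorize",
            "web-client", "https://localhost:7002/swagger/oauth2-redirect.html");
        Console.WriteLine(req.Url); // redirect the user's browser here
        // Constructed sample callback; a real one arrives as an HTTP request to redirect_uri.
        var callback = new Uri("https://localhost:7002/swagger/oauth2-redirect.html" +
            $"?code=SAMPLE_CODE&state={Uri.EscapeDataString(req.State)}");
        Console.WriteLine(ExtractCode(callback, req.State)); // SAMPLE_CODE
    }
}
```

The returned code is then exchanged at the token endpoint together with the stored PKCE verifier and the client credentials, which should come from configuration rather than source code.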

kevinchalet commented 7 months ago

Doing some housecleaning, but feel free to reopen if you need additional details 😃

LinneyDew commented 7 months ago

Kevin,

Thanks for checking back in. I meant to reply to you last week but I was up to my neck in alligators.

Unfortunately, my client wants to do some special processing so we need to partially roll our own solution.

I got my code working. My problem was due to me not understanding what was being returned. Your response did help because it let me know that what I was doing was basically correct.

Thanks for your response and thanks for the OpenIDDict libraries. And thank you for your quick responses.

Best regards, Linney

From: Kévin Chalet
Sent: Friday, March 1, 2024 11:21 AM
To: openiddict/openiddict-core
Cc: Linney Dew; Author
Subject: Re: [openiddict/openiddict-core] I'm unable to get the authorization code when trying to authenticate an application with OpenIdDict (Issue #2013)

> Doing some housecleaning, but feel free to reopen if you need additional details 😃


kevinchalet commented 7 months ago

Hey,

> Thanks for checking back in. I meant to reply to you last week but I was up to my neck in alligators.

No worries 👍🏻

> Unfortunately, my client wants to do some special processing so we need to partially roll our own solution.

The OpenIddict client has a very powerful events model that allows customizing each aspect of the request processing. Out of curiosity, can you tell me more about that special processing?

> Thanks for your response and thanks for the OpenIDDict libraries. And thank you for your quick responses.

Thanks for your kind words.