search

ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0
15.63k stars 1.5k forks source link

Client authentication failed due to password contains character "+" #1622

Closed rickwang7712 closed 5 years ago

rickwang7712 commented 5 years ago

Describe the bug

A clear and concise description of what the bug is. Setting string like "6eYJ+6eYJ" as client_secret will cause "Client Authentication failed".

Reproducing the bug

Steps to reproduce the behavior:

  1. docker-compose up with hydra & postgres:9.6
  2. Add oauth2 client to hydra by admin endpoint with config like: "client_id": "webportal", "client_secret": "6eYJ+6eYJ", "post_logout_redirect_uris": ["https://demo.dev.com"], "redirect_uris": ["https://demo.dev.com", "https://demo.dev.com/login"], "scope": "openid userinfo", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code","id_token"], "grant_types": ["authorization_code"], "backchannel_logout_session_required": true, "backchannel_logout_uri": "https://demo.dev.com:8443/internal/v1/backchannel_logout"
  3. Request fails with response: {"some": "error"}

Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","status _code":401}

{"level":"info","method":"POST","msg":"started handling request","remote":"168.0.0.1:14222","request":"/oauth2/token","time":"2019-10-30T06:52:42Z"}
{"debug":"crypto/bcrypt: hashedPassword is not the hash of the given password","description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","error":"invalid_client","level":"error","msg":"An error occurred","time":"2019-10-30T06:52:42Z"}
{"level":"debug","msg":"Stack trace: \ngithub.com/ory/fosite.(*Fosite).AuthenticateClient\n\t/go/pkg/mod/github.com/ory/fosite@v0.30.0/client_authentication.go:204\ngithub.com/ory/fosite.(*Fosite).NewAccessRequest\n\t/go/pkg/mod/github.com/ory/fosite@v0.30.0/access_request_handler.go:81\ngithub.com/ory/hydra/oauth2.(*Handler).TokenHandler\n\t/go/src/github.com/ory/hydra/oauth2/handler.go:548\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2007\ngithub.com/julienschmidt/httprouter.(*Router).Handler.func1\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.2.0/params_go17.go:26\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.2.0/router.go:334\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2007\ngithub.com/ory/hydra/x.RejectInsecureRequests.func1\n\t/go/src/github.com/ory/hydra/x/tls_termination.go:83\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.73/metricsx/middleware.go:261\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/hydra/metrics/prometheus.(*MetricsManager).ServeHTTP\n\t/go/src/github.com/ory/hydra/metrics/prometheus/middleware.go:26\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/meatballhat/negroni-logrus.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/meatballhat/negroni-logrus@v0.0.0-20170801195057-31067281800f/middleware.go:136\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2802\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1890\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357","time":"2019-10-30T06:52:42Z"}

Server configuration

version: '3'

services:

  hydra-migrate:
    depends_on:
      - postgresd
    image: oryd/hydra:v1.0.8
    environment:
      - DSN=postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}/hydra?sslmode=disable
    command:
      migrate sql -e --yes
    restart: on-failure
  hydra:
    depends_on:
      - hydra-migrate
    image: oryd/hydra:v1.0.8
    volumes:
      - .:/config
    ports:
      - ${HYDRA_PUBLIC_PORT}:4444 # Public port
      - ${HYDRA_ADMIN_PORT}:4445 # Admin port
    command:
      serve all --config /config/config.yaml
    environment:
      - URLS_SELF_ISSUER=${HYDRA_URLS_SELF_ISSUER} # must set to public port
      - URLS_CONSENT=${HYDRA_URLS_CONSENT}
      - URLS_LOGIN=${HYDRA_URLS_LOGIN}
      - URLS_LOGOUT=${HYDRA_URLS_LOGOUT}
      - DSN=postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}/hydra?sslmode=disable
      - SECRETS_SYSTEM=${SECRETS_SYSTEM}
    restart: unless-stopped
  postgresd:
    image: postgres:9.6
    ports:
      - "5432:5432"
    environment:
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=hydra

Expected behavior

The password should support any character which can be typed on the keyboard.

Environment

Additional context I also tried secret with character "/", which will pass the secret check instead. If there is any restriction about cliect_secret, I think it should be described in the table below List OAuth 2.0 Clients.

aeneasr commented 5 years ago

You need to url-encode the secret/id

On 30. Oct 2019, at 07:59, rickwang7712 notifications@github.com wrote:  Describe the bug

A clear and concise description of what the bug is. Setting string like "6eYJ+6eYJ" will cause Client Authentication failed. related log: {"debug":"crypto/bcrypt: hashedPassword is not the hash of the given password","description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","error":"invalid_client","level":"error","msg":"An error occurred","time":"2019-10-30T06:34:05Z"}

Reproducing the bug

Steps to reproduce the behavior:

Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","status _code":401}

Server configuration

Expected behavior

The password should support any character which can be typed on the keyboard.

Environment

Version: v1.0.8+oryOS.12 Git Hash: f60c724 Build Time: 2019-10-04T07:10:20Z

Environment: Docker

Additional context I also tried secret with character "/", which will pass the secret check instead. If there is any restriction about cliect_secret, I think it should be described in the table below List OAuth 2.0 Clients.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

rickwang7712 commented 5 years ago

ahh...ok.... I found that I have to use '6eYJ%2B6eYJ' on client side if server set '6eYJ+6eYJ'. Maybe it's because I use Postman in a wrong way? I use raw JSON to send body data('6eYJ+6eYJ').

Thank you for your reply.

You need to url-encode the secret/id

On 30. Oct 2019, at 07:59, rickwang7712 @.***> wrote:  Describe the bug A clear and concise description of what the bug is. Setting string like "6eYJ+6eYJ" will cause Client Authentication failed. related log: {"debug":"crypto/bcrypt: hashedPassword is not the hash of the given password","description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","error":"invalid_client","level":"error","msg":"An error occurred","time":"2019-10-30T06:34:05Z"} Reproducing the bug Steps to reproduce the behavior: Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","status _code":401} Server configuration Expected behavior The password should support any character which can be typed on the keyboard. Environment Version: v1.0.8+oryOS.12 Git Hash: f60c724 Build Time: 2019-10-04T07:10:20Z Environment: Docker Additional context I also tried secret with character "/", which will pass the secret check instead. If there is any restriction about cliect_secret, I think it should be described in the table below List OAuth 2.0 Clients. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

aeneasr commented 5 years ago

Maybe it's because I use Postman in a wrong way? I use raw JSON to send body data('6eYJ+6eYJ').

Most likely, that's why we always encourage using standard libraries to interact with OAuth2 everywhere. It's simply the way HTTP Basic Authentication is defined in the context of OAuth2.

rickwang7712 commented 5 years ago

Sorry to bother, I would like to clarify more things.

I was saying that I use Postman to send admin api for creating/updating client. On the client side, I use golang/oauth2 library to send api to public endpoint.

Is there also a standard library or tool to interact with hydra’s admin endpoint? Or should I not using golang/oauth2 library on the client side?

Thanks!

Maybe it's because I use Postman in a wrong way? I use raw JSON to send body data('6eYJ+6eYJ').

Most likely, that's why we always encourage using standard libraries to interact with OAuth2 everywhere. It's simply the way HTTP Basic Authentication is defined in the context of OAuth2.

aeneasr commented 5 years ago

golang/oauth2 is a good choice for interacting with oauth2. so special client is needed for admin apis

On 30. Oct 2019, at 14:39, rickwang7712 notifications@github.com wrote:

 Sorry to bother, I would like to clarify more things.

I was saying that I use Postman to send admin api for creating/updating client. On the client side, I use golang/oauth2 library to send api to public endpoint.

Is there also a standard library or tool to interact with hydra’s admin endpoint? Or should I not using golang’s oauth2 library on the client side?

Thanks!

Maybe it's because I use Postman in a wrong way? I use raw JSON to send body data('6eYJ+6eYJ').

Most likely, that's why we always encourage using standard libraries to interact with OAuth2 everywhere. It's simply the way HTTP Basic Authentication is defined in the context of OAuth2.

— You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub, or unsubscribe.