panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Userinfo request for a client credentials flow #207

Closed fcgdam closed 4 years ago

fcgdam commented 4 years ago

Hi, sorry if this is a basic question and probably not an issue with the OpenID client, most likely a misunderstanding on my part, anyway:

I'm doing some tests with OAuth and started with the Client Credentials flow. I'm using as the provider the openid-provider node library.

The issue is that I can request a token and introspect a token, but if I request the userinfo, it fails with a "token not found" exception. I'm probably assuming that if I request a token from the AS that was validated with the client credentials flow, then I could ask what user the token is associated with, namely on the RS.

In this gist: https://gist.github.com/fcgdam/dd44fd32c6d98e9a66c75480f330bc49 is the example.

Everything works fine, except the request for `client.userinfo`. The stack trace:

```
(node:420995) UnhandledPromiseRejectionWarning: OPError: invalid_token (invalid token provided)
    at throwAuthenticateErrors (/opt/oauth/client/oidc-client/node_modules/openid-client/lib/helpers/process_response.js:18:11)
    at processResponse (/opt/oauth/client/oidc-client/node_modules/openid-client/lib/helpers/process_response.js:35:7)
    at Client.userinfo (/opt/oauth/client/oidc-client/node_modules/openid-client/lib/client.js:964:18)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at async GetAccessToken (/opt/oauth/client/oidc-client/cc-test.js:36:22)
```

On the server side:

```
oidc-provider:introspection uid=uIbeTH_UoGezOI8Dd6snd by client=user1 token=ZO84W1cf-Ewq-GqTDVtSHgLQZFWrc4WZp60jJVBehzg response={ active: true, client_id: 'user1', exp: 1573211558, iat: 1573210958, sid: undefined, iss: undefined, jti: 'ZO84W1cf-Ewq-GqTDVtSHgLQZFWrc4WZp60jJVBehzg', aud: undefined, scope: 'openid profile', cnf: undefined, token_type: 'Bearer' } +2m
POST /token/introspection 200 1.674 ms - 170
oidc-provider:bearer uid=Fp377dejn3qEbU1AfkLYW received access token via { header: 'Bearer ZO84W1cf-Ewq-GqTDVtSHgLQZFWrc4WZp60jJVBehzg' } +16m
oidc-provider:error uid=Fp377dejn3qEbU1AfkLYW path=/me method=GET error={ error: 'invalid_token', error_description: 'invalid token provided' } detail=access token not found +16m
GET /me 401 2.340 ms - 70
```

Thanks for any help or tips.

panva commented 4 years ago

@fcgdam

> most likely a misunderstanding on my part

`grant_type=client_credentials` tokens are not access tokens related to an end-user; therefore, they can't be used at the userinfo endpoint to get any claims.
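The distinction above is visible in the introspection response logged in the issue: it names a `client_id` but no `sub`, so there is no end-user for the userinfo endpoint to describe. The following is an added example, not code from openid-client, oidc-provider or either participant in this thread. It takes an RFC 7662 introspection response and decides which endpoints the token can meaningfully be presented to, so a relying party can fail early instead of making a 401 round trip to `/me`. The two sample responses are constructed: the first is shaped like the one in the log, the second adds a `sub` the way a token from an end-user flow would carry one; the function names, the `now` parameter and the `'user-42'` subject are all assumptions of the example.

```javascript
'use strict';

// Added example; not part of openid-client or of the thread above.
// Models the check a client or resource server should make before
// calling the userinfo endpoint: does this token identify an end-user?
// Per RFC 7662 the "sub" claim is only present for tokens issued on
// behalf of a user. grant_type=client_credentials tokens name the client.

// Constructed sample, shaped like the oidc-provider introspection
// response in the issue log (client_id 'user1', openid scope, no sub).
const CLIENT_CREDENTIALS_TOKEN = {
  active: true,
  client_id: 'user1',
  exp: 1573211558,
  iat: 1573210958,
  jti: 'ZO84W1cf-Ewq-GqTDVtSHgLQZFWrc4WZp60jJVBehzg',
  scope: 'openid profile',
  token_type: 'Bearer',
};

// Constructed sample of a user-bound token (as the authorization code
// flow would yield): same shape plus a subject identifier (assumed value).
const USER_TOKEN = {
  ...CLIENT_CREDENTIALS_TOKEN,
  jti: 'constructed-user-token-id',
  sub: 'user-42',
};

// Classify an introspection response. `now` (seconds since epoch) is
// injectable so the result is deterministic; the sample exp/iat values
// above date from November 2019 and are long expired against real time.
function classifyToken(introspection, now = Math.floor(Date.now() / 1000)) {
  if (!introspection || introspection.active !== true) return 'inactive';
  if (typeof introspection.exp === 'number' && introspection.exp <= now) return 'expired';
  if (typeof introspection.sub === 'string' && introspection.sub.length > 0) return 'user';
  if (typeof introspection.client_id === 'string') return 'client';
  return 'unknown';
}

// RFC 7662 "scope" is a space-separated string.
function hasScope(introspection, wanted) {
  const scopes = typeof introspection.scope === 'string' ? introspection.scope.split(' ') : [];
  return scopes.includes(wanted);
}

// Endpoints the token can be presented to. Introspection accepts any
// live token the AS issued; userinfo needs an end-user subject AND the
// openid scope. A client_credentials token never satisfies the first.
function allowedEndpoints(introspection, now) {
  const kind = classifyToken(introspection, now);
  if (kind !== 'user' && kind !== 'client') return [];
  const endpoints = ['introspection'];
  if (kind === 'user' && hasScope(introspection, 'openid')) endpoints.push('userinfo');
  return endpoints;
}

// Guard to run before client.userinfo(): raises the same error code the
// OP would return, but locally and with an explanation.
function assertUserinfoCapable(introspection, now) {
  if (!allowedEndpoints(introspection, now).includes('userinfo')) {
    const err = new Error('invalid_token: token is not bound to an end-user; ' +
      'client_credentials tokens cannot be used at the userinfo endpoint');
    err.error = 'invalid_token';
    throw err;
  }
  return true;
}

const NOW = 1573211000; // between iat and exp of the constructed samples
console.log(classifyToken(CLIENT_CREDENTIALS_TOKEN, NOW)); // client
console.log(allowedEndpoints(CLIENT_CREDENTIALS_TOKEN, NOW)); // [ 'introspection' ]
console.log(allowedEndpoints(USER_TOKEN, NOW)); // [ 'introspection', 'userinfo' ]
try {
  assertUserinfoCapable(CLIENT_CREDENTIALS_TOKEN, NOW);
} catch (e) {
  console.log(e.error); // invalid_token
}
```

The presence of `scope: 'openid profile'` on the client credentials token is a red herring: scope controls what claims a userinfo response may contain, but it cannot conjure up a subject for a token that was never issued to a user.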

fcgdam commented 4 years ago

Hi, thanks, that was what I was thinking.