Closed EmDee closed 4 years ago
You could improve your setup by using a random state for every request. PKCE also handles CSRF protection for you, but I can't see at first glance that GitLab actually supports PKCE. So please, use a random state parameter.
Otherwise you're good, and you should poke GitLab for an explanation of the error; the client is making a conformant request.
Thanks for the help. Here is the related GitLab issue as a reference: https://gitlab.com/gitlab-org/gitlab/-/issues/213643
A stupid guess: if they for whatever reason started forcing client_secret_basic auth in January, try setting your client's token_endpoint_auth_method to client_secret_basic.
The client uses the standard client_secret_basic by default.
Also, they mention "includes an unsupported parameter value" and they don't seem to support PKCE (from looking at their openid-configuration endpoint), in which case try not using it and use a random state, as I said before.
Needless to say, both behaviours are not conformant. Every AS must support client_secret_basic, and all token_endpoint implementations must ignore unrecognized parameters.
Problem
I am using Gitlab.com as OAuth provider. My setup has worked in the past, but in the past month or two I keep getting the following error from the openid-client:
I traced the error back to a 401 response from the token endpoint. However, I'm unsure about the error description, which states that I might be missing or sending wrong parameters. I want to verify that I'm using the client library correctly before I escalate the issue towards GitLab.
This is my implementation (stripped to the bare minimum):
And the complete output I'm getting:
I'm using the latest version of openid-client, i.e. 3.14.1. The implicit flow works btw. Any obvious mistakes here?