wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Error while obtaining the service provider for client_id: #17529

Closed dushaniw closed 11 months ago

dushaniw commented 11 months ago

Describe the issue:

```
[2023-11-02 19:34:06,073] [136e328d-39ed-4d74-b2fb-9a4677e2651b] ERROR {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Error occurred while processing the request to validate the client authentication method.
org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnException: Error while obtaining the service provider for client_id: admin@carbon.super
    at org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService.executeClientAuthenticators(OAuthClientAuthnService.java:190)
    at org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService.authenticateClient(OAuthClientAuthnService.java:75)
    at org.wso2.carbon.identity.oauth.client.authn.filter.OAuthClientAuthenticatorProxy.handleMessage(OAuthClientAuthenticatorProxy.java:80)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
```

How to reproduce:

  1. Create an OAuth app
  2. Generate keys
  3. Obtain a token using the client_credentials grant
  4. Invoke the introspect endpoint with admin:admin basic auth credentials, passing the access token from step 3.
  5. The introspection response is received, but an error is printed in the carbon logs as above.

Observed the same in the server logs while running integration test OAuth2ServiceClientCredentialTestCase

Expected behavior: An error log should not be printed.


dushaniw commented 11 months ago

This is occurring for both application tokens and application user tokens (password grant)

janakamarasena commented 11 months ago

It seems the root cause is due to adding OAuthClientAuthenticatorProxy as an interceptor in [1]. As the interceptor is defined as an annotation in the required classes like [2], it is not required to add the interceptor in the cxf-servlet.xml

[1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/webapp/WEB-INF/cxf-servlet.xml#L42

[2] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/token/OAuth2TokenEndpoint.java#L81

ashanthamara commented 11 months ago

As @janakamarasena mentioned, in our current implementation we are using OAuthClientAuthenticatorProxy for all the OAuth2 endpoints through cxf-servlet.xml, and the same proxy at the class level as an annotation for the classes which require that PRE_INVOKE interceptor to validate the authentication information.

But removing that global interceptor from [1] didn't resolve the issue: the OAuthClientAuthenticatorProxy keeps getting invoked for the classes which do not have the @InInterceptor annotation.

This interceptor invocation mechanism is generated by apache.cxf, and a thorough analysis is required to identify the ambiguous behaviour.

This can be solved by defining separate servers for the endpoints which require proxy authentication and adding the OAuthClientAuthenticatorProxy interceptor only for those endpoints (such as /token, /revoke, /device_authorize, /ciba, /par). But this can lead to performance issues when utilizing the OAuth2 endpoints.

[1] - https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/webapp/WEB-INF/cxf-servlet.xml#L42
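
For triaging the log entry reported in this issue, the following is an added example (not part of the thread or the WSO2 code base): it parses carbon log text in the layout shown above and separates `OAuthClientAuthnException` entries whose `client_id` looks like a tenant-qualified user name, as in `admin@carbon.super`, from entries naming any other client_id. The `user@tenant-domain` heuristic, the function names and all sample lines except the first are assumptions made for illustration.

```python
import re
from collections import Counter

# Carbon log text: the first entry is the one quoted in this issue, the rest are constructed.
SAMPLE_LOG = """\
[2023-11-02 19:34:06,073] [136e328d-39ed-4d74-b2fb-9a4677e2651b] ERROR {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Error occurred while processing the request to validate the client authentication method. org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnException: Error while obtaining the service provider for client_id: admin@carbon.super
[2023-11-02 19:35:10,001] [00000000-0000-0000-0000-000000000001] ERROR {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Error occurred while processing the request to validate the client authentication method.
org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnException: Error while obtaining the service provider for client_id: admin@carbon.super
    at org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService.executeClientAuthenticators(OAuthClientAuthnService.java:190)
[2023-11-02 19:36:00,500] [00000000-0000-0000-0000-000000000002] ERROR {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Error occurred while processing the request to validate the client authentication method. org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnException: Error while obtaining the service provider for client_id: constructedClientId123
[2023-11-02 19:36:01,000] [] INFO {org.example.Constructed} - unrelated line
"""

# "[timestamp] [correlation-id] LEVEL {logger}" prefix of a carbon log entry.
HEADER = re.compile(
    r"^\[(?P<ts>[\d\- :,]+)\] \[(?P<corr>[0-9a-f\-]*)\] +(?P<level>[A-Z]+) +\{(?P<logger>[^}]+)\}"
)
CLIENT_ID = re.compile(
    r"Error while obtaining the service provider for client_id: (?P<cid>\S+)"
)
# Assumption: a value shaped like user@tenant-domain is a user name taken from
# Basic auth credentials, not a registered OAuth client_id.
USERNAME_LIKE = re.compile(r"^[^@\s]+@[A-Za-z0-9.\-]+$")


def triage(log_text):
    """Return one finding per client-authentication error, tagged by kind."""
    findings, header = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()  # the exception text may sit on a following line
        c = CLIENT_ID.search(line)
        if c and header and header["logger"].endswith("OAuthClientAuthnService"):
            cid = c.group("cid")
            kind = "username-as-client_id" if USERNAME_LIKE.match(cid) else "unknown-client_id"
            findings.append({"ts": header["ts"], "corr": header["corr"],
                             "client_id": cid, "kind": kind})
    return findings


def summarize(findings):
    """Count findings per (kind, client_id) so repeated noise stands out."""
    return Counter((f["kind"], f["client_id"]) for f in findings)
```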