Oidcc.create_redirect_url/4 returning "invalid_request" "Authentication failed."

[GPrimola]

oidcc version

3.2.4

Erlang version

27.1

Elixir version

1.17.3-otp-27

Summary

After creating a realm and a client, I keep getting

{:error,
 {:http_error, 401,
  %{
    "error" => "invalid_request",
    "error_description" => "Authentication failed."
  }}}

when running Oidcc.create_redirect_url(MyApp.OpenIdConfigurationProvider, "test1", client_secret, %{redirect_uri: "http://localhost:8080/oidc/callback"}).

The openid-configuration is being retrieved successfully.

OpenId Provider: Keycloak 22.0.5

Current behavior

Calling Oidcc.create_redirect_url/4 with a valid client yields:

{:error,
 {:http_error, 401,
  %{
    "error" => "invalid_request",
    "error_description" => "Authentication failed."
  }}}

How to reproduce

On Keycloak 22.0.5

1. Create a realm
2. Create a client with:
   • Client Authentication: On
   • Authorization: On
   • Authentication Flow: Standard, Implicit and Direct access grants (all checked)
3. Call Oidcc.create_redirect_url/4 with the client created will yield:

{:error,
 {:http_error, 401,
  %{
    "error" => "invalid_request",
    "error_description" => "Authentication failed."
  }}}

Expected behavior

Calling Oidcc.create_redirect_url/4 with a valid client:

{:ok, redirect_url} = Oidcc.create_redirect_url(MyApp.OpenIdConfigurationProvider, "test1", client_secret, %{redirect_uri: "http://localhost:8080/oidc/callback"})

[maennchen]

@GPrimola Thanks for the report.

Can you please put the full oidcc version into the description? THis makes it simpler to find the issue.

Given the specific error / location, I believe that this is happening when attempting to execute PAR

It looks like Keycloak is responding with 401 on that PAR request. That hints, that you have either provided the wrong credentials or configured something else wrong in Keycloak / oidcc.

oidcc supports the following auth methods for requests to the provider (ordered by priority):

• private_key_jwt - you would have to configure this, so not relevant here
• tls_client_auth - you would have to configure this, so not relevant here
• client_secret_jwt - depends on the provided client credentials; most likely used
• client_secret_post - depends on the provided client credentials
• client_secret_basic - depends on the provided client credentials
• none - If nothing else is available

If the error was a different 4XX error like Bad Reuest (400), it would be likely that this is a bug. A 401 however hints at a configuration error like an invalid client secret.

One issue I've seen with multiple identity providers is incorrect encoding of the client secret. Can you check if your secret contains special characters like / or spaces?

[maennchen]

@GPrimola The request contain the client assertion. That is a safer way of handling auth than just sending the secret.

oidcc should only use assertions instead of the secret if the provider signals support.

Can you send me the openid introspection? (You can redact the URLs, I’m interested in the authentication parts of it.)

[maennchen]

(FYI: The related RFC mentions exactly the described fields you observed: https://datatracker.ietf.org/doc/html/rfc9126#section-2.1)

[GPrimola]

Absolutely!

request:

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00iLCJraWQiOiJnRUh0cXlBRFkzQm4weGlZX2pmQkVUZWtsVjJUVW5VcXR2X0hVYm1Tamk4In0.LH0iioHic7PtHrs6xmeAhTy_50cVERgD7o7YeGCDqCnFC4A3NBGX1WxdVowUtHKQOlEZGv0ptLiA9SysxErKwuqXLiOnsw522QGL_7u_6xV4J10aQSRa4c-p--QRP7zxPHkeOgqxpjsZ8qZEwCRU6hby_luKorI3EOgC7IL1_yWEb57MvZtt7qFuipfbVm54DXsTgxF02PKgXP7kfkcn-aOXdpqwY_sp3zQwBkB6p-poV0wqIMUdI0UZHtXuIlWDVB64RrKksiq9_vbDDE_jZpiN-y1fHtlfdvXzp3l97wketpHZniQ2-Zm51C57Y9romYQak51RWozfdBHwDGUWXA.8Ep6w1ltzRBuQ3y0.H8gc_b6jcxfouudh6S-5jwRHy2uFDJq1xnS9Ba5UQR2ED0vxjHVhrhohHT4dOOS5S7JBfJR8ogY5zANgpCXwZ3kef-XTLKiFfWvXlliAWgpFjqBQ8aJ0FcZbbX6R7C8SMe_oaoFLdeCG2h3AxdoxzCf9G-9HJK2uB0IZlvmguLGSW99QoxQfCpa04HyStfXXzjlOzQrqs37bYsDJoPOCpx_u7S_h4Su7KVhw1WINTrvySaN1UPsUooDD_ysQG5ChqESubRauFqcfmbtEDG5I2YqIHefSb3DIpkqIsVNBppcHrRDsg5AiS55cHuhK6aO_1mHc-_og0C7ofRqfknJTaId3gXFVHWFlb0uPabCSrNq-w5q6HrnFKq1N04Lbfg--fgJGOOU2B-KJOlTPF1Jw0BreM9iXrgaK2HOggONfcwEAi4Wvm76cHBYCEL9euLICjr7J7d-UMSaTFDYi0sD292tE984N-RY62iE0tFuMSLrRw79KzVLw7dLa0v3xpapBMsEGvcUSj7X6QwEbcmV3nyZvoA.dw4SeJJ1WFmOE1l28iN30w

client_assertion:

eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJodHRwOi8vMTkyLjE2OC42NC4xOjgwODAvcmVhbG1zL3JlYWxtX3Rlc3QiLCJleHAiOjE3MzAzMDM4MjgsImlhdCI6MTczMDMwMzc5OCwiaXNzIjoidGVzdDEiLCJqdGkiOiJXOFNqTk9rUW5hamNtbVBYVzU3NXZjLVZXYUZJMjI4RmpqZDhxTm1BZWpJIiwibmJmIjoxNzMwMzAzNzk4LCJzdWIiOiJ0ZXN0MSJ9.VPLsdMubn6IGzmAZWb9GWmqkt2bxYgpJUO8rhW53-C4

client_assertion_type:

urn:ietf:params:oauth:client-assertion-type:jwt-bearer

openid-configuration:

%Oidcc.ProviderConfiguration{
  issuer: "http://192.168.64.1:8080/realms/realm_test",
  authorization_endpoint: "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/auth",
  token_endpoint: "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/token",
  userinfo_endpoint: "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/userinfo",
  jwks_uri: "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/certs",
  registration_endpoint: "http://192.168.64.1:8080/realms/realm_test/clients-registrations/openid-connect",
  scopes_supported: ["openid", "address", "email", "phone", "microprofile-jwt",
   "web-origins", "acr", "offline_access", "profile", "roles"],
  response_types_supported: ["code", "none", "id_token", "token",
   "id_token token", "code id_token", "code token", "code id_token token"],
  response_modes_supported: ["query", "fragment", "form_post", "query.jwt",
   "fragment.jwt", "form_post.jwt", "jwt"],
  grant_types_supported: ["authorization_code", "implicit", "refresh_token",
   "password", "client_credentials",
   "urn:ietf:params:oauth:grant-type:device_code",
   "urn:openid:params:grant-type:ciba"],
  acr_values_supported: ["0", "1"],
  subject_types_supported: [:public, :pairwise],
  id_token_signing_alg_values_supported: ["PS384", "ES384", "RS384", "HS256",
   "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  id_token_encryption_alg_values_supported: ["RSA-OAEP", "RSA-OAEP-256",
   "RSA1_5"],
  id_token_encryption_enc_values_supported: ["A256GCM", "A192GCM", "A128GCM",
   "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
  userinfo_signing_alg_values_supported: ["PS384", "ES384", "RS384", "HS256",
   "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512",
   "none"],
  userinfo_encryption_alg_values_supported: ["RSA-OAEP", "RSA-OAEP-256",
   "RSA1_5"],
  userinfo_encryption_enc_values_supported: ["A256GCM", "A192GCM", "A128GCM",
   "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
  request_object_signing_alg_values_supported: ["PS384", "ES384", "RS384",
   "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512",
   "RS512", "none"],
  request_object_encryption_alg_values_supported: ["RSA-OAEP", "RSA-OAEP-256",
   "RSA1_5"],
  request_object_encryption_enc_values_supported: ["A256GCM", "A192GCM",
   "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
  token_endpoint_auth_methods_supported: ["private_key_jwt",
   "client_secret_basic", "client_secret_post", "tls_client_auth",
   "client_secret_jwt"],
  token_endpoint_auth_signing_alg_values_supported: ["PS384", "ES384", "RS384",
   "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512",
   "RS512"],
  display_values_supported: :undefined,
  claim_types_supported: [:normal],
  claims_supported: ["aud", "sub", "iss", "auth_time", "name", "given_name",
   "family_name", "preferred_username", "email", "acr"],
  service_documentation: :undefined,
  claims_locales_supported: :undefined,
  ui_locales_supported: :undefined,
  claims_parameter_supported: true,
  request_parameter_supported: true,
  request_uri_parameter_supported: true,
  require_request_uri_registration: true,
  op_policy_uri: :undefined,
  op_tos_uri: :undefined,
  revocation_endpoint: "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/revoke",
  revocation_endpoint_auth_methods_supported: ["private_key_jwt",
   "client_secret_basic", "client_secret_post", "tls_client_auth",
   "client_secret_jwt"],
  revocation_endpoint_auth_signing_alg_values_supported: ["PS384", "ES384",
   "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256",
   "PS512", "RS512"],
  introspection_endpoint: "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/token/introspect",
  introspection_endpoint_auth_methods_supported: ["private_key_jwt",
   "client_secret_basic", "client_secret_post", "tls_client_auth",
   "client_secret_jwt"],
  introspection_endpoint_auth_signing_alg_values_supported: ["PS384", "ES384",
   "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256",
   "PS512", "RS512"],
  code_challenge_methods_supported: ["plain", "S256"],
  end_session_endpoint: "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/logout",
  require_pushed_authorization_requests: false,
  pushed_authorization_request_endpoint: "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/ext/par/request",
  authorization_signing_alg_values_supported: ["PS384", "ES384", "RS384",
   "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512",
   "RS512"],
  authorization_encryption_alg_values_supported: ["RSA-OAEP", "RSA-OAEP-256",
   "RSA1_5"],
  authorization_encryption_enc_values_supported: ["A256GCM", "A192GCM",
   "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
  authorization_response_iss_parameter_supported: false,
  dpop_signing_alg_values_supported: :undefined,
  require_signed_request_object: false,
  mtls_endpoint_aliases: %{
    "backchannel_authentication_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/ext/ciba/auth",
    "device_authorization_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/auth/device",
    "introspection_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/token/introspect",
    "pushed_authorization_request_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/ext/par/request",
    "registration_endpoint" => "http://192.168.64.1:8080/realms/realm_test/clients-registrations/openid-connect",
    "revocation_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/revoke",
    "token_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/token",
    "userinfo_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/userinfo"
  },
  tls_client_certificate_bound_access_tokens: true,
  extra_fields: %{
    "backchannel_authentication_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/ext/ciba/auth",
    "backchannel_authentication_request_signing_alg_values_supported" => ["PS384",
     "ES384", "RS384", "ES256", "RS256", "ES512", "PS256", "PS512", "RS512"],
    "backchannel_logout_session_supported" => true,
    "backchannel_logout_supported" => true,
    "backchannel_token_delivery_modes_supported" => ["poll", "ping"],
    "check_session_iframe" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/login-status-iframe.html",
    "device_authorization_endpoint" => "http://192.168.64.1:8080/realms/realm_test/protocol/openid-connect/auth/device",
    "frontchannel_logout_session_supported" => true,
    "frontchannel_logout_supported" => true
  }
}

[maennchen]

Based on this (can't check if the secret is correct, I'll just take your word for it), I believe Keycloak is not specification compliant.

https://www.ietf.org/archive/id/draft-ietf-oauth-par-03.html#name-pushed-authorization-reques

The rules for client authentication as defined in [RFC6749] for token endpoint requests, including the applicable authentication methods, apply for the pushed authorization request endpoint as well. If applicable, the token_endpoint_auth_method client metadata parameter indicates the registered authentication method for the client to use when making direct requests to the authorization server, including requests to the pushed authorization request endpoint.

The relevant configuration you provided includes client_secret_jwt:

  token_endpoint_auth_methods_supported: ["private_key_jwt",
   "client_secret_basic", "client_secret_post", "tls_client_auth",
   "client_secret_jwt"]

client_secret_jwt (https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication):

The authentication token MUST be sent as the value of the [OAuth.Assertions] client_assertion parameter.
The value of the [OAuth.Assertions] client_assertion_type parameter MUST be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", per [OAuth.JWT].

Based on this, I would take the following steps:

• Report an Issue to Keycloak. client_secret_jwt must be supported by PAR if it is supported by the token endpoint.
• Implement a workaround:
  • You can use the provider_configuration_opts / quirks / document_overrides to change the introspection document
  • This will influence oidcc to behave differently
  • You can do any of those two:
    • Disable PAR by setting pushed_authorization_request_endpoint to null
    • Or change the token_endpoint_auth_methods_supported to not include client_secret_jwt (will fall back to the next best thing)
  • I personally would probably stick with client_secret_jwt and disable PAR until this is resolved

[GPrimola]

@maennchen thanks for the reply.

I can assure you the client_secret is 100% correct, as I've validated the pair client_id/secret with the /token endpoint successfully!

I tried to do the workaround you proposed, however:

1. When Disable PAR by setting pushed_authorization_request_endpoint to null I got this error on ProviderConfiguration.Worker startup:

11:45:23.058 [error] Child Oidcc.ProviderConfiguration.Worker of Supervisor Pls.Supervisor terminated
** (exit) {:configuration_load_failed, {:invalid_config_property, {:uri, :pushed_authorization_request_endpoint}}}
Pid: #PID<0.957.0>
Start Call: Oidcc.ProviderConfiguration.Worker.start_link(%{name: Pls.OpenIdConfigurationProvider, issuer: "http://192.168.64.1:8080/realms/realm_test", provider_configuration_opts: %{quirks: %{allow_unsafe_http: true, document_overrides: %{"pushed_authorization_request_endpoint" => nil}}}})

2. When I set pushed_authorization_request_endpoint to "" (empty string), I got this on Oidcc.create_redirect_url/4

{:error, {:no_scheme}}

[maennchen]

Oh, there’s no current value to override something to nil. In that case override the auth methods.

I shoud probably have a look at that though so that it is possible.