Authorization Code Grant / Access Token Request: Sending a "client_id" and a basic auth header causes an INVALID_CLIENT error #129

Closed
jlaci opened this issue Oct 7, 2020 · 3 comments
Assignees
Labels
status: invalid An issue that we don't feel is valid

Comments

@jlaci

jlaci commented Oct 7, 2020

Describe the bug
The problem occurs in the Authorization Code Flow, when an authenticated client tries to exchange the auth code for an access token. If the client_id field in the request body is filled (along with the authorization header), it causes an INVALID_CLIENT error.

To Reproduce
Example client configuration:

```java
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

// Confidential client that authenticates at the token endpoint with HTTP Basic
// (client_id:client_secret) and uses the authorization code grant.
RegisteredClient frontendClient = RegisteredClient.withId("1138c5af-fd56-4a58-8c8f-769c2e327433")
        .clientId("my-awesome-client")
        .clientSecret("ca8831eb-e504-46f1-a514-8be84ba892ed")
        .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
        .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
        .redirectUri("http://localhost:8080/swagger-ui/oauth2-redirect.html")
        .build();
```

Execute the flow normally:

  1. Initiate the login
  2. Submit the form
  3. Exchange the auth code with a basic auth header of the client_id and secret and the request body containing the following parameters:

grant_type: authorization_code
code: the auth code
redirect_uri: http://localhost:8080/swagger-ui/oauth2-redirect.html
client_id: my-awesome-client

Expected behavior
The specification (https://tools.ietf.org/html/rfc6749#section-4.1.3) states that the field is only required if the client is not authenticated otherwise, but does not state that sending it anyway for authenticated clients should cause an error.

Some tools like springfox/swagger-ui send the client_id anyway, which causes problems when integrating them.

@jlaci jlaci added the type: bug A general bug label Oct 7, 2020
@lizhongyue248

Please see #120.

@vincent-hsin

vincent-hsin commented Oct 12, 2020

Please pull the latest commit. It seems like it has been solved in commit ab09044.

vincent-hsin added a commit to vincent-hsin/spring-authorization-server that referenced this issue Oct 12, 2020
@jgrandja
Collaborator

@jlaci

If the client_id field in the request body is filled (along with the authorization header) it causes an INVALID_CLIENT error

This is the expected behaviour. If the client credentials are included in the Authorization header and the client_id is also included in the body then this is an invalid request. The client should not attempt to authenticate itself using multiple authentication schemes. Only one authentication scheme should be used, otherwise the request will be rejected.

As @vincent-hsin mentioned, the commit ab09044 will ignore the client_id parameter if the client is authenticating using HTTP Basic.

@jgrandja jgrandja self-assigned this Oct 15, 2020
@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Oct 15, 2020
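The token-endpoint rule jgrandja describes, written out as an added Python example (not code from Spring Authorization Server): credentials in both the Authorization header and the body count as two authentication methods and are rejected with invalid_client, while a bare client_id in the body is ignored when the client authenticates with HTTP Basic. The registry holds the client_id and secret from the report; the function names and the form-encoding helper are mine.

```python
import base64
import hmac
from urllib.parse import quote, unquote

# Constructed sample registry: the client_id and secret from the report.
REGISTERED_CLIENTS = {"my-awesome-client": "ca8831eb-e504-46f1-a514-8be84ba892ed"}

class TokenRequestError(Exception):
    """Token-endpoint failure; .code is an RFC 6749 section 5.2 error code."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code

def basic_header(client_id, secret):
    """Build the header per RFC 6749 2.3.1: form-urlencode each part, join with ':', base64."""
    raw = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def parse_basic(authorization):
    """Return (client_id, secret) from an HTTP Basic header, or None if absent."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode()
        client_id, secret = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        raise TokenRequestError("invalid_client")  # malformed credentials
    return unquote(client_id), unquote(secret)

def authenticate_client(authorization, form):
    """Authenticate a confidential client at the token endpoint; return its client_id."""
    basic = parse_basic(authorization)
    body_secret = form.get("client_secret")
    if basic and body_secret is not None:
        # Credentials in both header and body: two authentication methods, rejected.
        raise TokenRequestError("invalid_client")
    if basic:
        # HTTP Basic wins; a bare client_id in the body is ignored (the behaviour
        # jgrandja attributes to commit ab09044), not treated as a second scheme.
        client_id, secret = basic
    elif body_secret is not None and form.get("client_id"):
        client_id, secret = form["client_id"], body_secret
    else:
        raise TokenRequestError("invalid_client")  # confidential client not authenticated
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, secret):
        raise TokenRequestError("invalid_client")
    return client_id
```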