zamzterz/Flask-pyoidc

Shibboleth IDP with OIDC plugin says "Unrecognized client"


Hi, a very simple Flask-pyoidc client here, connected to a Shibboleth OIDC IdP (Shibboleth with OIDC plugin).
The auth decorator works and redirects to the login page, but then, after login, we always get:

Something went wrong with the authentication, please try to login again.

Is it related to this post?

The problem was, in fact, that they weren't including the HTTP authentication header to do HTTP basic auth. They added this, and it fixed the problem. Thanks for the post endpoint information, though. That could come in handy in the future.

Thanks for your help. Have a nice day.

In the logs of the IdP:

2020-11-23 14:38:19,281 - 212.47.237.47 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:203] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication com.nimbusds.oauth2.sdk.auth.ClientSecretBasic@15d10d97 for client_secret_post

My code (I checked every var in capital letters):

from flask_pyoidc import OIDCAuthentication
from flask_pyoidc.provider_configuration import ClientMetadata, ProviderConfiguration, ProviderMetadata

# app is the Flask application, with the OIDC_* settings loaded into app.config

# Static provider metadata (unused below: discovery via the issuer is used instead)
pmd = ProviderMetadata(
    issuer=app.config['OIDC_ISSUER'],
    authorization_endpoint=app.config['OIDC_AUTH_URI'],
    token_endpoint=app.config['OIDC_TOKEN_URI'],
    userinfo_endpoint=app.config['OIDC_USERINFO_URI']
)

pc = ProviderConfiguration(
    issuer=app.config['OIDC_ISSUER'],
    # provider_metadata=pmd,
    userinfo_http_method=app.config['OIDC_USERINFO_HTTP_METHOD'],
    # Client credentials; no token_endpoint_auth_method given, so the default applies
    client_metadata=ClientMetadata(
        client_id=app.config['OIDC_CLIENT_ID'],
        client_secret=app.config['OIDC_CLIENT_SECRET']
    ),
    auth_request_params={
        'scope': app.config['OIDC_SCOPES']
    }
)

auth = OIDCAuthentication({'default': pc}, app)

Hello! 👋

From the IdP log message it looks like it's expecting client_secret_post authentication, while this extension defaults to using client_secret_basic (as per OIDC spec).

To fix this you should configure the client authentication method using token_endpoint_auth_method in the ClientMetadata:

ClientMetadata(<client id>, <client secret>, token_endpoint_auth_method='client_secret_post')
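To make the mismatch in the log line concrete, here is an added example (not Flask-pyoidc or Shibboleth code) that builds the token-endpoint request both ways and mirrors the IdP's check: credentials arriving as an HTTP Basic header (client_secret_basic) are rejected when the client is registered for client_secret_post. Client id, secret, code and redirect URI are constructed sample values.

```python
import base64
from urllib.parse import parse_qsl, quote, urlencode

# Constructed sample values; not real credentials.
CLIENT_ID = "my-client"
CLIENT_SECRET = "s3cret"


def build_token_request(client_id, client_secret, code, redirect_uri, method):
    """Return (headers, form_body) for an authorization-code token request
    using the given client authentication method (RFC 6749 section 2.3.1)."""
    form = {"grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # Flask-pyoidc's default: id and secret are form-urlencoded, joined
        # with ':' and sent as an HTTP Basic Authorization header.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(
            creds.encode("ascii")).decode("ascii")
    elif method == "client_secret_post":
        # What the IdP in this issue expects: credentials in the form body.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client auth method: {method}")
    return headers, urlencode(form)


def detect_auth_method(headers, body):
    """Classify an incoming token request the way the IdP would."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if "client_secret" in dict(parse_qsl(body)):
        return "client_secret_post"
    return "none"


def check_registration(headers, body, registered_method):
    """Mirror the IdP check: accept only the method registered for the
    client. Returns (accepted, method_actually_used)."""
    used = detect_auth_method(headers, body)
    return used == registered_method, used


if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        hdrs, body = build_token_request(CLIENT_ID, CLIENT_SECRET, "abc123",
                                         "https://app.example/redirect", method)
        ok, used = check_registration(hdrs, body, "client_secret_post")
        print(f"client used {used}: {'accepted' if ok else 'Unrecognized client authentication'}")
```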