Identity Server 3 compatibility test #28

Closed
tienw opened this issue Feb 5, 2018 · 15 comments

Comments

@tienw

tienw commented Feb 5, 2018

Hi All,

Thanks for guiding me in my previous post; I was able to configure it successfully and run this package on React Native. Here is the new issue I am facing.

After I click the sign in button, the identity server login page pops up in the webview, but it shows "The client application is not known or is not authorized", so I copied the URL and pasted it into the browser to see if all the query parameters are correct. Then I found that the "response type" is "code"; once I switch it to "token code", it works. But how can I do that in this module? I tried to go through the documentation here but I could not find any way to change the response type. Any suggestion?

Thank you in advance.

@kadikraman
Contributor

kadikraman commented Feb 6, 2018

AppAuth only supports the code response type and there are no plans to support hybrid flows.

Hybrid (and implicit) negate the PKCE protection required by RFC 8252 so it's generally not recommended for native apps.

Relevant discussion: openid/AppAuth-iOS#98

So I think this can probably be fixed with configuring the IdentityServer client and changing the Flow. Possibly AuthorizationCode or AuthorizationCodeWithProofKey (which I think is the flow that supports PKCE)?

@sattaman
Contributor

sattaman commented Feb 6, 2018

I'm also wondering if ID Server 3 is supported. Using ID Server 3, I've got it redirecting back to the app, but getting

authorize error Error: invalid_client

with the following in the logs

2018-01-31 15:23:37.0259 Info Authorize request validation success
{
  "ClientId": "stg-myapp",
  "ClientName": "Staging myapp API",
  "RedirectUri": "com.myapp:/oauthredirect",
  "AllowedRedirectUris": [
    "com.myapp:/oauthredirect"
  ],
  "SubjectId": "10159153140850220",
  "ResponseType": "code",
  "ResponseMode": "query",
  "Flow": "AuthorizationCode",
  "RequestedScopes": "openid offline_access",
  "State": "TarsXZ2D2a6uN4fa49lDX-jz0EdacfnNwfEETtCE87s",
  "SessionId": "ad5ed3168b437f3ba40cf442a63abaa8",
  "Raw": {
    "response_type": "code",
    "code_challenge_method": "S256",
    "scope": "openid offline_access",
    "code_challenge": "ux9pt0-2R8GhvRU5FFS0JF6qBqxuLGlsOO25Mj5HybA",
    "redirect_uri": "com.myapp:/oauthredirect",
    "client_id": "stg-myapp",
    "state": "TarsXZ2D2a6uN4fa49lDX-jz0EdacfnNwfEETtCE87s"
  }
} Thread= Session= App= Org= User=

2018-01-31 15:23:37.0415 Info Creating Authorization Code Flow response. Thread= Session= App= Org= User=

2018-01-31 15:23:37.0415 Info End authorize request Thread= Session= App= Org= User=

2018-01-31 15:23:37.0572 Info Redirecting to: com.myapp:/oauthredirect Thread= Session= App= Org= User=

2018-01-31 15:23:37.0884 Info Start token request Thread= Session= App= Org= User=

2018-01-31 15:23:37.1197 Info Parser found no secret Thread= Session= App= Org= User=

2018-01-31 15:23:37.1197 Info No client secret found Thread= Session= App= Org= User=

2018-01-31 15:23:37.1197 Info End token request Thread= Session= App= Org= User=

2018-01-31 15:23:37.1197 Info Returning error: invalid_client Thread= Session= App= Org= User=

I have tried with the AuthorizationCode and, just now, the AuthorizationCodeWithProofKey flows.

I noticed that when signing out on ID server 4 it sends the client id on revoke, and was wondering whether ID Server 3 could have additional quirks?

With ID Server 4 it works fine. I'm very interested if you are able to get it working with ID Server 3.

@kadikraman
Contributor

@sattaman are you testing on iOS or Android?

@sattaman
Contributor

sattaman commented Feb 6, 2018

@kadikraman iOS currently

@tienw
Author

tienw commented Feb 6, 2018

So here is the update after some tries.

I changed the flow to "AuthorizationCode" in the Id3 configuration and finally I can see the login page provided by Id3 after the login button is clicked. However, when I entered the username and password and clicked login, the first click did not do anything; I had to click it a second time, and it showed the following error message:

"There is an error determining which application you are signing into. Return to the application and try again". It looks like Id3 does not recognize the returnUrl I passed over.

I know this is not directly an issue with this module, but any help would be appreciated.

Here is my settings

const appAuth = new AppAuth({
  issuer: 'https://auth.****.com',
  clientId: 'mobile',
  redirectUrl: 'com.****:/oauthredirect'
});

I also have the redirectUris entry com.****:/oauthredirect in the Id3 configuration.

Let me know if I am doing anything wrong here. Thanks.

@sattaman
Contributor

sattaman commented Feb 7, 2018

I've created an ID Server 3 demo deployment at https://site20180207034230.azurewebsites.net/ and I'm still getting the same error: authorize error Error: invalid_client

ID Server is configured as follows:


public class Clients
{
    public static List<Client> Get()
    {
        return new List<Client>
        {
            new Client
            {
                ClientName = "Native Client (Code Flow with PKCE)",
                ClientId = "native.code",

                Flow = Flows.AuthorizationCodeWithProofKey,
                RedirectUris = new List<string>
                {
                    "com.myapp:/oauthredirect",
                },

                ClientSecrets = new List<Secret>
                {
                    new Secret("secret".Sha256())
                },

                AllowAccessToAllScopes = true
            }
        };
    }
}

Using:

const auth = new AppAuth({
  issuer: 'https://site20180207034230.azurewebsites.net',
  clientId: 'native.code',
  // registered redirect for this client (see the RedirectUris entry above)
  redirectUrl: 'com.myapp:/oauthredirect'
});

const scopes = ['openid', 'offline_access'];

auth.authorize(scopes);

where the redirect is com.myapp:/oauthredirect.

Feel free to test against the above; I'll leave it up for the next couple of weeks.

@brockallen

Check the IdentityServer logs to understand why you're getting the invalid client error. There must be some misconfiguration.

@kadikraman
Contributor

kadikraman commented Feb 7, 2018

@sattaman thanks so much for setting up the Azure website. I tried to run one of the IS3 demos locally before, but I'm not a .NET pro and I'm on a Mac, so it was pretty tricky; this is much appreciated 👍

I can reproduce your error on both iOS and Android and the error is happening when trying to exchange the code for a JWT.

According to the spec, invalid_client means:

Client authentication failed (e.g., unknown client, no
client authentication included, or unsupported
authentication method).  The authorization server MAY
return an HTTP 401 (Unauthorized) status code to indicate
which HTTP authentication schemes are supported.  If the
client attempted to authenticate via the "Authorization"
request header field, the authorization server MUST
respond with an HTTP 401 (Unauthorized) status code and
include the "WWW-Authenticate" response header field
matching the authentication scheme used by the client. 

Are the error logs you posted from above still valid?

2018-01-31 15:23:37.0884 Info Start token request Thread= Session= App= Org= User=
2018-01-31 15:23:37.1197 Info Parser found no secret Thread= Session= App= Org= User=
2018-01-31 15:23:37.1197 Info No client secret found Thread= Session= App= Org= User=
2018-01-31 15:23:37.1197 Info End token request Thread= Session= App= Org= User=
2018-01-31 15:23:37.1197 Info Returning error: invalid_client Thread= Session= App= Org= User=

@tienw
Author

tienw commented Feb 7, 2018

@sattaman

After I switched from AuthorizationCodeWithProofKey to AuthorizationCode in the Id3 configuration,

the invalid client error went away. But now I am having an issue returning the token to the mobile app after signing in...

@sattaman
Contributor

sattaman commented Feb 8, 2018

These are the logs from Azure using the out-of-the-box setup:

Showing consent screen
Start token request
Start parsing Basic Authentication secret
Creating Authorization Code Flow response.
Start authorize request protocol validation
X.509 certificate not found.
Adding client "native.code" to client list cookie for subject "88421113"
Resuming from consent, restarting validation
No secret in post body found
Authorize request validation success
{
  "ClientId": "native.code",
  "ClientName": "Native Client (Code Flow with PKCE)",
  "RedirectUri": "com.myapp:/oauthredirect",
  "AllowedRedirectUris": [
    "com.myapp:/oauthredirect"
  ],
  "SubjectId": "88421113",
  "ResponseType": "code",
  "ResponseMode": "query",
  "Flow": "AuthorizationCodeWithProofKey",
  "RequestedScopes": "openid offline_access",
  "State": "cplNgFr-77LyHqqClDLFOLkx_kRSn3b00E27bEYw95w",
  "SessionId": "18b60951e585241650e644115ac33124",
  "CodeChallengeMethod": "S256",
  "Raw": {
    "response_type": "code",
    "code_challenge_method": "S256",
    "scope": "openid offline_access",
    "code_challenge": "RwPYiNZQF7OmmV9v7YGU6ZtoNNEWqIzy3_vOCF3DRtU",
    "redirect_uri": "com.myapp:/oauthredirect",
    "client_id": "native.code",
    "state": "cplNgFr-77LyHqqClDLFOLkx_kRSn3b00E27bEYw95w"
  }
}
Redirecting to: com.myapp:/oauthredirect
Start parsing for X.509 certificate
Start parsing for secret in post body
Start client validation
No client secret found
Returning error: invalid_client
Parser found no secret
End token request

There is a client for using AuthorizationCode on the demo ID Server instance, with client id 'code'. I've tried it and I'm getting the same error with that too. Logs for that are here: https://pastebin.com/nSCmCJPj

@kadikraman
Contributor

Oh, interesting, so clearly it's not getting the client secret. Just looking at the IS4 example setup for the parent library, they have set

RequireClientSecret = false

Is there a way to do the same on IS3 perhaps?

@sattaman
Contributor

sattaman commented Feb 8, 2018

Nice spot. I've found the following PR IdentityServer/IdentityServer3#3653

@kadikraman
Contributor

Looks like it never got merged 😢

It certainly makes sense now. We never implemented the auth request with client secrets, because IS4 and Google (the services we authenticated against) don't require them, and you can't really hide secrets in a mobile app anyway, as they have to be shipped with the bundle, so it's not really "secret".

The parent libraries do provide that option though, e.g. here, so we could certainly wrap it.

@sattaman
Contributor

sattaman commented Feb 8, 2018

Also this: IdentityServer/IdentityServer3#2688

Yes. IdentityServer simply always requires a client secret. Google works the same way, IIRC.

When I code native clients I use the value "not_a_secret" for the secret.

Ok sounds good :)

@kadikraman
Contributor

@tienw @sattaman we've just published a new version, v2.2.0, that allows optionally passing in a client secret and thus supports IdentityServer 3.

We tested it against the example you uploaded @sattaman and it works. Instructions here. Thanks so much for your help on this 😊
