Tags: oauth, openid, identityserver3, appauth

Authorization Code with Proof Key token request results in invalid client response


I'm currently evaluating AppAuth (https://appauth.io/) for use in a native mobile app together with an STS which currently uses IdentityServer3. I've configured a client like this:

new IdentityServer3.Core.Models.Client
{
    Enabled = true,
    ClientId = "app",
    ClientName = "app",
    ClientUri = "app:/",
    Flow = Flows.AuthorizationCodeWithProofKey,   // authorization code flow with PKCE
    RequireConsent = false,
    RequireSignOutPrompt = false,
    SlidingRefreshTokenLifetime = 28800,
    AllowAccessTokensViaBrowser = true,

    RedirectUris = new List<string>
    {
        "app:/signin"
    },
    PostLogoutRedirectUris = new List<string>
    {
        "app:/signout"
    },
    AllowedScopes = new List<string>
    {
        // StandardScopes.X is a Scope object; .Name is its string name
        StandardScopes.OpenId.Name,
        StandardScopes.Email.Name,
        StandardScopes.Profile.Name,
        StandardScopes.Roles.Name,
        StandardScopes.OfflineAccess.Name,
    }
}

The initial authorize request succeeds and IdentityServer3 returns an authorization code. Now I tried a subsequent token request, and this results in an HTTP 400 with an invalid_client error and the following messages in the IdentityServer3 log:

2018-04-17 10:16:38.324 +02:00 [Information] Start token request
2018-04-17 10:16:38.324 +02:00 [Debug] Start client validation
2018-04-17 10:16:38.324 +02:00 [Debug] Start parsing Basic Authentication secret
2018-04-17 10:16:38.324 +02:00 [Debug] Start parsing for secret in post body
2018-04-17 10:16:38.324 +02:00 [Debug] No secret in post body found
2018-04-17 10:16:38.324 +02:00 [Debug] Start parsing for X.509 certificate
2018-04-17 10:16:38.324 +02:00 [Debug] X.509 certificate not found.
2018-04-17 10:16:38.324 +02:00 [Information] Parser found no secret
2018-04-17 10:16:38.324 +02:00 [Information] No client secret found
2018-04-17 10:16:38.324 +02:00 [Information] End token request
2018-04-17 10:16:38.324 +02:00 [Information] Returning error: invalid_client

Am I misunderstanding something, or why doesn't IdentityServer3 return an access token?


Solution

  • You need to authenticate the client in the token request for the Authorization Code flow. So you need to set ClientSecrets for your client.

    using IdentityServer3.Core;          // for the Sha256() string extension
    using IdentityServer3.Core.Models;   // Client, Secret

    new IdentityServer3.Core.Models.Client
    {
        // ... your other properties

        ClientSecrets = new List<Secret>
        {
            new Secret("secret".Sha256())  // store the hash, not the plain secret
        }
    }
    

    And you need to send client_secret as a query string in your token request.

    Or you can use Basic authentication. In this case you need to add Base64(ClientId:ClientSecret) in the authentication header.
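Worked example of the exchange, added here as illustration; it is not code from the question or the answer, nor AppAuth's or IdentityServer3's own code. It builds the PKCE verifier/challenge pair, the parameters for the authorize request, and the token request in both forms the answer names (client_secret_post, with the secret in the form body, and client_secret_basic, with Base64(client_id:client_secret) in an Authorization header), and it includes a toy model of the server-side checks in the order the log above shows: Basic header first, then the form body, and with neither present the request fails as invalid_client before the PKCE verifier is ever looked at. The token endpoint URL is an assumption; client id "app", secret "secret" and redirect URI "app:/signin" are the values on this page. The validate function is a simplification for demonstration, not IdentityServer3's real validator.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Values from the page. The endpoint URL is an assumption (IdentityServer3 serves
# the token endpoint at <base>/connect/token; the base path is deployment-specific).
TOKEN_ENDPOINT = "https://sts.example.com/identity/connect/token"
CLIENT_ID = "app"
CLIENT_SECRET = "secret"
REDIRECT_URI = "app:/signin"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorize_params(challenge: str, state: str) -> dict[str, str]:
    """Query parameters for the authorize request that starts the flow (challenge goes here)."""
    return {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email roles offline_access",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }


def token_request(code: str, verifier: str, auth: str = "post") -> tuple[dict[str, str], dict[str, str]]:
    """Headers and form fields for the token request.

    auth="post"  -> client_secret_post: client_secret travels in the form body
    auth="basic" -> client_secret_basic: Authorization: Basic base64(client_id:client_secret)
    auth="none"  -> no client authentication, i.e. what the question's request did
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,  # the verifier goes here, the challenge went to /authorize
        "client_id": CLIENT_ID,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth == "post":
        body["client_secret"] = CLIENT_SECRET
    elif auth == "basic":
        creds = f"{CLIENT_ID}:{CLIENT_SECRET}".encode("ascii")
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode("ascii")
    elif auth != "none":
        raise ValueError(f"unknown client authentication method: {auth}")
    return headers, body


def form_body(body: dict[str, str]) -> str:
    """The request body is application/x-www-form-urlencoded, not a query string on the URL."""
    return urlencode(body)


def sha256_secret(secret: str) -> str:
    """What Secret("secret".Sha256()) stores: standard base64 of the SHA-256 of the UTF-8 secret."""
    return base64.b64encode(hashlib.sha256(secret.encode("utf-8")).digest()).decode("ascii")


def validate_token_request(headers, body, stored_secret_hash, stored_challenge) -> str:
    """Toy model of the server-side checks, in the order the question's log shows:
    Basic header first, then the post body; no secret at all -> invalid_client;
    only then is the PKCE verifier compared with the challenge from /authorize."""
    client_id = secret = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            client_id, secret = base64.b64decode(auth[6:]).decode("ascii").split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return "invalid_client"
    elif "client_secret" in body:
        client_id, secret = body.get("client_id"), body["client_secret"]
    if secret is None:
        return "invalid_client"  # the "Parser found no secret" case from the log
    if client_id != CLIENT_ID or sha256_secret(secret) != stored_secret_hash:
        return "invalid_client"
    if b64url(hashlib.sha256(body.get("code_verifier", "").encode("ascii")).digest()) != stored_challenge:
        return "invalid_grant"  # verifier does not hash to the stored challenge
    return "ok"


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("authorize:", urlencode(authorize_params(challenge, state="xyz")))
    for method in ("none", "post", "basic"):  # "code-from-redirect" is a constructed sample code
        h, b = token_request("code-from-redirect", verifier, method)
        print(method, "->", validate_token_request(h, b, sha256_secret(CLIENT_SECRET), challenge))
```

Because the secret ships inside the mobile app, it cannot be treated as confidential; the protection against an intercepted authorization code still rests on PKCE and on the registered redirect URI, and the secret only satisfies IdentityServer3's requirement that this flow authenticate the client. AppAuth for Android exposes the two methods as the ClientSecretPost and ClientSecretBasic client-authentication classes passed alongside the TokenRequest.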