Client authentication failed due to password contains character "+" #1622

Closed
rickwang7712 opened this issue Oct 30, 2019 · 5 comments

Comments

@rickwang7712
Contributor

rickwang7712 commented Oct 30, 2019

Describe the bug

Setting string like "6eYJ+6eYJ" as client_secret will cause "Client Authentication failed".

Reproducing the bug

Steps to reproduce the behavior:

  1. docker-compose up with hydra & postgres:9.6
  2. Add oauth2 client to hydra by admin endpoint with config like:
    {
      "client_id": "webportal",
      "client_secret": "6eYJ+6eYJ",
      "post_logout_redirect_uris": ["https://demo.dev.com"],
      "redirect_uris": ["https://demo.dev.com", "https://demo.dev.com/login"],
      "scope": "openid userinfo",
      "token_endpoint_auth_method": "client_secret_post",
      "response_types": ["code","id_token"],
      "grant_types": ["authorization_code"],
      "backchannel_logout_session_required": true,
      "backchannel_logout_uri": "https://demo.dev.com:8443/internal/v1/backchannel_logout"
    }
  3. Request fails with response: {"some": "error"}

Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","status_code":401}

{"level":"info","method":"POST","msg":"started handling request","remote":"168.0.0.1:14222","request":"/oauth2/token","time":"2019-10-30T06:52:42Z"}
{"debug":"crypto/bcrypt: hashedPassword is not the hash of the given password","description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)","error":"invalid_client","level":"error","msg":"An error occurred","time":"2019-10-30T06:52:42Z"}

Server configuration

version: '3'

services:

  hydra-migrate:
    depends_on:
      - postgresd
    image: oryd/hydra:v1.0.8
    environment:
      - DSN=postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}/hydra?sslmode=disable
    command:
      migrate sql -e --yes
    restart: on-failure
  hydra:
    depends_on:
      - hydra-migrate
    image: oryd/hydra:v1.0.8
    volumes:
      - .:/config
    ports:
      - ${HYDRA_PUBLIC_PORT}:4444 # Public port
      - ${HYDRA_ADMIN_PORT}:4445 # Admin port
    command:
      serve all --config /config/config.yaml
    environment:
      - URLS_SELF_ISSUER=${HYDRA_URLS_SELF_ISSUER} # must set to public port
      - URLS_CONSENT=${HYDRA_URLS_CONSENT}
      - URLS_LOGIN=${HYDRA_URLS_LOGIN}
      - URLS_LOGOUT=${HYDRA_URLS_LOGOUT}
      - DSN=postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}/hydra?sslmode=disable
      - SECRETS_SYSTEM=${SECRETS_SYSTEM}
    restart: unless-stopped
  postgresd:
    image: postgres:9.6
    ports:
      - "5432:5432"
    environment:
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=hydra

Expected behavior

The password should support any character which can be typed on the keyboard.

Environment

  • Version: v1.0.8+oryOS.12
    Git Hash: f60c724
    Build Time: 2019-10-04T07:10:20Z

  • Environment: Docker

Additional context
I also tried a secret with the character "/", which passes the secret check.
If there is any restriction on client_secret, I think it should be described in the table below List OAuth 2.0 Clients.

@aeneasr
Member

aeneasr commented Oct 30, 2019 via email

You need to url-encode the secret/id

@rickwang7712
Contributor Author

ahh...ok....
I found that I have to use '6eYJ%2B6eYJ' on the client side if the server is set to '6eYJ+6eYJ'.
Maybe it's because I use Postman in a wrong way? I use raw JSON to send body data('6eYJ+6eYJ').

Thank you for your reply.

@aeneasr
Member

aeneasr commented Oct 30, 2019

Maybe it's because I use Postman in a wrong way? I use raw JSON to send body data('6eYJ+6eYJ').

Most likely, that's why we always encourage using standard libraries to interact with OAuth2 everywhere. It's simply the way HTTP Basic Authentication is defined in the context of OAuth2.
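As an added illustration (not code from this thread, Hydra or fosite), the Go snippet below shows why a raw "+" in the secret fails: the token endpoint form-decodes the request, so an unescaped "+" arrives as a space, and the bcrypt comparison against the stored hash of "6eYJ+6eYJ" fails exactly as the log above reports. It covers both the client_secret_post body used in the issue and the RFC 6749 section 2.3.1 client_secret_basic header; the authorization code and redirect URI values are constructed.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
)

// ClientSecretBasic builds the Authorization header value for the
// client_secret_basic method as RFC 6749 section 2.3.1 defines it: client_id
// and client_secret are form-urlencoded first, then joined and base64-encoded.
func ClientSecretBasic(clientID, clientSecret string) string {
	creds := url.QueryEscape(clientID) + ":" + url.QueryEscape(clientSecret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(creds))
}

// ClientSecretPostBody builds the token request body for client_secret_post
// (the method configured in the issue); url.Values.Encode escapes '+' as %2B.
func ClientSecretPostBody(clientID, clientSecret, code, redirectURI string) string {
	v := url.Values{}
	v.Set("grant_type", "authorization_code")
	v.Set("client_id", clientID)
	v.Set("client_secret", clientSecret)
	v.Set("code", code)
	v.Set("redirect_uri", redirectURI)
	return v.Encode()
}

// SecretSeenByServer form-decodes a body the way a token endpoint does and
// returns the client_secret that would be checked against the stored hash.
func SecretSeenByServer(body string) (string, error) {
	v, err := url.ParseQuery(body)
	if err != nil {
		return "", err
	}
	return v.Get("client_secret"), nil
}

func main() {
	const secret = "6eYJ+6eYJ" // the secret from the issue
	// Hand-written body without escaping: '+' is decoded as a space, so the
	// server compares "6eYJ 6eYJ" against the hash and authentication fails.
	seen, _ := SecretSeenByServer("client_id=webportal&client_secret=" + secret)
	fmt.Printf("raw body     -> server sees %q\n", seen)
	// Properly encoded body (constructed code and redirect URI) round-trips intact.
	body := ClientSecretPostBody("webportal", secret, "constructed-code", "https://demo.dev.com")
	seen, _ = SecretSeenByServer(body)
	fmt.Printf("encoded body -> server sees %q\n", seen)
	fmt.Println(ClientSecretBasic("webportal", secret))
}
```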

@aeneasr aeneasr closed this as completed Oct 30, 2019
@rickwang7712
Contributor Author

rickwang7712 commented Oct 30, 2019

Sorry to bother, I would like to clarify more things.

I was saying that I use Postman to send admin api for creating/updating client.
On the client side, I use golang/oauth2 library to send api to public endpoint.

Is there also a standard library or tool to interact with hydra's admin endpoint?
Or should I not be using the golang/oauth2 library on the client side?

Thanks!

@aeneasr
Member

aeneasr commented Oct 30, 2019 via email
