
crypto/bcrypt: hashedPassword is not the hash of the given password #346

Closed
janekolszak opened this issue Jan 2, 2017 · 12 comments

Comments

@janekolszak

janekolszak commented Jan 2, 2017

Hi!
I have a problem with using response_type=code in javascript library (https://www.npmjs.com/package/openid-client).

Hydra v0.7.2

Request:

https://hydra/oauth2/auth?redirect_uri=wta%3A%2F%2Fauth&scope=openid%20all&state=4bdbfa61-6fe1-48fc-8aff-df6d8a4f26db&nonce=62491adc-8003-4cea-bd38-79bca4bdda00&response_type=code&client_id=wta-d

Response:

wta://auth?code=77aXBnscm10Fipd_pfNlk3hLbP23izsj8QMnDqTUoqc.xfDyGRGGVaXqpBGZNISqowDqVcnFgnYohWPw6VBau0w&scope=openid%20all&state=4bdbfa61-6fe1-48fc-8aff-df6d8a4f26db

Logs from the library:

{ HTTPError: Response code 401 (Unauthorized)
    at stream.catch.then.e (node_modules/openid-client/node_modules/got/index.js:129:13)
    at process._tickCallback (internal/process/next_tick.js:103:7)
  message: 'Response code 401 (Unauthorized)',
  host: 'hydra',
  hostname: 'hydra',
  method: 'POST',
  path: '/oauth2/token',
  statusCode: 401,
  statusMessage: 'Unauthorized' }

Client:

{
  "scope": "openid all",
  "redirect_uris": [
    "wta://auth"
  ],
  "grant_types": [
    "implicit",
    "authorization_code",
    "refresh_token"
  ],
  "response_types": [
    "code",
    "token",
    "id_token"
  ]
}

Hydra's logs:

Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=info msg="started handling request" method=GET remote=89.72.196.109 request="/oauth2/auth?redirect_uri=wta%3A%2F%2Fauth&scope=openid%20all&state=4bdbfa61-6fe1-48fc-8aff-df6d8a4f26db&nonce=62491adc-8003-4cea-bd38-79bca4bdda00&response_type=code&client_id=wta-d&consent=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3dGEtZCIsImV4cCI6MTQ4MzM4NzE1OCwiaWF0IjoxNDgzMzg2OTE4LCJqdGkiOiJkYzljNGE0Ni1mY2UyLTQ2ODItODlmNS0xMDhjMzFkNjFiZmIiLCJzY3AiOlsib3BlbmlkIiwiYWxsIl0sInN1YiI6ImIzMjhjNDcyLTRmMTktNDBmNy1hODM5LWRiMGY3ZTkwYmMyMyJ9.Opyr4jwFY_-F622FC-GdfIp6_Jal8B_ld_HzGnuUNZMX1Ig3OMcRGD3wUXO8ICg50KhVO3BvIK6W19LVRJEWFzy4B-bdh1Dld6nfFtPwy-Ie59L4p7860YO-Fa9HdAERh62KrO9GFImHuCmq4Z5P1SvBpbQid3b145r2CLTe6z6K1E-gN_AuDBnwVrYngVOsO4gIuh5ZKNHTss2f16YK1S6sJwxalGHJy3pz3dlv4-lWXSUnK1IAKKfrwiAL3Mcb4CCN5ghweSMrncKDC4Llt9XhUU6pHHhln28QLiHrw_e2sON-kjgeDzE-Kkas6Av26W_No6ftRMMV88Xk9VUIM_wtWMfxY7Oo9RTauEYy8VNxJ0_V8TwW4ETfTTElRijbwQ0Ofaz4PpQBoli-53bwyHOsKQXbF6N_WOmHE70VHMhjao_H0ywunmmHA_U4xTq6Lhq1zrPYTPxsN3PSB104eD-oEp3VBALv77TWCKEPMs9hiD4Vhl3kOgID_keRzWgXLEuVsMq8dKwVVBmSMZtzoWa6Sdc6-dSuZrD0A4uIEu5NgTVZL9OeAjDrTe6GtkQDyu78vNI1Z9YtZc01W9If3qZArZTaSjhiu3eUEofxafS9iIFb3XXt2XnxIrEGcJoy3Ge_yV_h66RwdPCriu5165fUMTVNFrLbgEEn6OR90Ro"
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=info msg="completed handling request" measure#web.latency=8159197 method=GET remote=89.72.196.109 request="/oauth2/auth?redirect_uri=wta%3A%2F%2Fauth&scope=openid%20all&state=4bdbfa61-6fe1-48fc-8aff-df6d8a4f26db&nonce=62491adc-8003-4cea-bd38-79bca4bdda00&response_type=code&client_id=wta-d&consent=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3dGEtZCIsImV4cCI6MTQ4MzM4NzE1OCwiaWF0IjoxNDgzMzg2OTE4LCJqdGkiOiJkYzljNGE0Ni1mY2UyLTQ2ODItODlmNS0xMDhjMzFkNjFiZmIiLCJzY3AiOlsib3BlbmlkIiwiYWxsIl0sInN1YiI6ImIzMjhjNDcyLTRmMTktNDBmNy1hODM5LWRiMGY3ZTkwYmMyMyJ9.Opyr4jwFY_-F622FC-GdfIp6_Jal8B_ld_HzGnuUNZMX1Ig3OMcRGD3wUXO8ICg50KhVO3BvIK6W19LVRJEWFzy4B-bdh1Dld6nfFtPwy-Ie59L4p7860YO-Fa9HdAERh62KrO9GFImHuCmq4Z5P1SvBpbQid3b145r2CLTe6z6K1E-gN_AuDBnwVrYngVOsO4gIuh5ZKNHTss2f16YK1S6sJwxalGHJy3pz3dlv4-lWXSUnK1IAKKfrwiAL3Mcb4CCN5ghweSMrncKDC4Llt9XhUU6pHHhln28QLiHrw_e2sON-kjgeDzE-Kkas6Av26W_No6ftRMMV88Xk9VUIM_wtWMfxY7Oo9RTauEYy8VNxJ0_V8TwW4ETfTTElRijbwQ0Ofaz4PpQBoli-53bwyHOsKQXbF6N_WOmHE70VHMhjao_H0ywunmmHA_U4xTq6Lhq1zrPYTPxsN3PSB104eD-oEp3VBALv77TWCKEPMs9hiD4Vhl3kOgID_keRzWgXLEuVsMq8dKwVVBmSMZtzoWa6Sdc6-dSuZrD0A4uIEu5NgTVZL9OeAjDrTe6GtkQDyu78vNI1Z9YtZc01W9If3qZArZTaSjhiu3eUEofxafS9iIFb3XXt2XnxIrEGcJoy3Ge_yV_h66RwdPCriu5165fUMTVNFrLbgEEn6OR90Ro" status=302 text_status=Found took=8.159197ms
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=info msg="started handling request" method=POST remote=89.72.196.109 request="/oauth2/token"
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=error msg="An error occurred" error="crypto/bcrypt: hashedPassword is not the hash of the given password: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)
crypto/bcrypt: hashedPassword is not the hash of the given password: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=debug msg="Stack trace: \ngithub.jparrowsec.cn/ory-am/hydra/vendor/github.com/ory-am/fosite.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/vendor/github.com/ory-am/fosite/errors.go:21\ngithub.jparrowsec.cn/ory-am/hydra/client.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/client/manager_sql.go:230\ngithub.jparrowsec.cn/ory-am/hydra/cmd/server.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/cmd/server/helper_keys.go:43\ngithub.jparrowsec.cn/ory-am/hydra/cmd.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/cmd/version.go:30\nmain.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/main.go:41\nruntime.main\n\t/home/travis/.gimme/versions/go1.7.linux.amd64/src/runtime/proc.go:172\nruntime.goexit\n\t/home/travis/.gimme/versions/go1.7.linux.amd64/src/runtime/asm_amd64.s:2086"
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=info msg="completed handling request" measure#web.latency=83694026 method=POST remote=89.72.196.109 request="/oauth2/token" status=401 text_status=Unauthorized took=83.694026ms
@aeneasr
Member

aeneasr commented Jan 2, 2017

Wrong password?

Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=error msg="An error occurred" error="crypto/bcrypt: hashedPassword is not the hash of the given password: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)
crypto/bcrypt: hashedPassword is not the hash of the given password: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"

@janekolszak
Author

Client authentication failed but I can't see any client authenticating. This isn't the client credentials grant, it's the authorization code.

( and I'm 100% sure the user's password is typed ok )

@aeneasr
Member

aeneasr commented Jan 2, 2017

Not the user's password, but the password of your oauth2 client. The auth_code requires a client secret when exchanging the auth code for a token. You can however set the public flag to true in your client, then the client won't need a secret for that flow!

@aeneasr
Member

aeneasr commented Jan 2, 2017

I believe the public flag is simply appending "public": true to the JSON body when you're creating the client at POST http://hydra/clients or by doing hydra clients create /* ... */ --is-public

@janekolszak
Author

The solution from gitter is to add "public":true to the client definition.

@OvermindDL1

Any idea on how to add a "public":true to the client definition when the client is part of a remote website that is trying to auth to a local hydra server (do note that it works on other openid connect servers), or some override in hydra to imply "public":true?

@aeneasr
Member

aeneasr commented Sep 6, 2018 via email

@OvermindDL1
> Check the docs, section advanced iirc.

I've been over those but I didn't find a way, I ended up mutating it on the nginx front-loader to get working.

> Also, questions in chat or forum only please.

Ah very nice, where would those be located, what is the IRC room and on which IRC server? (I'm in console terminal 95% of my day so anything that works on the commandline is fine, I'm even using github right here and now from the commandline. :- ) )

@aeneasr
Member

aeneasr commented Sep 6, 2018 via email

@OvermindDL1

OvermindDL1 commented Sep 6, 2018

> It's literally the first subsection in advanced:

Hmm, I didn't make the connection, I don't know OAuth2 well, I'm setting this up for someone else to allow their other services to access their Discourse forum as the login source so I'm learning on the way. I do apologize for the noise!

> Links to relevant forums and chatrooms as well as rules for opening issues are written in the issue template, the one you deleted when you opened this issue.

Ah, I didn't open the issue so I never saw it, issue templates don't appear in the comment on an issue. :-)

EDIT: Checked the issue template, but the chat appears to redirect to a Discord thing, what is the IRC room for a bridge, or is there a commandline client for Discord that I'm unable to find on a cursory Google search? Brow.sh makes a decent command-line browser for most sites but Discord is a bit too much for it... >.>

@aeneasr
Member

aeneasr commented Sep 6, 2018 via email

@algogrit

In case anyone stumbles on this issue, as per the documentation, you would have to add the field "token_endpoint_auth_method": "none" to the client.
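An added example, not Hydra's own code and not posted by anyone in this thread, modelling the decision aeneasr and algogrit describe: a confidential client must present its secret when it exchanges the authorization code at /oauth2/token, while a client registered with "token_endpoint_auth_method": "none" (the older "public": true) is let through without one. It is in Go because Hydra is; the function and type names are assumptions, the sha256 stand-in replaces the bcrypt comparison Hydra actually performs, and the client IDs and secret in the test are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"net/http"
	"net/url"
)

// Client holds the parts of a Hydra client record that matter at the token endpoint.
type Client struct {
	ID                      string
	TokenEndpointAuthMethod string // "client_secret_basic" (confidential) or "none" (public)
	HashedSecret            []byte // stand-in for Hydra's bcrypt hash; nil for public clients
}

var ErrClientAuth = errors.New("Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)")

// hashSecret is a constructed stand-in (standard library only); Hydra stores bcrypt hashes and checks them with bcrypt.CompareHashAndPassword.
func hashSecret(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// authenticateClient models the client-authentication step of POST /oauth2/token.
func authenticateClient(clients map[string]*Client, r *http.Request) (*Client, error) {
	id, secret, hasBasic := r.BasicAuth() // client_secret_basic, as openid-client sends it
	if !hasBasic {
		id = r.PostFormValue("client_id") // no credentials: only the form client_id names the caller
	}
	c, ok := clients[id]
	if !ok {
		return nil, ErrClientAuth
	}
	if c.TokenEndpointAuthMethod == "none" {
		return c, nil // public client: the code exchange needs no secret
	}
	if !hasBasic || subtle.ConstantTimeCompare(hashSecret(secret), c.HashedSecret) != 1 {
		return nil, ErrClientAuth // missing or wrong secret: exactly the failure in the issue's logs
	}
	return c, nil
}

// newTokenRequest builds a code-exchange request; an empty secret means none is sent.
func newTokenRequest(clientID, secret string) *http.Request {
	r := &http.Request{Method: "POST", Header: http.Header{},
		PostForm: url.Values{"grant_type": {"authorization_code"}, "client_id": {clientID}}}
	if secret != "" {
		r.SetBasicAuth(clientID, secret)
	}
	return r
}
```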
