Client Credentials Authenticators not compatible with Hydra?

[wesleyfantinel]

Describe the bug

I may be missing some configuration, but here is the deal...

I'm trying to use the client_credentials authenticator, calling hydra:444 token endpoint to validation.

But the problem is with the token_endpoint_auth_method, configured in the client. If i set it to client_secret_post, hydra logs will hint me to use the client_secret_basic instead. But if i do so, setting as client_secret_basic, oauthkeeper complains about it, requiring the client_secret_post.

Looks like oauthkeeper are working with two different methods for calling the token endpoint, with doesn't make any sense.

Reproducing the bug

Steps to reproduce the behavior:

1. Create a client with client_credentials grant types, with any scope, with token responses.
2. Setup a oauthkeeper rule with this authentication.
3. Make a request to the service using Authorization: Basic base64(id:secret)
4. Any client's token_endpoint_auth_method fails.

Server logs

level=error msg="An error occurred" description="Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)" error=invalid_client hint="The OAuth 2.0 Client supports client authentication method \"client_secret_post\", but method \"client_secret_basic\" was requested. You must configure the OAuth 2.0 client's \"token_endpoint_auth_method\" value to accept \"client_secret_basic\"."

level=warning msg="Access request denied" access_url="http://my-service:2222" error="oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)\",\"error_hint\":\"The OAuth 2.0 Client supports client authentication method \\\"client_secret_basic\\\", but method \\\"client_secret_post\\\" was requested. You must configure the OAuth 2.0 client's \\\"token_endpoint_auth_method\\\" value to accept \\\"client_secret_post\\\".\",\"status_code\":401}:

Server configuration

{
  "authenticators": [{
    "handler": "oauth2_client_credentials",
    "config": {
      "required_scope": [
        "dialogs"
      ]
    }
  }]
}

Expected behavior

It should make the authentication normally.

Environment

• Version: vv0.18.0-beta.1
• Environment: Kubernetes

[aeneasr]

Thank you! Would you be able to provide trace details as well? You can do this by setting log.level to trace or env var LOG_LEVEL=trace. That would be super helpful!

[aeneasr]

I think you've hit a Go regression issue. Some time ago they added the ability to auto-detect if the client should send the secrets in the header or in the body. For that, the client basically retries first with header (I think) and then caches the result and tries the body next. So in your case, you're trying the request with the header which is denied. Then, the go oauth2 library caches that, you set the right settings, but due to the cache it tries again with sending it in the body.

I think this could be fixed by adding AuthStyle: oauth2.AuthStyleInHeader, here.

I also believe that if set up correctly right from the start, this issue does not occur which is why tests did not catch this.

Could you maybe try the provided code change to see if this resolves your issue?

[aeneasr]

#267

[wesleyfantinel]

That's right, thanks man. I appreciate your quick effort..

[aeneasr]

Just to clarify, the issue was resolved with my findings? In that case I will go ahead and merge the PR.

[wesleyfantinel]

Sorry the late, I had to set up the environment.

I do confirm that it is fixed.

Thanks.