Can't access to an application through Oauth flow

[CristinaVTx]

I'm following the Fiware security tutorials and I'm currently trying to deploy the entire architecture from scratch. I have my own administrator user, I have created a new user, an application and I have associated them through a role and a permission. If I list the users in the application and the permissions they have associated with it, I receive a correct answer.

The problem is that I can't get them to log in using Oauth to consume the application resources. I get the authorization code through the clientID and client Secret, and I make the request that appears in the postman collection, but it gives me back this answer:

"error": "invalid_client"

Is it possible that I'm missing a step?

Thank you in advance.

[jason-fox]

I make the request that appears in the postman collection, but it gives me back this answer:

"error": "invalid_client"

Is it possible that I'm missing a step?

The error you are getting is defined by the OAuth2 node library - it rather unhelpfully says there is something wrong with your request, but you wouldn't expect a security component to leak any extra (useful) information.

My (pure) guess is that your header information is incorrect. Could you post the full request e.g. as a curl command or JavaScript code or something to work out what is wrong.

Without the full list of calls this will be impossible to work out.

[CristinaVTx]

Sorry for the few details of the previous question.
The summarized sequence is as follows:

First, I create an application and I receive this answer:

{ "application": { "id": "3f41855e-be0c-4924-b13a-d84f33994798", "secret": "4fb64c1f-be1f-4e09-883f-85961fe96514", "image": "default", "jwt_secret": null, "name": "Testing", "description": "This application is for testing", "redirect_uri": "http://testing/login", "url": "http://testing" "grant_type": "password,authorization_code,implicit", "token_types": "permanent,bearer", "response_type": "code,token" } }
I get the id and secret keys and I execute echo id:secret | base64 to get the access token.

Finally, I try to log in through Oauth with a non-administrator user, but with permissions in the application by making this request:

curl -iX POST http://localhost:3005/oauth2/token -H 'Accept: application/json' -H 'Authorization: Basic M2Y0MTg1NWUtYmUwYy00OTI0LWIxM2EtZDg0ZjMzOTk0Nzk4OjRmYjY0YzFmLWJlMWYjUxNAo=' -H 'Content-Type: application/x-www-form-urlencoded' --data "username=prueba@test.com&password=test&grant_type=password"

[jason-fox]

@CristinaVTx - could you add the Keyrock log as well by running a terminal with the Docker logs command. see: https://docs.docker.com/config/containers/logging/

Every bit of info will help. 😄

[CristinaVTx]

I hope this will help:
Thu, 21 Feb 2019 09:11:02 GMT idm:oauth_controller --> token Thu, 21 Feb 2019 09:11:02 GMT idm:oauth_controller Error invalid_client: [object Object] POST /oauth2/token 400 3.053 ms - 26

[CristinaVTx]

I put exactly the settings and the steps I followed to get to this point.

docker-compose.yml:

version: "3.1"
services:
  keyrock:
    image: fiware/idm:7.5.1
    container_name: fiware-keyrock
    hostname: keyrock
    networks:
      default:
        ipv4_address: 172.18.1.5
    depends_on:
      - mysql-db
    ports:
      - "3005:3005"
      - "3443:3443"
    environment:
      - DEBUG=idm:*
      - DATABASE_HOST=mysql-db
      - IDM_DB_PASS_FILE=/run/secrets/my_secret_data
      - IDM_DB_USER=root
      - IDM_HOST=http://192.168.1.58:3005
      - IDM_PORT=3005
      - IDM_HTTPS_ENABLED=${IDM_HTTPS_ENABLED}
      - IDM_HTTPS_PORT=3443
      - IDM_ADMIN_USER=admin
      - IDM_ADMIN_EMAIL=admin@test.com
      - IDM_ADMIN_PASS=test
    secrets:
      - my_secret_data
    healthcheck:
      test: curl --fail -s http://localhost:3005/version || exit 1

  mysql-db:
    restart: always
    image: mysql:5.7
    hostname: mysql-db
    container_name: db-mysql
    expose:
      - "3306"
    ports:
      - "3306:3306"
    networks:
      default:
        ipv4_address: 172.18.1.6
    environment:
      - "MYSQL_ROOT_PASSWORD_FILE=/run/secrets/my_secret_data"
      - "MYSQL_ROOT_HOST=172.18.1.5"
    volumes:
      - mysql-db:/var/lib/mysql
      - ./mysql-data:/docker-entrypoint-initdb.d/:ro
    secrets:
      - my_secret_data

networks:
  default:
    ipam:
      config:
        - subnet: 172.18.1.0/24
volumes:
  mysql-db: ~

secrets:
  my_secret_data:
    file: ./secrets.txt

1. I login with the admin user and get the X-Auth-Token, then I create a user:

curl -X POST \
  http://localhost:3005/v1/users \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-token: 63e70d08-e302-44f3-9df1-a6edce24b4bc' \
  -d '{
  "user": {
    "username": "prueba",
    "email": "prueba@test.com",
    "password": "test",
    "admin": true
  }
}'

and receive its information.

2. I create the application:

 curl -X POST \
  http://localhost:3005/v1/applications \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-token: 63e70d08-e302-44f3-9df1-a6edce24b4bc' \
  -d '{
  "application": {
    "name": "Testing",
    "description": "This application is for testing",
    "redirect_uri": "http://testing/login",
    "url": "http://testing",
    "grant_type": [
      "authorization_code",
      "implicit",
      "password",
      "client_credentials"
    ],
    "token_types": ["permanent"]
  }
}'

The answer is:

{
    "application": {
        "id": "b6b2111c-3625-4f16-8d27-a8c50779e14f",
        "secret": "b24730ea-cff1-4e13-a198-e341027a700d",
        "image": "default",
        "jwt_secret": null,
        "name": "Testing",
        "description": "This application is for testing",
        "redirect_uri": "http://testing/login",
        "url": "http://testing",
        "grant_type": "client_credentials,password,authorization_code,implicit",
        "token_types": "permanent,bearer",
        "response_type": "code,token"
    }
}

3. I create a permission associated with the application:

curl -X POST \
  http://localhost:3005/v1/applications/b6b2111c-3625-4f16-8d27-a8c50779e14f/permissions \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-token: 63e70d08-e302-44f3-9df1-a6edce24b4bc' \
  -d '{
  "permission": {
    "name": "Unlock",
    "action": "POST",
    "resource": "/door/unlock"
  }
}'

The answer is:

{
    "permission": {
        "id": "27e321b0-4f1e-4e76-ab95-2ab80c271d34",
        "is_internal": false,
        "name": "Unlock",
        "action": "POST",
        "resource": "/door/unlock",
        "oauth_client_id": "b6b2111c-3625-4f16-8d27-a8c50779e14f"
    }
}

4. I create a rol associated with the application:

curl -X POST \
  http://localhost:3005/v1/applications/b6b2111c-3625-4f16-8d27-a8c50779e14f/roles \
  -H 'Content-Type: application/json' \
  -H 'X-auth-token: 63e70d08-e302-44f3-9df1-a6edce24b4bc' \
  -d '{
  "role": {
    "name": "Testing"
  }
}'

The answer is:

{
    "role": {
        "id": "bbc99449-f4af-4f77-bae1-f14b02687b67",
        "is_internal": false,
        "name": "Testing",
        "oauth_client_id": "b6b2111c-3625-4f16-8d27-a8c50779e14f"
    }
}

5. I associate rol, permission and user for the application:

curl -X POST \
  http://localhost:3005/v1/applications/b6b2111c-3625-4f16-8d27-a8c50779e14f/users/3830cabf-fe24-49f3-928d-e1d7b5b85b42/roles/bbc99449-f4af-4f77-bae1-f14b02687b67 \
  -H 'Content-Type: application/json' \
  -H 'X-Auth-token: 63e70d08-e302-44f3-9df1-a6edce24b4bc'

The answer is:

{
    "role_user_assignments": {
        "role_id": "bbc99449-f4af-4f77-bae1-f14b02687b67",
        "user_id": "3830cabf-fe24-49f3-928d-e1d7b5b85b42",
        "oauth_client_id": "b6b2111c-3625-4f16-8d27-a8c50779e14f"
    }
}

6. I get the Authorization key with echo id_app:secret_app | base:

YjZiMjExMWMtMzYyNS00ZjE2LThkMjctYThjNTA3NzllMTRmOmIyNDczMGVhLWNmZjEtNGUxMy1h
MTk4LWUzNDEwMjdhNzAwZAo=

7. Finally, I try to login through Oauth:

curl -X POST \
  http://localhost:3005/oauth2/token \
  -H 'Accept: application/json' \
  -H 'Authorization: Basic YjZiMjExMWMtMzYyNS00ZjE2LThkMjctYThjNTA3NzllMTRmOmIyNDczMGVhLWNmZjEtNGUxMy1hMTk4LWUzNDEwMjdhNzAwZAo=' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'username=prueba@test.com&password=test&grant_type=password'

The answer is:

"error": "invalid_client"

And the docker log:

POST /oauth2/token 400 1.127 ms - 26
Thu, 21 Feb 2019 11:56:40 GMT idm:oauth_controller  --> token
Thu, 21 Feb 2019 11:56:40 GMT idm:oauth_controller Error invalid_client: [object Object]

Thank you so much in advance.

[KonoMaxi]

Hi @CristinaVTx ,
welcome to the club of people this problem struck.

Somehow our base64 encoding is off, see https://stackoverflow.com/a/58205722
It should've been echo -n id_app:secret_app | base.

As I expect you already hung yourself over this problem (as I was also close to kicking the chair), I provide this answer for future generations of fiware administrators.

Sidenote: when you take a closer look at the examples, their base64-strings always end with ==, while ours end with o=.

Regards,
Max