Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Following connectors/local example results in "Invalid client credentials" #183

Open
SimonTheLeg opened this issue Sep 18, 2024 · 1 comment · May be fixed by #184
Open

Following connectors/local example results in "Invalid client credentials" #183

SimonTheLeg opened this issue Sep 18, 2024 · 1 comment · May be fixed by #184

Comments

@SimonTheLeg
Copy link

Following the guide at https://dexidp.io/docs/connectors/local/, I am running into some issues:

If you copy the example from the Obtaining a token section and set it up with sqllite as storage...

issuer: http://localhost:8080/dex
storage:
  type: sqlite3
  config:
    file: sqlite/dex.db
# Setup clients
staticClients:
  - id: public-client
    public: true
    name: 'Public Client'
    redirectURIs:
      - 'https://example.com/oidc/callback'
  - id: private-client
    secret: app-secret
    name: 'Private Client'
    redirectURIs:
      - 'https://example.com/oidc/callback'
# Set up an test user
staticPasswords:
  - email: "[email protected]"
    # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
    username: "admin"
    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

# Enable local users
enablePasswordDB: true
# Allow password grants with local users
oauth2:
  passwordConnector: local

You will get

❯ dex serve dex-config.yaml
time=2024-09-18T18:55:12.589+02:00 level=INFO msg="Version info" dex_version=v2.41.1 go.version=go1.22.6 go.os=darwin go.arch=amd64
invalid Config:
        -       must supply a HTTP/HTTPS  address to listen on

Which is a bit unconvenient, but still can be fixed easily by adding the web.http section to the config:

issuer: http://localhost:8080/dex
storage:
  type: sqlite3
  config:
    file: sqlite/dex.db
# Setup clients
staticClients:
  - id: public-client
    public: true
    name: 'Public Client'
    redirectURIs:
      - 'https://example.com/oidc/callback'
  - id: private-client
    secret: app-secret
    name: 'Private Client'
    redirectURIs:
      - 'https://example.com/oidc/callback'
# Set up an test user
staticPasswords:
  - email: "[email protected]"
    # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
    username: "admin"
    userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

# Enable local users
enablePasswordDB: true
# Allow password grants with local users
oauth2:
  passwordConnector: local

web:
  http: 127.0.0.1:8080

And then dex starts

❯ dex serve dex-config.yaml
time=2024-09-18T18:56:27.263+02:00 level=INFO msg="Version info" dex_version=v2.41.1 go.version=go1.22.6 go.os=darwin go.arch=amd64
time=2024-09-18T18:56:27.263+02:00 level=INFO msg="config issuer" issuer=http://localhost:8080/dex
time=2024-09-18T18:56:27.296+02:00 level=INFO msg="config storage" storage_type=sqlite3
time=2024-09-18T18:56:27.296+02:00 level=INFO msg="config static client" client_name="Public Client"
time=2024-09-18T18:56:27.296+02:00 level=INFO msg="config static client" client_name="Private Client"
time=2024-09-18T18:56:27.297+02:00 level=INFO msg="config connector: local passwords enabled"
time=2024-09-18T18:56:27.297+02:00 level=INFO msg="config using password grant connector" password_connector=local
time=2024-09-18T18:56:27.298+02:00 level=INFO msg="config refresh tokens rotation" enabled=true
time=2024-09-18T18:56:27.308+02:00 level=INFO msg="keys expired, rotating"
time=2024-09-18T18:56:27.384+02:00 level=INFO msg="keys rotated" next_rotation=2024-09-18T22:56:27.372Z
time=2024-09-18T18:56:27.385+02:00 level=INFO msg="listening on" server=http address=127.0.0.1:8080

However you still will not be able to to run the curl examples from the Public Client or Private Client section at the bottom of the document

# side-note the hash comment in the middle of the line also breaks shells like zsh, so I have removed it here
curl -L -X POST 'http://localhost:8080/dex/token' \
-H 'Authorization: Basic cHVibGljLWNsaWVudAo=' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid profile' \
--data-urlencode '[email protected]' \
--data-urlencode 'password=admin'

{"error":"invalid_client","error_description":"Invalid client credentials."}

At first I thought this was due to the fact that in the config the password is actually set to "password" and not "admin", but still the same issue

❯ curl -L -X POST 'http://localhost:8080/dex/token' \
-H 'Authorization: Basic cHVibGljLWNsaWVudAo=' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid profile' \
--data-urlencode '[email protected]' \
--data-urlencode 'password=password'
{"error":"invalid_client","error_description":"Invalid client credentials."}

I have also tried both variations with 'username=admin', but with the same result.

Can you advise how to get retrieving the token using curl to work? Happy to contribute this back to the guide in addition to the adaptations I made above.
@SimonTheLeg
Copy link
Author

Okay I finally figured out how it works. The Authorization header seemed to be the issue. The following works

❯ curl -L -X POST 'http://localhost:8080/dex/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid email' \
--data-urlencode '[email protected]' \
--data-urlencode 'password=password' \
--data-urlencode 'client_id=public-client'

Will create a Docs PR tomorrow :)

@SimonTheLeg SimonTheLeg linked a pull request Sep 27, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix builtin connector example SimonTheLeg/dex-website
1 participant
@SimonTheLeg