External Login, AuthenticationFailureException: "invalid_client" on callback

[cliffi30]

IdentityServer version

version 7, latest release

.NET version

.net 8

Description

I am trying to setup an additional federated login in combination with a pushed autorisation request on our identity server. The first part of the external login process seems to work fine. The PAR request is handled and the user can login using the 3rd party server. However then the redirect back to our server produceds an Error 500. The error message indicateds that something is wrong with the client Id.

Reproduction steps

• start login process on idp
• pushed authorization request (using class ParOidcEvents from your sample) is initated and works
• user can authorize with 3rd party
• 3rd party redirects to the provided return_url with response mode "query" (not standard signin-oidc as we have multiple 3rd party loging providers)
  Request
  [ GET
  https://localhost:5001/signin-mobilId?code=K1atxcxnVO3AR2_W-y7piw.JN8rFEYNiDDjPgBOZZhwvw&iss=https://openid.mobileid.ch&state=CfDJ8A_rdoVuF_hPiKPwZTECehWPWOndGQe7ujZfMe8A322BdnCRDtYcEVTsSyyrRp5x5TSyqsMw4woCRoRXt1chicaxKZ18c3iKSYq2R_Dq8qtxRlHEY73kNLzNefDSNVheKgdSMXn2L_qm9Befm0Qz1khdNgy7HT5DhFi8WbYv2rf
  ]

receiving error:

OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'Invalid client: Possible causes may be missing / invalid client_id, missing client authentication, invalid or expired client secret, invalid or expired JWT authentication, invalid or expired client X.509 certificate, or an unexpected client authentication method', error_uri: 'error_uri is null'.

Expected behavior

I would excpected that the Authorization Handler validates the query parameters and (external) signs in the user at this point. Then it redirects to the External Controller Callback Methode so I can manualy do what is needed and finally locally sign in the user after matching him with the local database.

Logs

[16:47:24 Error] Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware
An unhandled exception has occurred while executing the request.
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'Invalid client: Possible causes may be missing / invalid client_id, missing client authentication, invalid or expired client secret, invalid or expired JWT authentication, invalid or expired client X.509 certificate, or an unexpected client authentication method', error_uri: 'error_uri is null'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 39
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 51
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
   at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

Additional context

Setup in Startup.cs

o.Authority = mobileIdSettings.Authority;
o.ClientId = mobileIdSettings.ClientId;
o.ClientSecret = mobileIdSettings.ClientSecret;
o.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
o.Scope.Clear();
o.Scope.Add(OpenIdConnectScope.OpenIdProfile);
o.Scope.Add(OpenIdConnectScope.Phone);
o.ResponseType = OpenIdConnectResponseType.Code;
o.ResponseMode = OpenIdConnectResponseMode.Query;
o.GetClaimsFromUserInfoEndpoint = true;
o.ClaimActions.MapUniqueJsonKey(Constants.Claims.PhoneNumber, "phone_number");
o.UsePkce = true;
o.SaveTokens = true;
o.CallbackPath = mobileIdSettings.CallbackPath;

        o.Events = new OpenIdConnectEvents()
        {
        OnTokenValidated = context =>
        {
            var idpClaim = context.Principal?.FindFirst("idp");
            if (idpClaim != null)
            {
                // Replace the IdP claim value with "local"
                var claimsIdentity = (ClaimsIdentity)context.Principal.Identity;
                claimsIdentity?.RemoveClaim(idpClaim);
                claimsIdentity?.AddClaim(new Claim("idp", IdentityServerConstants.LocalIdentityProvider));
            }

            return Task.CompletedTask;
        }
        };

        // needed to add PAR support
        o.EventsType = typeof(ParOidcEvents);

I have been looking in the old support discussion and found these two threads. I looked into the solution from 889 together with the provider. I applied the fix from 889 but the event does not seem to get triggered at all.
DuendeArchive/Support#345
DuendeArchive/Support#889

[RolandGuijt]

The error you're seeing is most probably from the external identity provider. Can you somehow check what is going wrong there? Maybe you have access to the logs e.g.
Since the error seems to happen during code for token exchange could it be as simple as the client secret that isn't configured or not configured correctly?

[cliffi30]

I managed to find out what the problem was and why the authorization code exchange failed.

With PAR in place this external IDP will enforce authentication not only on the PAR endpoint but also on the token endpoint. So when I received the authorization code and when trying to exchange the code for a token it rejected the request.
I figured that out quite quickly and was trying to solve the problem by adding the suggested code from ticket 899 in my Startup.cs class, right where AddOpenIdConnect() is called and the setup of the external provider takes place.

options.Events.OnAuthorizationCodeReceived = context =>
{
    context.Backchannel.SetBasicAuthenticationOAuth(context.TokenEndpointRequest.ClientId, context.TokenEndpointRequest.ClientSecret);
    return Task.CompletedTask;
};

However, this is not working. When using a specifice class i.e. ParOidcEvents that inherits from OpenIdConnectEvents as shown in the Duende PAR example, the events will not fire in the Startup class. Muchmore one must overide the Methode in the ParOidcEvents class:

public override Task AuthorizationCodeReceived(AuthorizationCodeReceivedContext context)
    {
        Log.Information("AuthorizationCodeReceived");
        context.Backchannel.SetBasicAuthenticationOAuth(context.TokenEndpointRequest.ClientId, context.TokenEndpointRequest.ClientSecret);
        return base.AuthorizationCodeReceived(context);
    }

With this in place it works