
Invalid Grant error when deployed to Production #116

Open
fraserbooth opened this issue Sep 17, 2021 · 4 comments
fraserbooth commented Sep 17, 2021

First a big thank you to @leastprivilege for all your amazing work :)

I've inherited a solution that uses Identity Server 4 and is working well. While experimenting with this sample it works fine against localhost, but when trying to connect the Client to Production I'm getting:

'Invalid grant type for client: "authorization_code"'

I've been exploring the issue on StackOverflow:
https://stackoverflow.com/questions/69183994/identity-server4-gives-invalid-grant-error-when-deployed-to-production-but-wo?noredirect=1#comment122318014_69183994

...and the conclusion seems to be that in Production the Client also needs HTTPS. I suppose you have used this sample in Production against an SSL Secured Identity Server 4. Did you have any issues?

When changing the RedirectUri to HTTPS I get:

'HTTPS endpoints can only be configured using KestrelServerOptions.Listen().'

...and am now stuck in various loops trying to work out how to configure Kestrel and get Certificates onto Client machines to integrate into my solution. Just wanting to make sure I'm barking up the right tree and see if there is an easier way :)

Further reading of closed issue #89 in this Repo suggests that http loopback should still be fine in Production:
https://tools.ietf.org/html/rfc8252#section-7
...so I'm at a loose end where I've gone wrong.

leastprivilege (Contributor) commented

You need to check the server logs why you are getting the invalid_grant. I am sure it is a config problem.

fraserbooth (Author) commented Sep 20, 2021

Thank you for your reply :)

The server logs show the following:

Start authorize request
No user present in authorize request
Start authorize request protocol validation
desktopClient found in database: True
client configuration validation for client "desktopClient" succeeded.
Checking for PKCE parameters
AuthorizeRequestValidationLog { ClientId: "desktopClient", ClientName: "Desktop", RedirectUri: "http://127.0.0.1:53508", AllowedRedirectUris: ["http://127.0.0.1:53508"], SubjectId: "anonymous", ResponseType: "code", ResponseMode: "query", GrantType: "authorization_code", RequestedScopes: "", State: "850ea39012d6cb9957943eec7e0d4940", UiLocales: null, Nonce: null, AuthenticationContextReferenceClasses: null, DisplayMode: null, PromptMode: null, MaxAge: null, LoginHint: null, SessionId: null, Raw: [("response_type": "code"), ("nonce": "cb71ec9cf7cd6ae6d4cad312f0a19769"), ("state": "850ea39012d6cb9957943eec7e0d4940"), ("code_challenge": "n-UyLEqkbUKjBFzP5-QQYjb5_l1G95pmtt6D_sqWUxE"), ("code_challenge_method": "S256"), ("client_id": "desktopClient"), ("scope": "openid profile api offline_access"), ("redirect_uri": "http://127.0.0.1:53508")] }
Invalid grant type for client: "authorization_code"
Request validation failed
AuthorizeRequestValidationLog { ClientId: "desktopClient", ClientName: "Desktop", RedirectUri: "http://127.0.0.1:53508", AllowedRedirectUris: ["http://127.0.0.1:53508"], SubjectId: "anonymous", ResponseType: "code", ResponseMode: "query", GrantType: "authorization_code", RequestedScopes: "", State: "850ea39012d6cb9957943eec7e0d4940", UiLocales: null, Nonce: null, AuthenticationContextReferenceClasses: null, DisplayMode: null, PromptMode: null, MaxAge: null, LoginHint: null, SessionId: null, Raw: [("response_type": "code"), ("nonce": "cb71ec9cf7cd6ae6d4cad312f0a19769"), ("state": "850ea39012d6cb9957943eec7e0d4940"), ("code_challenge": "n-UyLEqkbUKjBFzP5-QQYjb5_l1G95pmtt6D_sqWUxE"), ("code_challenge_method": "S256"), ("client_id": "desktopClient"), ("scope": "openid profile api offline_access"), ("redirect_uri": "http://127.0.0.1:53508")] }
TokenIssuedFailureEvent { ClientId: "desktopClient", ClientName: "Desktop", RedirectUri: "http://127.0.0.1:53508", Endpoint: "Authorize", SubjectId: null, Scopes: "", GrantType: "authorization_code", Error: "unauthorized_client", ErrorDescription: "Invalid grant type for client", Category: "Token", Name: "Token Issued Failure", EventType: Failure, Id: 2001, Message: null, ActivityId: "80004ac4-0000-ef00-b63f-84710c7967bb", TimeStamp: 09/12/2021 17:53:13, ProcessId: 20916, LocalIpAddress: "10.0.0.4:443", RemoteIpAddress: "195.206.180.132" }
Request finished in 810.6797ms 302 

The Production config is working fine for my ReactJS Web App using the implicit Grant Type, but my understanding is authorization_code is better for a Desktop App with Refresh Tokens etc.

My confusion is that I have the same configuration for the authorization_code on my local development environment which is working fine. I am not sure how to work out what config changes are needed between Local and Production.

leastprivilege (Contributor) commented

What are the allowed grant types for the client in production?

fraserbooth (Author) commented

In both Local & Production the Desktop Client is given GrantType "authorization_code" in the ClientGrantTypes table in SQL, however in Production it's throwing this "Invalid grant type for client: "authorization_code"" error.
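The server log above says the authorize request carried GrantType "authorization_code" and the server answered unauthorized_client, while both databases appear to hold that grant type for the client. The script below is an added example, not code from this thread or from the IdentityServer project. It parses the quoted AuthorizeRequestValidationLog line into fields, models the server-side check as an exact, case-sensitive membership test against the client's configured grant types (that exactness is an assumption stated in the code), and reports "near misses": stored values that differ from the request only by whitespace or letter case. The two table snapshots are constructed; the trailing space in the production row is a hypothetical discrepancy chosen to show why a value that looks identical in a query result can still fail the comparison, not the cause established by the thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a shortened copy of the AuthorizeRequestValidationLog line quoted
# in the thread (the Raw: [...] tail is omitted to keep the line readable).
SAMPLE_LOG = (
    'AuthorizeRequestValidationLog { ClientId: "desktopClient", ClientName: "Desktop", '
    'RedirectUri: "http://127.0.0.1:53508", AllowedRedirectUris: ["http://127.0.0.1:53508"], '
    'SubjectId: "anonymous", ResponseType: "code", ResponseMode: "query", '
    'GrantType: "authorization_code", RequestedScopes: "", '
    'State: "850ea39012d6cb9957943eec7e0d4940", UiLocales: null, Nonce: null }'
)

# Constructed stand-ins for rows of the ClientGrantTypes table in the two environments.
# The trailing space in the production row is a hypothetical discrepancy used to show how
# a value that looks identical in a query result can still fail an exact comparison.
LOCAL_ROWS = [{"ClientId": "desktopClient", "GrantType": "authorization_code"}]
PRODUCTION_ROWS = [{"ClientId": "desktopClient", "GrantType": "authorization_code "}]


def parse_validation_log(line: str) -> Dict[str, str]:
    """Extract the quoted scalar fields (ClientId, GrantType, RedirectUri, ...) from one log line."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+): "([^"]*)"', line)}


def allowed_grant_types(rows: List[Dict[str, str]], client_id: str) -> List[str]:
    """Grant types configured for a client, as the server would load them from the table."""
    return [row["GrantType"] for row in rows if row["ClientId"] == client_id]


def validate_grant_type(requested: str, allowed: List[str]) -> Tuple[bool, Optional[str]]:
    """Model of the server-side check: an exact, case-sensitive membership test (assumption).

    Returns (True, None) when allowed, otherwise (False, "unauthorized_client"), the error
    code that appears in the TokenIssuedFailureEvent in the thread.
    """
    if requested in allowed:
        return True, None
    return False, "unauthorized_client"


def near_misses(requested: str, allowed: List[str]) -> List[str]:
    """Stored values that differ from the request only by whitespace or letter case."""
    return [
        value for value in allowed
        if value != requested and value.strip().casefold() == requested.casefold()
    ]


def check_environment(name: str, rows: List[Dict[str, str]], log_line: str) -> Tuple[bool, List[str]]:
    """Run the validation for one environment and report what a config review should look at."""
    fields = parse_validation_log(log_line)
    allowed = allowed_grant_types(rows, fields["ClientId"])
    ok, error = validate_grant_type(fields["GrantType"], allowed)
    hints = near_misses(fields["GrantType"], allowed)
    print(f"[{name}] client={fields['ClientId']} requested={fields['GrantType']!r} "
          f"allowed={allowed} -> {'ok' if ok else error}")
    for value in hints:
        print(f"[{name}]   near miss: stored {value!r} vs requested {fields['GrantType']!r}")
    return ok, hints


if __name__ == "__main__":
    check_environment("local", LOCAL_ROWS, SAMPLE_LOG)
    check_environment("production", PRODUCTION_ROWS, SAMPLE_LOG)
```

Running it prints "ok" for the local snapshot and unauthorized_client plus a near-miss line for the production snapshot. The practical point is that the comparison between the request's grant type and the stored configuration is what the log is reporting on, so a review of the production ClientGrantTypes rows should look at the exact stored bytes (whitespace, case, the client the row is actually attached to) rather than at how the value renders in a query tool.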
