IdentityModel / IdentityModel.AspNetCore

ASP.NET Core helper library for claims-based identity, OAuth 2.0 and OpenID Connect.

Error getting token when upgrading from 4.1.2 to 4.1.3 or greater

cjkele opened this issue · comments

I have a REST API using .NET Core 6 calling another API which requires authorization, so I am using the IdentityModel.AspNetCore library following the "Worker Applications" usage in the documentation and it has been working fine for some time (1yr).

When I upgrade the IdentityModel.AspNetCore library to anything past 4.1.2 the library no longer seems to be able to get a token from a Keycloak server. It is behaving as if I am passing bad credentials but if I downgrade back down to 4.1.2 or less it works again.

The error message in the log is:

fail: IdentityModel.AspNetCore.AccessTokenManagement.ClientAccessTokenManagementService[0]
      Error requesting access token for client iam_keycloak. Error = unauthorized_client. Error description = INVALID_CREDENTIALS: Invalid client credentials

Startup.cs#ConfigureServices()
{
    services.AddAccessTokenManagement(options =>
    {
        options.Client.Clients.Add("iam_keycloak", new ClientCredentialsTokenRequest
        {
            Address = "https://mykeycloakinstance/auth/realms/myrealm/protocol/openid-connect/token",
            ClientId = "client_name:api-confidential",
            ClientSecret = "zzzzzzzzzzz-zzzz-zzzzz-zzzzz-zzzzzzzzzzzz"
        });
    });

    services.AddTransient<HttpLoggingHandler>();

    services.AddRefitClient<IMyRefitApiClient>()
        .ConfigureHttpClient(c =>
        {
            c.BaseAddress = new Uri("api url");
        })
        .AddHttpMessageHandler<HttpLoggingHandler>()
        .AddClientAccessTokenHandler("iam_keycloak");
}

This can be closed. I found the issue and it was related to this breaking change. Is this something that would benefit from being documented in the worker documentation?

https://github.com/IdentityModel/IdentityModel/pull/429/files

#268

I fixed it by adding this line to my ClientCredentialsTokenRequest

    options.Client.Clients.Add("iam_keycloak", new ClientCredentialsTokenRequest
    {
        ...
        ClientCredentialStyle = ClientCredentialStyle.PostBody
    });

Ah I see - yes the underlying IdentityModel library did that change.

PostBody is not really recommended per RFC6749. Surprised Keycloak does not support authZ header.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue.
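
What the two client credential styles discussed in this thread put on the wire, as an added example that is not part of the original issue and not IdentityModel's own code. It uses only System.Net.Http, encodes the header as RFC 6749 section 2.3.1 describes, and takes the endpoint placeholder and client id from the issue with a constructed secret; the helper names are hypothetical.

```csharp
// Added example: plain System.Net.Http only, no IdentityModel calls.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

// Endpoint placeholder and client id are taken from the issue; the secret is constructed.
const string address = "https://mykeycloakinstance/auth/realms/myrealm/protocol/openid-connect/token";
const string clientId = "client_name:api-confidential";
const string clientSecret = "constructed-secret";

await Dump("PostBody", PostBody());
await Dump("AuthorizationHeader", AuthorizationHeader());

// Style 1: the credentials are form fields in the body, next to grant_type.
HttpRequestMessage PostBody() => TokenRequest(new Dictionary<string, string>
{
    ["grant_type"] = "client_credentials",
    ["client_id"] = clientId,
    ["client_secret"] = clientSecret,
});

// Style 2 (RFC 6749 section 2.3.1): form-encode id and secret separately,
// join them with ':', and send the pair Base64-encoded as HTTP Basic.
HttpRequestMessage AuthorizationHeader()
{
    var request = TokenRequest(new Dictionary<string, string> { ["grant_type"] = "client_credentials" });
    var pair = $"{FormEncode(clientId)}:{FormEncode(clientSecret)}";
    request.Headers.Authorization = new AuthenticationHeaderValue(
        "Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(pair)));
    return request;
}

HttpRequestMessage TokenRequest(Dictionary<string, string> form) =>
    new HttpRequestMessage(HttpMethod.Post, address) { Content = new FormUrlEncodedContent(form) };

// application/x-www-form-urlencoded: percent-encode, with '+' for a space.
string FormEncode(string value) => Uri.EscapeDataString(value).Replace("%20", "+");

// Prints the header, its decoded user:password pair, and the body the server would receive.
async Task Dump(string style, HttpRequestMessage request)
{
    var auth = request.Headers.Authorization;
    Console.WriteLine($"--- {style} ---");
    Console.WriteLine($"Authorization: {(auth?.ToString() ?? "(none)")}");
    if (auth != null)
        Console.WriteLine($"Decoded pair:  {Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter))}");
    Console.WriteLine($"Body:          {await request.Content.ReadAsStringAsync()}");
}
```

In the decoded pair the colon inside the client id appears as `%3A`, so a token endpoint has to form-decode the Basic credentials to recover the original id.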