September 14, 2020 at 5:33 am #28267
Hi Everyone, are there any examples that use C# (ideally OWIN) to authenticate? I am trying to set up SSO integration between ForgeRock and my application. I have downloaded and configured AM-eval-6.5.1, which appeared to be working as I am able to log in, configure and create an application. I created a new Realm with a single application. I have set the ClientName and Secret to be the same, and the scope(s) and default scope(s) are set to openid.
The problem I am encountering is invalid_client Client authentication failed on redirection to ForgeRock.
I have seen this link about changing Token Endpoint Authentication Method to client_secret_post, but this made no difference: https://backstage.forgerock.com/knowledge/kb/article/a27814899.
I can see a 400 error in fiddler.
Clearly I have missed something but I am at a loss as to what. Any suggestion would be gratefully received.
September 14, 2020 at 5:34 am #28268
This is the message being sent:
GET http://<machinednsname fqdn>:9090/AM-eval-6.5.1/oauth2/authorize?client_id=OpenIdcTest&response_type=id_token&scope=openid&state=OpenIdConnect.AuthenticationProperties%3Dio3AMu9_U6PHKqNcGcIl1D717ut6bliZSrlrRL-5ivCwomLCu-OclPyaIBd4aun0hP-g2-hUyBAhMYqAaj6-hYeaEg3ofUAVqnW9lVDhoexKDaM1RgSAKtFGz_xrk1ow0l55q0N4zmK1UcaD6cxXh2U7PRoyjksUOVTW6GakZvk&response_mode=form_post&nonce=637356495226468586.NDZmYjBkMjItMzk2NC00ZTg5LWE3NDAtMDMzNTdkMmI5ZmIzNDA0MmYzYWItMTMxMS00MjZiLWFjZWEtMmUxMjQxMzI4ZDNm&redirect_uri=http%3A%2F%2Flocalhost%2F
Host: <machine name not fqdn>:9090
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-NZ,en;q=0.9
September 14, 2020 at 5:37 am #28270
Response is invalid_client Client authentication failed
Sorry, I can’t paste the whole message here as it’s blocked by the forum.
description: “Client authentication failed”,
message: “invalid_client”
September 14, 2020 at 6:46 am #28271
I am assuming that it can’t access the Realm, as if I create the application on the Top Level Realm I get a different error (server_error server_error (400) – The authorization server encountered an unexpected condition which prevented it from fulfilling the request.)
September 14, 2020 at 9:40 am #28272
Andrew Potter, Participant
I see you say you created a realm. From your API call it looks like you are not specifying the realm in the URL.
See the note on composing the URL with a realm name here: https://backstage.forgerock.com/docs/am/7/oauth2-guide/oauth2-authorize-endpoint.html. (It’s the same for v6.5)
i.e. you’ll need something like ‘oauth2/realms/root/realms/<your-realm>/authorize’
September 14, 2020 at 3:59 pm #28273
Jatinder Singh, Participant
In addition to what Andrew has already mentioned: to determine what OAuth2 endpoints (e.g. /authorize, /access_token, /introspect) are being published by the Authorization server, you can query the below endpoint:
http://<machinednsname fqdn>:9090/AM-eval-6.5.1/oauth2/realms/root/realms/YOUR_REALM/.well-known/openid-configuration
September 15, 2020 at 3:14 am #28274
Excellent, thanks for the tip about the URL needing to contain the realm. That has moved me along, but now I am getting another error and am no longer seeing the ForgeRock landing page.
Fiddler is showing the redirection once ForgeRock is contacted. From the URL it appears that there is a setting issue.
The error on the URL is ‘unsupported_response_type’.
This is the request that was sent.
GET http://ap-chc-lt179:9090/AM-eval-6.5.1/oauth2/realms/root/realms/OpenIdcTest/authorize?client_id=OpenIdcTest&response_type=token&scope=openid&state=OpenIdConnect.AuthenticationProperties%3D9ohXPw50SIqiU8G5MESHYFOwVhkUfX498bNIKOKHrWjBxDTpnh9cJbN3a2V_yfT7Lmt7t6Oadl03GHIEty5nCDbBghTSpMampv940L7KiSDAgyisNocBFhgqysl__PGyXPoSPVOeqaMheL7MuHF9tfBER0HDUPve8ZQOsDhx3mo&response_mode=form_post&nonce=637357231049035335.ZWE4NmM2YzAtMTI3Mi00NTBlLWE0MGEtZjdhZTVhNGFmZGVjZGNiOTE2NGQtNTg1Zi00OTgxLTljYjctZjRlYThjODdkMDBj&redirect_uri=http%3A%2F%2Flocalhost%2FAxWebOrigination%2FOpenIdConnectCallback&x-client-SKU=ID_NET461&x-client-ver=126.96.36.199 HTTP/1.1
In my client configuration I have the following:
Grant Types, All selected
Response Types I have ‘code’,’id_token’,’token’,’code token’,’token id_token’,’code id_token’,’code token id_token’,’none’ .
Token Endpoint Authentication Method, client_secret_post
I am grateful for any further suggestions.
September 15, 2020 at 3:29 am #28275
I have also tried with a response type of id_token, with the same response…
http://ap-chc-lt179:9090/AM-eval-6.5.1/oauth2/realms/root/realms/OpenIdcTest/authorize?client_id=OpenIdcTest&response_type=id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3Dv99ygdGhfUxGeg_WVQyRUk2ZJyzjPe2_16Kxfd0pTqLIQ9zUwe5NntZS3nC7SpEkriyGeALqPg6b_qOhmbiBpRcAe0EP685J-Uj-y6MXVEjkDbB40shr0LcagHOrnqKr-GoEyZo_VzjV9ZNe9otSZtKCCdUb8jaE3YcjzqOMhVw&response_mode=form_post&nonce=637357300946805779.M2JkNTMzNGMtOGUxZS00MWFlLWI2ZmEtNThiOWMwNTg5N2FkMmM4NjFhNDMtMjQ4Zi00ZGYzLWI4MDItNDRjMTc5MTg1MGI1&redirect_uri=http%3A%2F%2Flocalhost%2FAxWebOrigination%2FOpenIdConnectCallback&x-client-SKU=ID_NET461&x-client-ver=188.8.131.52 HTTP/1.1
September 15, 2020 at 4:50 am #28276
Thanks everyone for your help. I just got it working. My problem was that the scope was mismatched between ForgeRock and the OWIN configuration in C#. Once corrected, I am able to redirect to login and then receive the JWT token that I need for further processing.
Once again thanks for your help.
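For reference, here is an OWIN Startup that puts the three fixes from this thread together (realm-qualified Authority, a response type the AM client actually enables, and a Scope that matches the client's allowed scopes). This is an added example, not code from the original poster or from ForgeRock; the hostname, secret placeholder, namespace and error route are assumptions, and the client id, realm and redirect URI are the ones quoted above.

```csharp
// Added example: OWIN OpenID Connect middleware configured against the AM 6.5 eval realm
// discussed in this thread. Hostname, secret and the /Error route are placeholders.
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(AxWebOrigination.Startup))]

namespace AxWebOrigination
{
    public class Startup
    {
        // The middleware appends "/.well-known/openid-configuration" to Authority, giving the
        // discovery URL quoted above. Leaving out "/realms/root/realms/<realm>" is the
        // first-post mistake: AM then resolves the client in the top-level realm.
        private const string Authority =
            "http://am.example.test:9090/AM-eval-6.5.1/oauth2/realms/root/realms/OpenIdcTest";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = Authority,
                ClientId = "OpenIdcTest",
                RedirectUri = "http://localhost/AxWebOrigination/OpenIdConnectCallback",
                // Must be one of the Response Types enabled on the AM client; id_token is the
                // flow that worked in the thread and needs no token-endpoint client auth.
                ResponseType = "id_token",
                // OWIN defaults to "openid profile"; the AM client only allows "openid".
                // That mismatch produced the final error, so keep both sides identical.
                Scope = "openid",
                // The eval instance runs over plain HTTP; leave this true outside a lab.
                RequireHttpsMetadata = false,
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Surface AM's error/error_description instead of a bare 400 in Fiddler.
                    AuthenticationFailed = n =>
                    {
                        n.HandleResponse();
                        n.Response.Redirect("/Error?message=" + Uri.EscapeDataString(n.Exception.Message));
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

The nonce and state parameters seen in the captured requests are generated by the middleware itself, so nothing in this configuration needs to set them.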