Hey Farasath,

I tried it without the client_secret and it works. And then I realized that the *"Allow authentication without the client secret"* option is probably causing the problem (we use this as we validate transport layer certificates on the gateway). Now it works :-)
We'll have to take a look at it from our end.

Thanks,
Have a nice weekend,
Kaveen Rodrigo

On Fri, Jan 18, 2019 at 4:17 PM Farasath Ahamed <[email protected]> wrote:

> Hi Kaveen,
>
> Can you try the same request without sending the client_secret in the
> request (send only the client_id)?
>
> On Friday, January 18, 2019, Kaveen Rodrigo <[email protected]> wrote:
>
>> Hey all,
>>
>> I'm having some trouble getting a token with the *client_credentials* grant
>> and mutual TLS, where it fails with the error message *"The client MUST
>> NOT use more than one authentication method in each"*. Refer to the request
>> below:
>>
>> curl -k -d "grant_type=client_credentials&scope=accounts&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>" \
>>   -H "Content-Type: application/x-www-form-urlencoded" \
>>   --cert cert.crt --key key.key -X POST https://203.94.95.194:8243/token
>>
>> I'm using *wso2ob-km 5.7.0 (WSO2 Identity Server 5.7.0)* with OAuth logs
>> enabled, and I get the following output.
>>
>> TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Executing OAuth client authenticators.
>> TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Retrieving registered OAuth client authenticator list.
>> TID: [-1234] [] [2019-01-18 02:51:54,112] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PrivateKeyJWTClientAuthenticator
>> TID: [-1234] [] [2019-01-18 02:51:54,113] DEBUG {org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator} - Authenticate Requested with clientAssertionType : null
>> TID: [-1234] [] [2019-01-18 02:51:54,114] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PrivateKeyJWTClientAuthenticator authenticator cannot handle this request.
>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : BasicOAuthClientCredAuthenticator
>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Basic auth credentials present as body params. Hence returning true
>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - BasicOAuthClientCredAuthenticator authenticator can handle incoming request.
>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator BasicOAuthClientCredAuthenticator can authenticate the client request. Hence trying to evaluate authentication
>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Authenticating client : <CLIENT_ID> with client secret.
>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : <CLIENT_ID>
>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were added to the cache for client id : <CLIENT_ID>
>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authentication result from OAuth client authenticator BasicOAuthClientCredAuthenticator is : true
>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PublicClientAuthenticator
>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PublicClientAuthenticator authenticator can handle incoming request.
>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Previously an authenticator is evaluated. Hence authenticator PublicClientAuthenticator is not evaluating
>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator PublicClientAuthenticator can authenticate the client request. Hence trying to evaluate authentication
>> TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - 2 Authenticators were executed previously. Hence failing client authentication
>> TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Setting error to client authentication context : Error code : invalid_request, Error message : The client MUST NOT use more than one authentication method in each
>> TID: [-1234] [] [2019-01-18 02:51:54,184] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID <CLIENT_ID>, User ID null, Scope : [accounts] and Grant Type : client_credentials
>> TID: [-1234] [] [2019-01-18 02:51:54,192] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
>> TID: [-1234] [] [2019-01-18 02:51:54,192] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default Identity OAuth token issuer will be used. No custom token generator is set.
>> TID: [-1234] [] [2019-01-18 02:51:54,315] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Successfully created AppInfoCache under OAuthCacheManager
>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Triggering access token pre issuer listeners for client: <CLIENT_ID>
>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_request client-id=<CLIENT_ID> grant-type=client_credentials scope=accounts
>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Triggering access token post issuer listeners for client: <CLIENT_ID>
>>
>> How can I mitigate this behavior? Disable some of the authenticators? Set
>> priority?
>>
>> Please give your input.
>>
>> Thanks in advance,
>> Kaveen Rodrigo
>>
>> --
>> *Kaveen Rodrigo*
>> Software Engineer | WSO2
>>
>> Email : [email protected]
>> Mobile : +94779684749
>> Web : http://www.wso2.com
>
> --
> Farasath Ahamed
> Senior Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>

--
*Kaveen Rodrigo*
Software Engineer | WSO2

Email : [email protected]
Mobile : +94779684749
Web : http://www.wso2.com
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
