If you need to use Basic Client Authentication + mTLS for authentication,
you need to turn off the basic authenticator. IIRC, clients should not use
more than one method for authentication, as per the specification.

The given request meets two client authenticator criteria: the Basic client
authenticator and the Basic + mTLS client authenticator.

On Fri, Jan 18, 2019 at 4:43 PM Kaveen Rodrigo <[email protected]> wrote:

> Hey Farasath,
>
> I tried it without the client_secret and it works. And then I realized that
> probably the *"Allow authentication without the client secret"* setting is
> causing the problem (we use this as we validate transport-layer
> certificates on the gateway). Now it works :-)
>
> We'll have to take a look at it from our end.
>
> Thanks, Have a nice weekend,
> Kaveen Rodrigo
>
> On Fri, Jan 18, 2019 at 4:17 PM Farasath Ahamed <[email protected]>
> wrote:
>
>> Hi Kaveen,
>>
>> Can you try the same request without sending the client_secret in the
>> request (send only the client_id) ?
>>
>> On Friday, January 18, 2019, Kaveen Rodrigo <[email protected]> wrote:
>>
>>> Hey all,
>>>
>>> I'm having some trouble getting a token with the *client_credentials* grant
>>> and mutual TLS, where it fails with the error message *"The client
>>> MUST NOT use more than one authentication method in each"*. Refer to the
>>> request below:
>>>
>>> curl -k -d "grant_type=client_credentials&scope=accounts&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>" \
>>>      -H "Content-Type: application/x-www-form-urlencoded" \
>>>      --cert cert.crt --key key.key -X POST https://203.94.95.194:8243/token
>>>
>>> I'm using *wso2ob-km 5.7.0 (WSO2 Identity Server 5.7.0)* with OAuth
>>> logs enabled, and I get the following output.
>>>
>>> TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Executing OAuth client authenticators.
>>> TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Retrieving registered OAuth client authenticator list.
>>> TID: [-1234] [] [2019-01-18 02:51:54,112] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PrivateKeyJWTClientAuthenticator
>>> TID: [-1234] [] [2019-01-18 02:51:54,113] DEBUG {org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator} - Authenticate Requested with clientAssertionType : null
>>> TID: [-1234] [] [2019-01-18 02:51:54,114] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PrivateKeyJWTClientAuthenticator authenticator cannot handle this request.
>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : BasicOAuthClientCredAuthenticator
>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Basic auth credentials present as body params. Hence returning true
>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - BasicOAuthClientCredAuthenticator authenticator can handle incoming request.
>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator BasicOAuthClientCredAuthenticator can authenticate the client request. Hence trying to evaluate authentication
>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Authenticating client : <CLIENT_ID> with client secret.
>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : <CLIENT_ID>
>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were added to the cache for client id : <CLIENT_ID>
>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authentication result from OAuth client authenticator BasicOAuthClientCredAuthenticator is : true
>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PublicClientAuthenticator
>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PublicClientAuthenticator authenticator can handle incoming request.
>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Previously an authenticator is evaluated. Hence authenticator PublicClientAuthenticator is not evaluating
>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator PublicClientAuthenticator can authenticate the client request. Hence trying to evaluate authentication
>>> TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - 2 Authenticators were executed previously. Hence failing client authentication
>>> TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Setting error to client authentication context : Error code : invalid_request, Error message : The client MUST NOT use more than one authentication method in each
>>> TID: [-1234] [] [2019-01-18 02:51:54,184] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID <CLIENT_ID>, User ID null, Scope : [accounts] and Grant Type : client_credentials
>>> TID: [-1234] [] [2019-01-18 02:51:54,192]  INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
>>> TID: [-1234] [] [2019-01-18 02:51:54,192]  INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default Identity OAuth token issuer will be used. No custom token generator is set.
>>> TID: [-1234] [] [2019-01-18 02:51:54,315] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Successfully created AppInfoCache under OAuthCacheManager
>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Triggering access token pre issuer listeners for client: <CLIENT_ID>
>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_request client-id=<CLIENT_ID> grant-type=client_credentials scope=accounts
>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Triggering access token post issuer listeners for client: <CLIENT_ID>
>>>
>>> How can I mitigate this behavior? Disable some of the authenticators?
>>> Set priority?
>>> Please give your input.
>>>
>>> Thanks in advance,
>>> Kaveen Rodrigo
>>>
>>> --
>>> *Kaveen Rodrigo*
>>> Software Engineer | WSO2
>>>
>>> Email : [email protected]
>>> Mobile : +94779684749
>>> Web : http://www.wso2.com
>>>
>>
>>
>> --
>> Farasath Ahamed
>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>
> --
> *Kaveen Rodrigo*
> Software Engineer | WSO2
>
> Email : [email protected]
> Mobile : +94779684749
> Web : http://www.wso2.com
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile: +94 771892453
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
