Hi,
I work in a company that a few years ago purchased a license for a production software that is no longer maintained but contains a configuration for Oauth2.
When I enter the configuration parameters and I try to connect to the Keycloak server, I access the connection page and the connection request goes well and I access the token but my service also needs to know the user info at the endpoint user_info.
And that’s when the problems start, impossible for the service to access it, i obtain a BAD REQUEST error 400, and the response body looks like :
{
"error": "invalid_request",
"error_description": "Token not provided"
}
I work in a company that has a few years ago bought a new computer and when I look at the logs of my department, it gives this :
[2021-05-28 10:09:01,325] OAuth2.OAuth2Client: Redirecting to authorization endpoint '{{URL}}/auth/realms/test/protocol/openid-connect/auth?client_id=HybridMailTest&scope=profile+email&redirect_uri=https%3a%2f%2f{{URL}}%2fWebToPrint%2faco%2fHome%2fOAuth2LogInCallback%3freturnUrl%3d%252FWebToPrint%252Faco%26loginUrl%3d%252FWebToPrint%252Faco%252FHome%252FLogIn&response_type=code&state=b7386f22-4566-4c1e-88a2-7327810215ad'
[2021-05-28 10:09:20,964] OAuth2.OAuth2Client: Requesting access token on URL '{{URL}}/auth/realms/test/protocol/openid-connect/token' with query string 'client_id=HybridMailTest&client_secret=dee1e739-d886-4c6d-8b6a-0942151355d6&code=e71d13f3-d2aa-49e9-9492-1910ebaef12d.791750ce-4379-4d5e-8f9d-5230ec58f0f2.83ddaf2f-7047-48d6-bf0d-eec58ecc257e&grant_type=authorization_code&redirect_uri=https%3a%2f%2f{{URL}}%2fWebToPrint%2faco%2fHome%2fOAuth2LogInCallback%3freturnUrl%3d%252FWebToPrint%252Faco%26loginUrl%3d%252FWebToPrint%252Faco%252FHome%252FLogIn'.
[2021-05-28 10:09:21,088] OAuth2.OAuth2Client: Requesting user data on URL '{{URL}}/auth/realms/test/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJDakpYTkpDd2MtMENhQnlhX0txN1kzZ3RwZ3AxaUFLdERfUWM2OGQ1OGpvIn0.eyJleHAiOjE2MjIxODk2NTksImlhdCI6MTYyMjE4OTM1OSwiYXV0aF90aW1lIjoxNjIyMTg5MzU5LCJqdGkiOiJjMDIwNDJkNC03ZmVlLTQ4ZDAtYWM4Yy0wYmM2OTBhMWM3ZDIiLCJpc3MiOiJodHRwczovL3Nzby5wYXJhZ29uLXNvbHV0aW9uLmZyL2F1dGgvcmVhbG1zL3Rlc3QiLCJhdWQiOlsiVGVtcGxhdGVXZWJBcHAiLCJhY2NvdW50Il0sInN1YiI6IjBhNjViZTU2LWQ4NDAtNDcyNy1iMTM2LTllZGU2NTAzYTk2ZiIsInR5cCI6IkJlYXJlciIsImF6cCI6Ikh5YnJpZE1haWxUZXN0Iiwic2Vzc2lvbl9zdGF0ZSI6Ijc5MTc1MGNlLTQzNzktNGQ1ZS04ZjlkLTUyMzBlYzU4ZjBmMiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7IlRlbXBsYXRlV2ViQXBwIjp7InJvbGVzIjpbInVzZXIiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJyb2xlcyI6WyJ1c2VyIl0sInByZWZlcnJlZF91c2VybmFtZSI6InVzZXIifQ.aXVx2TpptD2XoGN1KVw5_N3k1E_uqPb3uBjfpGt_gqPu_v4RuWOR9CngsSuCiyAaJT12GuKtHzeWUNWc6MuOjIGSsaz_6RPzU5kurdcSqiJk8Myr0uKEwTBKR0i4DB3r8_1fJKyCOUjyaKM7dvMGdo-I03FYmJP68Tbg35tTSz0huN4wSE7IYGbVczZKRFf5uVgRQeMdIOWbPKuDLldlUxc-vBRED8Vxvk4uG4lvrWWgEpTVabTffQ4JuSLDNuDzUZCNE3FoL6I8ZfX7njrP9KDqCu75_d3ws1txAcpjC1fX2KJQwNn_P9mWXw_YFFIlHJMj7nzIWZh76rAlyHckHw'.
[2021-05-28 10:09:21,118] Http.HttpCommunicator: Request to https://sso.paragon-solution.fr/auth/realms/test/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJDakpYTkpDd2MtMENhQnlhX0txN1kzZ3RwZ3AxaUFLdERfUWM2OGQ1OGpvIn0.eyJleHAiOjE2MjIxODk2NTksImlhdCI6MTYyMjE4OTM1OSwiYXV0aF90aW1lIjoxNjIyMTg5MzU5LCJqdGkiOiJjMDIwNDJkNC03ZmVlLTQ4ZDAtYWM4Yy0wYmM2OTBhMWM3ZDIiLCJpc3MiOiJodHRwczovL3Nzby5wYXJhZ29uLXNvbHV0aW9uLmZyL2F1dGgvcmVhbG1zL3Rlc3QiLCJhdWQiOlsiVGVtcGxhdGVXZWJBcHAiLCJhY2NvdW50Il0sInN1YiI6IjBhNjViZTU2LWQ4NDAtNDcyNy1iMTM2LTllZGU2NTAzYTk2ZiIsInR5cCI6IkJlYXJlciIsImF6cCI6Ikh5YnJpZE1haWxUZXN0Iiwic2Vzc2lvbl9zdGF0ZSI6Ijc5MTc1MGNlLTQzNzktNGQ1ZS04ZjlkLTUyMzBlYzU4ZjBmMiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7IlRlbXBsYXRlV2ViQXBwIjp7InJvbGVzIjpbInVzZXIiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJyb2xlcyI6WyJ1c2VyIl0sInByZWZlcnJlZF91c2VybmFtZSI6InVzZXIifQ.aXVx2TpptD2XoGN1KVw5_N3k1E_uqPb3uBjfpGt_gqPu_v4RuWOR9CngsSuCiyAaJT12GuKtHzeWUNWc6MuOjIGSsaz_6RPzU5kurdcSqiJk8Myr0uKEwTBKR0i4DB3r8_1fJKyCOUjyaKM7dvMGdo-I03FYmJP68Tbg35tTSz0huN4wSE7IYGbVczZKRFf5uVgRQeMdIOWbPKuDLldlUxc-vBRED8Vxvk4uG4lvrWWgEpTVabTffQ4JuSLDNuDzUZCNE3FoL6I8ZfX7njrP9KDqCu75_d3ws1txAcpjC1fX2KJQwNn_P9mWXw_YFFIlHJMj7nzIWZh76rAlyHckHw ended with error. Status code: BadRequest
[2021-05-28 10:09:21,118] Http.HttpCommunicator: Response body: {"error":"invalid_request","error_description":"Token not provided"}
[2021-05-28 10:09:21,119] Mvc.GingerController: Unhandled exception in controller when requesting '/WebToPrint/aco/Home/OAuth2LogInCallback?returnUrl=%2FWebToPrint%2Faco&loginUrl=%2FWebToPrint%2Faco%2FHome%2FLogIn&state=b7386f22-4566-4c1e-88a2-7327810215ad&code=e71d13f3-d2aa-49e9-9492-1910ebaef12d.791750ce-4379-4d5e-8f9d-5230ec58f0f2.83ddaf2f-7047-48d6-bf0d-eec58ecc257e'
System.Net.WebException: Le serveur distant a retourné une erreur : (400) Demande incorrecte.
à System.Net.HttpWebRequest.GetResponse()
à Gmc.Fido.Web.Controllers.Http.HttpCommunicator.GetResponseStream(HttpWebRequest request, String url)
à Gmc.Fido.Web.Controllers.OAuth2.OAuth2Client.GetUserJsonData(String endpoint, String accessToken)
à Gmc.Fido.Web.Controllers.HomeController.<OAuth2LogInCallback>b__36_0(OAuthConfigurationDto configuration)
à Gmc.Ginger.Web.Mvc.SendQueryResult`1.ExecuteResult(ControllerContext context)
à System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass1c.<InvokeActionResultWithFilters>b__19()
à System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
à System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
à System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
à System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
à System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
[2021-05-28 10:09:21,124] Mvc.GingerApplication: Unexpected error.
Request URL: /WebToPrint/aco/Home/OAuth2LogInCallback?returnUrl=%2FWebToPrint%2Faco&loginUrl=%2FWebToPrint%2Faco%2FHome%2FLogIn&state=b7386f22-4566-4c1e-88a2-7327810215ad&code=e71d13f3-d2aa-49e9-9492-1910ebaef12d.791750ce-4379-4d5e-8f9d-5230ec58f0f2.83ddaf2f-7047-48d6-bf0d-eec58ecc257e
Referrer:
System.Net.WebException: Le serveur distant a retourné une erreur : (400) Demande incorrecte.
à System.Net.HttpWebRequest.GetResponse()
à Gmc.Fido.Web.Controllers.Http.HttpCommunicator.GetResponseStream(HttpWebRequest request, String url)
à Gmc.Fido.Web.Controllers.OAuth2.OAuth2Client.GetUserJsonData(String endpoint, String accessToken)
à Gmc.Fido.Web.Controllers.HomeController.<OAuth2LogInCallback>b__36_0(OAuthConfigurationDto configuration)
à Gmc.Ginger.Web.Mvc.SendQueryResult`1.ExecuteResult(ControllerContext context)
à System.Web.Mvc.ControllerActionInvoker.<>c__DisplayClass1c.<InvokeActionResultWithFilters>b__19()
à System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
à System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
à System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
à System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilter(IResultFilter filter, ResultExecutingContext preContext, Func`1 continuation)
à System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
à System.Web.Mvc.Controller.ExecuteCore()
à System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext)
à System.Web.Mvc.MvcHandler.<>c__DisplayClass6.<>c__DisplayClassb.<BeginProcessRequest>b__5()
à System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass1.<MakeVoidDelegate>b__0()
à System.Web.Mvc.MvcHandler.<>c__DisplayClasse.<EndProcessRequest>b__d()
à System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
à System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
à System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
[2021-05-28 10:09:21,125] WebSite.Global: Unhandled error, HTTP Status 500
It seems that my service sends the token of the request in parameter instead in the header.
Is there a way to make Keycloak detect the token in parameter?
Or any other way to allow my service to connect without compromising security?
Thanks in advance !
-Guieme