#8798 OIDC login against id.fedoraproject.org fails with "client authentication error"
Closed: Fixed 3 years ago by cverna. Opened 3 years ago by mkosek.

Describe what you would like us to do:

Fedora users authenticating to the FreeIPA.org wiki (see "Log In" at the bottom) have recently become unable to authenticate to the site.

OpenID Connect plugin reports:

Jumbojett\OpenIDConnectClientException: client authentication error in /opt/app-root/src/php/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:255
Stack trace:
#0 /opt/app-root/src/php/extensions/OpenIDConnect/src/OpenIDConnect.php(152): Jumbojett\OpenIDConnectClient->authenticate()
#1 /opt/app-root/src/php/extensions/PluggableAuth/PluggableAuthLogin.php(48): OpenIDConnect->authenticate(NULL, NULL, NULL, NULL, NULL)
#2 /opt/app-root/src/php/includes/specialpage/SpecialPage.php(565): PluggableAuthLogin->execute(NULL)
#3 /opt/app-root/src/php/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)
#4 /opt/app-root/src/php/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Object(Title), Object(RequestContext))
#5 /opt/app-root/src/php/includes/MediaWiki.php(861): MediaWiki->performRequest()
#6 /opt/app-root/src/php/includes/MediaWiki.php(524): MediaWiki->main()
#7 /opt/app-root/src/php/index.php(42): MediaWiki->run()
#8 {main}

I assume that either the OIDC_CLIENT_SECRET or OIDC_CLIENT_ID security settings for the FreeIPA.org wiki are no longer valid, or there is some other problem at Ipsilon side.

When do you need this to be done by? (YYYY/MM/DD)

The sooner the better (given that authentication is broken)...


I don't think anything should have changed on our side. There is a known failure where fas chokes sending info to ipsilon, so things are 'incomplete'. This can usually be fixed by clearing cookies.

Could you try that?

Metadata Update from @cverna:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, medium-trouble

3 years ago

Thanks for suggestion, but I did try that - no luck.
The reported error is retrieved by the OIDC library from JSON coming from Ipsilon. Any chance there is some debug log available on the Ipsilon side that could give more details on what "client authentication" means?

If this is about expired or wrong Client ID and Secret, I am fine changing them, if you send me new ones (my PGP public key is uploaded in FAS).

So I see in the logs for example:

[Thu Apr 02 23:40:05.671680 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] [02/Apr/2020:23:40:05]  DEBUG(providers/openidc/api.py:147 Token._authenticate_client()): openidc: Trying to authenticate client
[Thu Apr 02 23:40:05.672984 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] [02/Apr/2020:23:40:05]  DEBUG(providers/openidc/api.py:149 Token._authenticate_client()): openidc: Authorization header found
[Thu Apr 02 23:40:05.674117 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] [02/Apr/2020:23:40:05]  DEBUG(providers/openidc/api.py:152 Token._authenticate_client()): openidc: Authorization header is basic
[Thu Apr 02 23:40:05.675335 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] [02/Apr/2020:23:40:05]  DEBUG(providers/openidc/api.py:161 Token._authenticate_client()): openidc: Client ID: b'freeipawiki'
[Thu Apr 02 23:40:05.677013 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] [02/Apr/2020:23:40:05]  DEBUG(providers/openidc/api.py:105 Token._handle_client_authentication()): openidc: Trying client auth for b'freeipawiki' with method client_secret_basic
[Thu Apr 02 23:40:05.680350 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] [02/Apr/2020:23:40:05]  DEBUG(ipsilon/util/data.py:392 FileQuery.select()): SELECT(client, {'name': 'freeipawiki'}, None) -> [['freeipawiki', 'client_id', 'null'], ['freeipawiki', 'client_secret', '"I removed this - kevin"'], ['freeipawiki', 'client_name', '"FreeIPA.org wiki"'], ['freeipawiki', 'redirect_uris', '["https://www.freeipa.org/page/Special:PluggableAuthLogin"]'], ['freeipawiki', 'application_type', '"web"'], ['freeipawiki', 'client_uri', '"https://www.freeipa.org/"'], ['freeipawiki', 'contacts', '["mkosek@redhat.com"]'], ['freeipawiki', 'logo_uri', '"https://www.freeipa.org/images/freeipa/freeipa-logo-small.png"'], ['freeipawiki', 'policy_uri', '"https://www.freeipa.org/page/FreeIPA:Privacy_policy"'], ['freeipawiki', 'tos_uri', '"https://www.freeipa.org/page/FreeIPA:About"'], ['freeipawiki', 'jwks_uri', 'null'], ['freeipawiki', 'jwks', 'null'], ['freeipawiki', 'sector_identifier_uri', 'null'], ['freeipawiki', 'subject_type', '"public"'], ['freeipawiki', 'response_types', '"code"'], ['freeipawiki', 'grant_types', '"authorization_code"'], ['freeipawiki', 'request_uris', '[]'], ['freeipawiki', 'require_auth_time', 'null'], ['freeipawiki', 'token_endpoint_auth_method', '"client_secret_post"'], ['freeipawiki', 'id_token_signed_response_alg', '"RS256"'], ['freeipawiki', 'request_object_signing_alg', '"none"'], ['freeipawiki', 'initiate_login_uri', 'null'], ['freeipawiki', 'default_max_age', 'null'], ['freeipawiki', 'default_acr_values', 'null'], ['freeipawiki', 'client_secret_expires_at', '0'], ['freeipawiki', 'ipsilon_internal', '{"type":"static","client_id":"freeipawiki","trusted":false}']]
[Thu Apr 02 23:40:05.680649 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] [02/Apr/2020:23:40:05]  ERROR: Client authentication with invalid auth method: client_secret_basic
[Thu Apr 02 23:40:05.682458 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] [02/Apr/2020:23:40:05]  DEBUG(providers/openidc/api.py:19 APIError.__init__()): OpenIDC API error: invalid_client, desc: client authentication error
[Thu Apr 02 23:40:05.691871 2020] [wsgi:error] [pid 217:tid 140300888078080] [remote 10.131.0.1:38466] 3.219.28.197 - - [02/Apr/2020:23:40:05] "POST /openidc/Token HTTP/1.1" 400 513 "" ""

I don't think clientid/secret expire and we haven't changed anything on our end. Has anything changed with the wiki there?

I did update OIDC plugin on the site, but that was after the failures started - in a hope that the plugin may have just been outdated.

Looking in the logs (and Ipsilon source code and Wiki OIDC plugin source code), here is what we could try - can you please try to switch the authentication method (token_endpoint_auth_method) for FreeIPA.org wiki from client_secret_post to client_secret_basic? I am not sure if that is possible, but basic authentication is what the client is sending.

Ipsilon was apparently able to parse that (Client ID: b'freeipawiki'), but authentication was later interrupted when checking the authentication method of the client in the database.
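The mismatch diagnosed in the thread, as an added example that is not Ipsilon's or the MediaWiki OpenID Connect plugin's code: a token endpoint that accepts either client_secret_basic (credentials in an HTTP Basic Authorization header, RFC 6749 section 2.3.1) or client_secret_post (client_id and client_secret in the form body), enforces the per-client registered token_endpoint_auth_method the way the log shows, and answers invalid_client / "client authentication error" on a mismatch. It goes slightly beyond the thread by also rejecting a request that uses both methods at once. The client registry, the secret value, the authorization code and the request builders are all constructed for this example.

```python
"""Token-endpoint client authentication modelled on the check seen in the Ipsilon log.

Added illustration only: not Ipsilon's or the wiki plugin's code. Registry contents,
the secret and the request values below are constructed for the example.
"""
import base64
import hmac
from urllib.parse import unquote

# Constructed registry mirroring the fields visible in the log excerpt (secret is made up).
CLIENTS = {
    "freeipawiki": {
        "client_secret": "example-secret-not-the-real-one",
        "token_endpoint_auth_method": "client_secret_post",
    },
}

# The error body the wiki plugin surfaced as "client authentication error".
INVALID_CLIENT = {"error": "invalid_client",
                  "error_description": "client authentication error"}


def _parse_basic(header):
    """Return (client_id, secret) from an HTTP Basic Authorization header, or None.

    RFC 6749 section 2.3.1 form-urlencodes both halves before base64, hence unquote()."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return unquote(user), unquote(password)


def extract_credentials(headers, form):
    """Determine which auth method the client used. Returns (method, client_id, secret)."""
    auth = headers.get("Authorization")
    in_body = "client_id" in form and "client_secret" in form
    if auth is not None and in_body:
        return None, None, None        # two methods at once is not allowed
    if auth is not None:
        parsed = _parse_basic(auth)
        if parsed is None:
            return None, None, None
        return "client_secret_basic", parsed[0], parsed[1]
    if in_body:
        return "client_secret_post", form["client_id"], form["client_secret"]
    return None, None, None


def authenticate_client(headers, form, registry=CLIENTS):
    """Authenticate a token request. Returns (client_id, None) or (None, error_body)."""
    method, client_id, secret = extract_credentials(headers, form)
    if method is None or client_id not in registry:
        return None, INVALID_CLIENT
    client = registry[client_id]
    # The check the wiki tripped over: the method actually used must equal the one
    # registered for the client, and this is decided before the secret is even compared.
    if client["token_endpoint_auth_method"] != method:
        return None, INVALID_CLIENT
    if not hmac.compare_digest(client["client_secret"].encode(), secret.encode()):
        return None, INVALID_CLIENT
    return client_id, None


def basic_request(client_id, secret):
    """Request as sent by a client_secret_basic client (what the wiki plugin sent)."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return ({"Authorization": f"Basic {token}"},
            {"grant_type": "authorization_code", "code": "constructed-code"})


def post_request(client_id, secret):
    """Request as sent by a client_secret_post client."""
    return ({},
            {"grant_type": "authorization_code", "code": "constructed-code",
             "client_id": client_id, "client_secret": secret})


if __name__ == "__main__":
    secret = CLIENTS["freeipawiki"]["client_secret"]
    print("basic vs registered post:", authenticate_client(*basic_request("freeipawiki", secret)))
    fixed = {"freeipawiki": dict(CLIENTS["freeipawiki"],
                                 token_endpoint_auth_method="client_secret_basic")}
    print("basic vs registered basic:", authenticate_client(*basic_request("freeipawiki", secret),
                                                            registry=fixed))
```

Either side can resolve the mismatch: change the registered token_endpoint_auth_method to what the client sends (the fix applied in this ticket), or configure the client to use the registered method. The server-side check is worth keeping as is, since letting a client pick any method at runtime widens the attack surface on the secret.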

ok. I changed that, can you try again now?

The login now worked for me, thank you!

I still wonder what has changed on either of our sides, but seeing the Ipsilon log helped to narrow down the root cause.

Metadata Update from @cverna:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
