Invalid identity: NotAuthenticated using Authorisation Code Grant

[TimoKramer]

Hi,

I tried to understand how I need to authenticate to /oauth2/authorise on Kanidm. Here is some logging regarding the request:

Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 INFO     handle_request [ 269µs | 0.00% / 100.00% ]
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 INFO     ┕━ request [ 269µs |
8.60% / 100.00% ] method: POST | uri: /oauth2/authorise | version: HTTP/1.1
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 DEBUG       ┝━ 🐛 [debug]: started processing request
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 DEBUG       ┝━ kopid_middleware [ 245µs | 57.47% / 91.40% ]
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 DEBUG       │  ┝━ from_request_parts [ 3.90µs | 1.45% ] parts: Parts { method: POST, uri: /oauth2/authorise, version: HTTP/1.1, headers: {"host": "<REDACTED>", "user-agent": "Java-http-client/21.0.2", "content-length": "554", "accept": "application/json", "accept-encoding": "gzip, deflate", "content-type": "application/json", "x-forwarded-for": "91.65.28.207", "x-forwarded-host": "<REDACTED>", "x-forwarded-port": "443", "x-forwarded-proto": "https", "x-forwarded-server": "cccbbdfd5344", "x-real-ip": "91.65.28.207"} }
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 DEBUG       │  ┕━ oauth2_authorise_post [ 87.2µs | 3.87% / 32.48% ] client_auth_info: ClientAuthInfo { source: Https(::ffff:172.18.0.2), client_cert: None, bearer_token: None } | auth_req: AuthorisationRequest { response_type: "code", client_id:
"portal", state: "aMAoGgH9czBe", pkce_request: None, redirect_uri: Url { scheme: "https", cannot_be_a_base:
false, username: "", password: None, host: Some(Domain("ynbncwxeik3zx4o6.l.tunwg.com")), port: None, path: "/redirect", query: None, fragment: None }, scope: "access", nonce: None, oidc_ext: AuthorisationRequestOidc
{ display: None, prompt: None, max_age: None, ui_locales: None, claims_locales: None, id_token_hint: None, login_hint: None, acr: None }, unknown_keys: {"code": String("gAAAAABl8CPu7KL2-SVSC21AmRM3oLLucHzs7-MDSB7ps_UXsFnf8-upGR24acTUVTLiy9JAoKlG0OMKuU2_m9Y1AheYbHfhzllvgFRPg56vSMBK6geCzu3MzOvikQhcFz6bQ_gnBAN8r_T0Zk44nBMVmSRdIT2yJELHxbwWPS6OPyoKThT2eGz3t3z8RzYZqMCHtrQkZiruta5K-QYu0w6vUtiAIIFppxrzoNM0CQdlpUYvKJ6bMWuh7yqlFnI8VOpvs3yVi2P28TRfBLTAy81SRgI69XmNShK26_fuWkEsiGt2gE1NQW4VZqApKUooEg7Yg5bG-DzC32qM_Sph5OkvU7x76jQDIplCDWEesBWsWNpecJKpJzfQPnKtR8oT6R6s4GJOH9xx")} }
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 INFO        │     ┕━ handle_oauth2_authorise [ 76.8µs | 12.44% / 28.60% ]
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 DEBUG       │        ┝━ proxy_read [ 28.7µs | 10.69% ]
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 INFO        │        ┝━ validate_client_auth_info_to_ident [ 14.7µs | 5.47% ]
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 WARN        │        │  ┕━ 🚧
[warn]: No client certificate or bearer tokens were supplied
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 ERROR       │        ┕━ 🚨 [error]: Invalid identity: NotAuthenticated | event_tag_id: 1
Mar 12 09:44:15 auth-dev docker[189554]: e9851f09-97cf-4139-bf3c-801afc5457f6 WARN        ┕━ 🚧 [warn]:  | latency: 925.418µs | status_code: 401 | kopid: "e9851f09-97cf-4139-bf3c-801afc5457f6" | msg: "client error"

As I am understanding I am in the step that RFC6749 calls "Access Token Request".
I do not want to use OIDC just oauth2 and currently I disabled pkce but will take care of that next. I am seeing that it says unknown_keys: "code", but the RFC says this is required. Why does the /oauth2/authorise-endpoint require json body and not form-urlencoded like in the RFC?

What am I doing wrong? How do I authenticate with the /oauth2/authorise-endpoint? Where can I find documentation on that endpoint?

[Firstyear]

The oauth2 rfc is generally very confusing.

The /oauth2/authorise endpoint corresponds to https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 which allows query components and a separate rfc allows posting with json.

However https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3 corresponds to /oauth2/token which accepts the form encoded post per the rfc.

So we need to see more about how your flow is currently working.

[TimoKramer]

I will try to follow the section 4.1.3 that you linked tomorrow morning. I will try to dump the requests that are incoming and outgoing here. What else would you need?

[Firstyear]

What is your code doing? Like what order are you actually calling the api end points in and from where?

[TimoKramer]

/oauth2/token is exactly what I needed. Thank you!

[Firstyear]

For future reference, all the api end points are documented here https://kanidm.github.io/kanidm/stable/integrations/oauth2.html