
Comments (8)

thomasbach-dk avatar thomasbach-dk commented on August 16, 2024 2

It works disabling PAR by setting DisablePushedAuthorization to true.

And you are right - we're running Keycloak version 22.0.5 and will look into an update.

Thanks for the rapid response @josephdecock

from identitymodel.oidcclient.

Euclidite avatar Euclidite commented on August 16, 2024 1

I'm seeing the same issue on my end - with v5.2.1 I was able to successfully kick off authentication with Okta, and now with v6.0.0 LoginAsync throws the error Unauthorized - Failed to push authorization parameters


josephdecock avatar josephdecock commented on August 16, 2024 1

@Euclidite - you can actually add additional base URLs as valid for the other endpoints in the discovery policy.


josephdecock avatar josephdecock commented on August 16, 2024

Hi folks - new in v6 we added support for pushed authorization, and we enable it by default when discovery indicates that it is supported by the identity provider. You can disable pushed authorization with the DisablePushedAuthorization flag on OidcClientOptions. We need to do some more investigating to understand why pushed authorization is failing, but as a first step, can you try flipping that flag please?


josephdecock avatar josephdecock commented on August 16, 2024

Oh, and I should say that no, the default grant type didn't change. It looks like the error in both cases is the same. @Euclidite - is your client a public client too (we can see that @thomasbach-dk's client is, because there is no client authentication (no secret or assertion))?


josephdecock avatar josephdecock commented on August 16, 2024

@thomasbach-dk - I'm looking at keycloak/keycloak#8939 and apparently older builds of Keycloak didn't allow public clients to use PAR, but newer builds do. Check to see what version of Keycloak you're using - if you're pre 23.0.0 then either update it or disable PAR in the IdentityModel options.


josephdecock avatar josephdecock commented on August 16, 2024

@Euclidite - do you know if Okta prevents public clients from pushing authorization?


Euclidite avatar Euclidite commented on August 16, 2024

Thanks for the quick response @josephdecock! I tested with PAR disabled and the request worked:

var options = new OidcClientOptions
{
    Authority = "https://dev-123456.okta.com/oauth2/default",
    ClientId = clientId,
    Scope = "openid profile offline_access",
    RedirectUri = "http://127.0.0.1/okta-sign-in-success",
    Browser = authWindow,
    DisablePushedAuthorization = true,
    Policy = new Policy
    {
        RequireIdentityTokenSignature = false,
        Discovery = new DiscoveryPolicy
        {
            // https://devforum.okta.com/t/error-loading-discovery-document-endpoint-belongs-to-different-authority/6582
            EndpointValidationExcludeList = ["registration_endpoint"]
        }
    }
};

As for Okta & PAR - it looks like it supports it, but my feeling is that because of how Okta expects URLs to be built (https://developer.okta.com/docs/reference/api/oidc/#par) this may not work out of the box - it's the same reason I had to exclude validation of the registration endpoint - it looks like Okta responds with just the base URL and the client throws an error Message = "Error loading discovery document: Invalid base address for endpoint https://dev-123456.okta.com/oauth2/v1/clients. Valid base addresses: https://dev-123456.okta.com/oauth2/default.".

For context, in Okta I'm using a custom authorization within my Okta domain to allow creation of custom claims for my application.

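Added example, not code from any participant in this thread or from the IdentityModel project: one way to apply the suggestion above of adding extra valid base URLs to the discovery policy, so endpoint validation stays on instead of excluding `registration_endpoint`, with pushed authorization attempted first and disabled only after the identity provider rejects it. The class and method names are hypothetical, the tenant URLs are the placeholder values quoted in the thread, and matching on the error text reported in the thread is an assumption about how the failure surfaces in `LoginResult`.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel.Client;              // DiscoveryPolicy
using IdentityModel.OidcClient;          // OidcClient, OidcClientOptions, Policy, LoginRequest
using IdentityModel.OidcClient.Browser;  // IBrowser

public static class OktaLoginExample     // hypothetical helper class
{
    // Builds options for the placeholder Okta tenant used in the thread.
    public static OidcClientOptions BuildOptions(string clientId, IBrowser browser, bool disablePar) =>
        new OidcClientOptions
        {
            Authority = "https://dev-123456.okta.com/oauth2/default",
            ClientId = clientId,
            Scope = "openid profile offline_access",
            RedirectUri = "http://127.0.0.1/okta-sign-in-success",
            Browser = browser,
            DisablePushedAuthorization = disablePar,
            Policy = new Policy
            {
                // Identity token signature validation is left at its default.
                Discovery = new DiscoveryPolicy
                {
                    // Accept the org-level base address as valid; every endpoint is still validated.
                    AdditionalEndpointBaseAddresses = ["https://dev-123456.okta.com/oauth2/v1"]
                }
            }
        };

    public static async Task<LoginResult> LoginAsync(string clientId, IBrowser browser)
    {
        var result = await new OidcClient(BuildOptions(clientId, browser, disablePar: false))
            .LoginAsync(new LoginRequest());

        // Assumption: the failure is reported through Error/ErrorDescription with the text seen in the thread.
        var message = $"{result.Error} {result.ErrorDescription}";
        if (result.IsError && message.Contains("Failed to push authorization parameters"))
        {
            // Log the downgrade so a provider that stops accepting PAR is noticed.
            Console.Error.WriteLine($"PAR rejected ({message.Trim()}); retrying without PAR.");
            result = await new OidcClient(BuildOptions(clientId, browser, disablePar: true))
                .LoginAsync(new LoginRequest());
        }
        return result;
    }
}
```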
