
I'm pretty new to implementing authentication/authorization in my applications, so I might be missing something obvious here.

I am using Angular and oidc-client.js to communicate with my STS (IdentityServer4), and I'm setting up my Angular app to log in through the Identity server, then redirect back to my client website. However, I am stuck on how to send the client secret defined in my IS4 server from the client when trying to log in. I am getting an error including the following log output:

"Name": "Client Authentication Failure", "EventType": "Failure", "Id": 1011, "Message": "Invalid client secret"

I am defining my UserManager as follows:

import { UserManager } from 'oidc-client';

// Class name is assumed; the question shows only the constructor.
export class AuthService {
  private userManager: UserManager;

  constructor() {
    const stsSettings = {
      authority: Constants.stsAuthority,
      client_id: Constants.clientId,
      redirect_uri: `${Constants.clientRoot}signin-callback`,
      scope: 'openid profile myApi',
      response_type: 'code',
      post_logout_redirect_uri: `${Constants.clientRoot}signout-callback`
    };
    this.userManager = new UserManager(stsSettings);
  }
}

According to the documentation here, there is no configuration for adding a client secret. Am I missing something here?

My Client is defined as follows in IdentityServer:

new Client
{
    ClientId = "interactive",
    ClientSecrets = { new Secret("secret".Sha256()) },

    AllowedGrantTypes = GrantTypes.Code,

    RedirectUris = { "https://localhost:44300/signin-oidc" , "https://localhost:5001/signin-callback"},
    FrontChannelLogoutUri = "https://localhost:44300/signout-oidc",
    PostLogoutRedirectUris = { "https://localhost:44300/signout-callback-oidc", "https://localhost:5001/signout-callback" },

    AllowOfflineAccess = true,
    AllowedScopes = { "openid", "profile", "myApi" }
}

EDIT

I have tried passing the sha256 of "secret" (2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b) in Angular both through the variable client_secret: 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b and as a member of extraQueryParams: { client_secret: "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b" }. Neither of these scenarios is working for me.

DJBrunelle
  • Is your IDP client configured correctly to have implicit flow? Are you able to redirect to the IDP page? I think that is the issue. Remove the configuration of `ClientSecrets = { new Secret("secret".Sha256()) },`. For more details, have a look here: https://www.scottbrady91.com/Angular/Migrating-oidc-client-js-to-use-the-OpenID-Connect-Authorization-Code-Flow-and-PKCE – Sohan Jan 20 '21 at 10:19

1 Answer

-1

I believe that so far your configuration is correct, but you missed passing the client_secret parameter.

import { UserManager } from 'oidc-client';

// Class name is assumed; the answer shows only the constructor.
export class AuthService {
  private userManager: UserManager;

  constructor() {
    const stsSettings = {
      authority: Constants.stsAuthority,
      client_id: Constants.clientId,
      client_secret: 'Your Secret',
      redirect_uri: `${Constants.clientRoot}signin-callback`,
      scope: 'openid profile myApi',
      response_type: 'code',
      post_logout_redirect_uri: `${Constants.clientRoot}signout-callback`
    };
    this.userManager = new UserManager(stsSettings);
  }
}

Note: Please keep in mind that you need to pass the client_secret parameter's value as a hashed secret (don't pass the plain-text secret, otherwise it will fail); you can find the hashed value in your ID4 database.

Mahesh More
  • I've attempted adding that parameter, however no luck. It's also not defined anywhere in the documentation which is part of what's confusing me. I've edited my question a bit with more information at the end. – DJBrunelle Jan 19 '21 at 18:38