Oidcc.create_redirect_url/4 returning "invalid_request" "Authentication failed."

[GPrimola]

oidcc version

3.0

Erlang version

27.1

Elixir version

1.17.3-otp-27

Summary

After creating a realm and a client, I keep getting

{:error,
 {:http_error, 401,
  %{
    "error" => "invalid_request",
    "error_description" => "Authentication failed."
  }}}

when running Oidcc.create_redirect_url(MyApp.OpenIdConfigurationProvider, "test1", client_secret, %{redirect_uri: "http://localhost:8080/oidc/callback"}).

The openid-configuration is being retrieved successfully.

OpenId Provider: Keycloak 22.0.5

Current behavior

Calling Oidcc.create_redirect_url/4 with a valid client yields:

{:error,
 {:http_error, 401,
  %{
    "error" => "invalid_request",
    "error_description" => "Authentication failed."
  }}}

How to reproduce

On Keycloak 22.0.5

1. Create a realm
2. Create a client with:
   • Client Authentication: On
   • Authorization: On
   • Authentication Flow: Standard, Implicit and Direct access grants (all checked)
3. Call Oidcc.create_redirect_url/4 with the client created will yield:

{:error,
 {:http_error, 401,
  %{
    "error" => "invalid_request",
    "error_description" => "Authentication failed."
  }}}

Expected behavior

Calling Oidcc.create_redirect_url/4 with a valid client:

{:ok, redirect_url} = Oidcc.create_redirect_url(MyApp.OpenIdConfigurationProvider, "test1", client_secret, %{redirect_uri: "http://localhost:8080/oidc/callback"})

[maennchen]

@GPrimola Thanks for the report.

Can you please put the full oidcc version into the description? THis makes it simpler to find the issue.

Given the specific error / location, I believe that this is happening when attempting to execute PAR

It looks like Keycloak is responding with 401 on that PAR request. That hints, that you have either provided the wrong credentials or configured something else wrong in Keycloak / oidcc.

oidcc supports the following auth methods for requests to the provider (ordered by priority):

• private_key_jwt - you would have to configure this, so not relevant here
• tls_client_auth - you would have to configure this, so not relevant here
• client_secret_jwt - depends on the provided client credentials; most likely used
• client_secret_post - depends on the provided client credentials
• client_secret_basic - depends on the provided client credentials
• none - If nothing else is available

If the error was a different 4XX error like Bad Reuest (400), it would be likely that this is a bug. A 401 however hints at a configuration error like an invalid client secret.

One issue I've seen with multiple identity providers is incorrect encoding of the client secret. Can you check if your secret contains special characters like / or spaces?