Hey all,
I'm having some trouble getting a token with the client_credentials grant and
mutual TLS, where it fails with the error message "The client MUST NOT
use more than one authentication method in each". Refer to the request below:
curl -k -d "grant_type=client_credentials&scope=accounts&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --cert cert.crt --key key.key -X POST https://203.94.95.194:8243/token
I'm using wso2ob-km 5.7.0 (WSO2 Identity Server 5.7.0) with OAuth logs
enabled, and I get the following output.
TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Executing OAuth client authenticators.
TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Retrieving registered OAuth client authenticator list.
TID: [-1234] [] [2019-01-18 02:51:54,112] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Evaluating canAuthenticate of authenticator :
PrivateKeyJWTClientAuthenticator
TID: [-1234] [] [2019-01-18 02:51:54,113] DEBUG
{org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator}
- Authenticate Requested with clientAssertionType : null
TID: [-1234] [] [2019-01-18 02:51:54,114] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- PrivateKeyJWTClientAuthenticator authenticator cannot handle this
request.
TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Evaluating canAuthenticate of authenticator :
BasicOAuthClientCredAuthenticator
TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator}
- Basic auth credentials present as body params. Hence returning true
TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- BasicOAuthClientCredAuthenticator authenticator can handle incoming
request.
TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Authenticator BasicOAuthClientCredAuthenticator can authenticate
the client request. Hence trying to evaluate authentication
TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator}
- Authenticating client : <CLIENT_ID>with client secret.
TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG
{org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client
credentials were fetched from the database.
TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG
{org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully
authenticated the client with client id : <CLIENT_ID>
TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG
{org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client
credentials were added to the cache for client id : <CLIENT_ID>
TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Authentication result from OAuth client authenticator
BasicOAuthClientCredAuthenticator is : true
TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Evaluating canAuthenticate of authenticator :
PublicClientAuthenticator
TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- PublicClientAuthenticator authenticator can handle incoming
request.
TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Previously an authenticator is evaluated. Hence authenticator
PublicClientAuthenticator is not evaluating
TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Authenticator PublicClientAuthenticator can authenticate the client
request. Hence trying to evaluate authentication
TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- 2 Authenticators were executed previously. Hence failing client
authentication
TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG
{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}
- Setting error to client authentication context : Error code :
invalid_request, Error message : The client MUST NOT use more than one
authentication method in each
TID: [-1234] [] [2019-01-18 02:51:54,184] DEBUG
{org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token
request received for Client ID <CLIENT_ID>, User ID null, Scope :
[accounts] and Grant Type : client_credentials
TID: [-1234] [] [2019-01-18 02:51:54,192] INFO
{org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} -
The default OAuth token issuer will be used. No custom token generator
is set.
TID: [-1234] [] [2019-01-18 02:51:54,192] INFO
{org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} -
The default Identity OAuth token issuer will be used. No custom token
generator is set.
TID: [-1234] [] [2019-01-18 02:51:54,315] DEBUG
{org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -
Successfully created AppInfoCache under OAuthCacheManager
TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG
{org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -
Triggering access token pre issuer listeners for client: <CLIENT_ID>
TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG
{org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -
OAuth-Error-Code=invalid_request
client-id=<CLIENT_ID>grant-type=client_credentials scope=accounts
TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG
{org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -
Triggering access token post issuer listeners for client: <CLIENT_ID>
How can I mitigate this behavior? Disable some of the authenticators? Set
priority?
Please give your input,
Thanks in advance,
Kaveen Rodrigo
--
Kaveen Rodrigo
Software Engineer | WS02
Email : [email protected]
Mobile : +94779684749
Web : http://www.wso2.com
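A small triage helper for the debug output in the message above, as an added example that is not part of the original post or WSO2's code: it re-joins the wrapped log entries and lists which client authenticators declined or claimed the token request, flagging the case where more than one claimed it. The sample input is abridged from the log in the post with logger names shortened, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the debug log in the post (logger names
# shortened), wrapped the way the mail client wrapped the original.
SAMPLE = """\
TID: [-1234] [] [2019-01-18 02:51:54,112] DEBUG {OAuthClientAuthnService}
- Evaluating canAuthenticate of authenticator :
PrivateKeyJWTClientAuthenticator
TID: [-1234] [] [2019-01-18 02:51:54,114] DEBUG {OAuthClientAuthnService}
- PrivateKeyJWTClientAuthenticator authenticator cannot handle this
request.
TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {OAuthClientAuthnService}
- BasicOAuthClientCredAuthenticator authenticator can handle incoming request.
TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {OAuthClientAuthnService}
- PublicClientAuthenticator authenticator can handle incoming request.
TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {OAuthClientAuthnService}
- Setting error to client authentication context : Error code :
invalid_request, Error message : The client MUST NOT use more than one
authentication method in each
"""

ENTRY_START = re.compile(r"\*?TID: ")  # tolerate a stray '*' left by mail bold markup
DECLINED = re.compile(r"(\w+) authenticator cannot handle this request")
CLAIMED = re.compile(r"(\w+) authenticator can handle incoming request")
ERROR = re.compile(r"Error code : (\w+), Error message : (.+)")


def entries(raw):
    """Re-join wrapped lines so that each log entry is one string."""
    flat = " ".join(line.strip() for line in raw.splitlines())
    return [e.strip() for e in ENTRY_START.split(flat) if e.strip()]


def summarize(raw):
    """List authenticators that declined or claimed the request, plus any error set."""
    out = {"declined": [], "claimed": [], "error": None}
    for entry in entries(raw):
        if m := DECLINED.search(entry):
            out["declined"].append(m.group(1))
        elif m := CLAIMED.search(entry):
            out["claimed"].append(m.group(1))
        elif m := ERROR.search(entry):
            out["error"] = (m.group(1), m.group(2))
    out["conflict"] = len(out["claimed"]) > 1  # more than one method matched the request
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
```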