Hi Kaveen,

Can you try the same request without sending the client_secret in the request (send only the client_id)?

On Friday, January 18, 2019, Kaveen Rodrigo <[email protected]> wrote:

> Hey all,
>
> I'm having some trouble getting a token with *client_credentials* grant
> and mutual TLS where it fails with the error message *"The client MUST
> NOT use more than one authentication method in each"*, refer to the request below:
>
> curl -k -d "grant_type=client_credentials&scope=accounts&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>" \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   --cert cert.crt --key key.key -X POST https://203.94.95.194:8243/token
>
> I'm using *wso2ob-km 5.7.0 (WSO2 Identity Server 5.7.0)* with OAuth logs
> enabled, and I get the following output.
>
> TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Executing OAuth client authenticators.
> TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Retrieving registered OAuth client authenticator list.
> TID: [-1234] [] [2019-01-18 02:51:54,112] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PrivateKeyJWTClientAuthenticator
> TID: [-1234] [] [2019-01-18 02:51:54,113] DEBUG {org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator} - Authenticate Requested with clientAssertionType : null
> *TID: [-1234] [] [2019-01-18 02:51:54,114] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PrivateKeyJWTClientAuthenticator authenticator cannot handle this request.*
> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : BasicOAuthClientCredAuthenticator
> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Basic auth credentials present as body params. Hence returning true
> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - BasicOAuthClientCredAuthenticator authenticator can handle incoming request.
> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator BasicOAuthClientCredAuthenticator can authenticate the client request. Hence trying to evaluate authentication
> *TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Authenticating client : <CLIENT_ID>with client secret.*
> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
> *TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : <CLIENT_ID>*
> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were added to the cache for client id : <CLIENT_ID>
> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authentication result from OAuth client authenticator BasicOAuthClientCredAuthenticator is : true
> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PublicClientAuthenticator
> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PublicClientAuthenticator authenticator can handle incoming request.
> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Previously an authenticator is evaluated. Hence authenticator PublicClientAuthenticator is not evaluating
> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator PublicClientAuthenticator can authenticate the client request. Hence trying to evaluate authentication
> *TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - 2 Authenticators were executed previously. Hence failing client authentication*
> *TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Setting error to client authentication context : Error code : invalid_request, Error message : The client MUST NOT use more than one authentication method in each*
> TID: [-1234] [] [2019-01-18 02:51:54,184] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID <CLIENT_ID>, User ID null, Scope : [accounts] and Grant Type : client_credentials
> TID: [-1234] [] [2019-01-18 02:51:54,192] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
> TID: [-1234] [] [2019-01-18 02:51:54,192] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default Identity OAuth token issuer will be used. No custom token generator is set.
> TID: [-1234] [] [2019-01-18 02:51:54,315] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Successfully created AppInfoCache under OAuthCacheManager
> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Triggering access token pre issuer listeners for client: <CLIENT_ID>
> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_request client-id=<CLIENT_ID>grant-type=client_credentials scope=accounts
> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Triggering access token post issuer listeners for client: <CLIENT_ID>
>
> How can I mitigate this behavior? Disable some of the authenticators? Set
> priority?
> Please give your input,
>
> Thanks in advance,
> Kaveen Rodrigo
>
> --
> Kaveen Rodrigo
> Software Engineer | WSO2
>
> Email : [email protected]
> Mobile : +94779684749
> Web : http://www.wso2.com

--
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
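Added example, not part of the thread and not WSO2 code: a Python triage helper that reads OAuthClientAuthnService debug entries like those quoted above and lists which client authenticators claimed the token request, the condition the log reports just before the invalid_request error. The sample entries are copied from the quoted log; `analyze` and the report keys are names chosen here.

```python
import re

# Entries copied from the debug log quoted in the thread, one per line.
SVC = "{org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService}"
SAMPLE_LOG = "\n".join(
    f"TID: [-1234] [] [2019-01-18 02:51:54,{ms}] DEBUG {SVC} - {msg}"
    for ms, msg in [
        ("112", "Evaluating canAuthenticate of authenticator : PrivateKeyJWTClientAuthenticator"),
        ("114", "PrivateKeyJWTClientAuthenticator authenticator cannot handle this request."),
        ("115", "BasicOAuthClientCredAuthenticator authenticator can handle incoming request."),
        ("139", "Authentication result from OAuth client authenticator "
                "BasicOAuthClientCredAuthenticator is : true"),
        ("160", "PublicClientAuthenticator authenticator can handle incoming request."),
        ("161", "2 Authenticators were executed previously. Hence failing client authentication"),
        ("161", "Setting error to client authentication context : Error code : invalid_request, "
                "Error message : The client MUST NOT use more than one authentication method in each"),
    ]
)

ENTRY = re.compile(r"^TID: \[[^\]]*\] \[[^\]]*\] \[(?P<ts>[^\]]+)\] +(?P<level>\w+) +"
                   r"\{(?P<logger>[^}]+)\} +- +(?P<msg>.*)$")
CAN = re.compile(r"^(\w+) authenticator can handle incoming request")
CANNOT = re.compile(r"^(\w+) authenticator cannot handle this request")
ERROR = re.compile(r"Error code : (\w+), Error message : (.*)$")

def analyze(log_text):
    """Summarise which client authenticators claimed a token request."""
    report = {"claimed": [], "declined": [], "error": None}
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        # Only the authenticator-selection service is of interest here.
        if not entry or not entry["logger"].endswith("OAuthClientAuthnService"):
            continue
        msg = entry["msg"]
        if (m := CAN.match(msg)):
            report["claimed"].append(m[1])
        elif (m := CANNOT.match(msg)):
            report["declined"].append(m[1])
        elif (m := ERROR.search(msg)):
            report["error"] = (m[1], m[2].strip())
    # More than one claiming authenticator precedes the rejection in the log.
    report["multiple_methods"] = len(report["claimed"]) > 1
    return report

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full debug log, the `claimed` list shows which authenticators matched the request parameters, which is the first thing to compare against the parameters actually sent.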
