Petr Nohejl

Reputation: 81

Invalid token provided in oidc-provider accessing UserInfo endpoint

I started using an OAuth2 server with OIDC in Node.js. Github link

My goal is simple, to access https://myserver/me which is UserInfo endpoint.

While trying to learn how to use the server I also used this guide (enter link description here), where I found that I could create a token by sending a request to the /token endpoint.

Into the configuration I added this code (the full server code is below):

{
    client_id: 'test_oauth_app',
    client_secret: 'super_secret',
    grant_types: ['client_credentials'],
    redirect_uris: [],
    response_types: [],
}

In Postman I was able to get the access_token with this request:

POST /token
Headers:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dGVzdF9vYXV0aF9hcHA6c3VwZXJfc2VjcmV0
Body:
grant_type=client_credentials&scopes=api1 

I get this as a response:

{
    "access_token": "zdjmZo7_BQSIl4iK9IMcBbKffxGO-wQ3jLzzQXTlyws",
    "expires_in": 600,
    "token_type": "Bearer"
}

When I checked the token via /token/introspection I found out that the token equals the jti. So I think it actually returns the token id, and because of that I cannot access the /me endpoint.

Here is the whole sample of server that I use:

const { Provider } = require('oidc-provider');

const configuration = {
  features: {
    introspection: { enabled: true },
    clientCredentials: { enabled: true },
    userinfo: { enabled: true },
    jwtUserinfo: { enabled: true },
  },
  formats: {
    AccessToken: 'jwt',
  },
  clients: [{
    client_id: 'test_oauth_app',
    client_secret: 'super_secret',
    grant_types: ['client_credentials'],
    redirect_uris: [],
    response_types: [],
  }],
  scopes: ['api1'],
};

const oidc = new Provider('http://localhost:3000', configuration);
// trust X-Forwarded-* headers, because Apache terminates HTTPS in front of this server
oidc.proxy = true;

// express/nodejs style application callback (req, res, next) for use with express apps, see /examples/express.js
// oidc.callback

// koa application for use with koa apps, see /examples/koa.js
// oidc.app

// or just expose a server standalone, see /examples/standalone.js
const server = oidc.listen(3000, () => {
  console.log('oidc-provider listening on port 3000, check https://localhost:3000/.well-known/openid-configuration');
});

The proxy is set to true because I have HTTPS set up on Apache, which forwards to this server.

I tried to change response_types, but then it required a redirect_uri, which I do not want to have in my scenario.

Here is the request I am trying to post:

POST /me
Headers:
Content-Type: application/json
Authorization: Bearer zdjmZo7_BQSIl4iK9IMcBbKffxGO-wQ3jLzzQXTlyws

The response:

{
    "error": "invalid_token",
    "error_description": "invalid token provided"
}

Did anyone have a similar problem? I found almost the same problem here but with no solution, unfortunately.

Upvotes: 1

Views: 3166

Answers (1)

Petr Nohejl

Reputation: 81

In case someone encounters the same problem. I was able to solve it.

I did not have enough information and I did not know what the client_credentials grant type does.

It actually does not authorize the user, but rather some app. So you have no info about the user, hence you cannot get data about the user through the userinfo endpoint.

So if you want to get info about the user, you probably want to use grant type authorization_code.

I found a page where a lot of things are written pretty clearly, so if you are starting with an OAuth server you might want to give this a try. https://oauth2.thephpleague.com/authorization-server/auth-code-grant/

Upvotes: 3
