u81494

Reputation: 1

OpenIddict: Token endpoint 403 error when using external OAuth2 IdP

I'm trying to configure OpenIddict v5.8.0 to work with an external OAuth2 Identity Provider (IdP) using authorization code flow. I'm using the OpenIddict.Sandbox.AspNetCore.Server project as a starting point.

The config part added for external IdP looks like this:

.AddClient(options => {
    options.AllowAuthorizationCodeFlow();
    options.AddDevelopmentEncryptionCertificate()
           .AddDevelopmentSigningCertificate();
    options.UseAspNetCore()
           .EnableStatusCodePagesIntegration()
           .EnableRedirectionEndpointPassthrough();
    options.UseSystemNetHttp()
           .SetProductInformation(typeof(Startup).Assembly);
    options
        .AddRegistration(
            new OpenIddictClientRegistration()
            {
                ProviderName = "ExtIdP",
                ProviderDisplayName = "External OAuth2 Identity Provider",

                Issuer = new Uri("https://abc.extidp.com/", UriKind.Absolute),
                ClientId = "1b4db7eb-4057-5ddf-91e0-36dec72071f5",
                ClientSecret = "c91ccbab-b2f0-11ef-8000-38c118d365bb",

                RedirectUri = new Uri("https://localhost:44395/callback/login/extidp", UriKind.Absolute),

                Scopes = { "CUSTOMSCOPE" },

                Configuration = new OpenIddictConfiguration
                {
                    AuthorizationEndpoint = new Uri("https://abc.extidp.com/oauth2/code/authorize/"),
                    TokenEndpoint = new Uri("https://abc.extidp.com/oauth2/code/token/"),
                    ResponseTypesSupported = { ResponseTypes.Code },
                    GrantTypesSupported = { GrantTypes.AuthorizationCode }
                },
            });
})

When I try to log in via the external IdP using the built-in UI, the initial steps seem to work correctly. However, the token endpoint returns a 403 status code without details.

Using Postman with the same config (OAuth2, authorization code grant type) works without problems.

Does anyone have any insights into why this problem might be occurring? Are there any specific configuration settings or troubleshooting steps I should consider?

Upvotes: 0

Views: 52

Answers (1)

u81494

Reputation: 1

Requests to the token endpoint generated by the OpenIddict client differ from those created by Postman. For instance, the OpenIddict client includes an Accept-Charset: utf-8 header.

In some cases, that particular header might cause the problem. A WAF in front of certain identity providers might not expect it, which leads to forbidden requests.

One way to fix it is to configure the OpenIddict client to skip that particular header:

options
    .AddEventHandler<OpenIddictClientEvents.PrepareTokenRequestContext>(builder =>
        builder.UseInlineHandler(context => {
            // The HttpRequestMessage is attached to the transaction by the
            // System.Net.Http integration; it is null if that integration is not used.
            HttpRequestMessage? r = context.Transaction.GetHttpRequestMessage();
            r?.Headers.Remove("Accept-Charset");
            return default;
        }));

Upvotes: 0
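Before stripping headers blindly, it helps to see exactly what the OpenIddict client sends and what the IdP (or the WAF in front of it) answers, so the request can be compared line by line with the working Postman call. The following is an added example, not code from the original post or from the OpenIddict project; it assumes the OpenIddict.Client.SystemNetHttp integration is enabled (options.UseSystemNetHttp()) and the usual usings for OpenIddict.Client, OpenIddict.Client.SystemNetHttp and Microsoft.Extensions.Logging.

```csharp
// Added example (not from the original post): log the outgoing token request
// headers and the body of any non-success token response, then apply the
// Accept-Charset workaround from the answer above.
options
    .AddEventHandler<OpenIddictClientEvents.PrepareTokenRequestContext>(builder =>
        builder.UseInlineHandler(context =>
        {
            var request = context.Transaction.GetHttpRequestMessage();
            if (request is null)
            {
                return default; // System.Net.Http integration not active
            }

            foreach (var header in request.Headers)
            {
                // Never write the client credentials to the log.
                var value = string.Equals(header.Key, "Authorization", StringComparison.OrdinalIgnoreCase)
                    ? "[redacted]"
                    : string.Join(", ", header.Value);
                context.Logger.LogInformation("Token request header {Name}: {Value}", header.Key, value);
            }

            // Workaround from the answer: drop the header some WAFs reject.
            request.Headers.Remove("Accept-Charset");
            return default;
        }));

options
    .AddEventHandler<OpenIddictClientEvents.ExtractTokenResponseContext>(builder =>
        builder.UseInlineHandler(async context =>
        {
            var response = context.Transaction.GetHttpResponseMessage();
            if (response is null || response.IsSuccessStatusCode)
            {
                return;
            }

            // A 403 from a WAF usually carries an HTML or plain-text body that
            // OpenIddict's JSON parsing discards; capture it before that happens.
            // ReadAsStringAsync buffers the content, so later handlers can still read it.
            var body = await response.Content.ReadAsStringAsync();
            context.Logger.LogWarning("Token endpoint returned {Status}: {Body}",
                (int) response.StatusCode, body);
        })
        // Run before the built-in extraction handlers, which reject the transaction on non-2xx.
        .SetOrder(int.MinValue + 100_000));
```

Compare the logged header set with the Postman request (Accept, Accept-Charset, User-Agent, Content-Type); once the offending header is identified, keep only the Remove(...) line and drop the logging in production.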
