Invalid Request errors during callback

Hello! We’re in the process of rolling out Hydra to millions of users but stuck on some invalid_request errors during the callback to one of our clients.

We understand that these are expected from time to time, browser shenanigans and what not, but we’re seeing an alarming amount of them and can’t determine why.

The requests contain this error_description:

The request is missing a required parameter, includes an invalid parameter
value, includes a parameter more than once, or is otherwise malformed

Make sure that the various parameters are correct, be aware of case sensitivity
and trim your parameters. Make sure that the client you are using has exactly
whitelisted the redirect_uri you specified.

And this error_hint:

Make sure that the various parameters are correct, be aware of case sensitivity
and trim your parameters. Make sure that the client you are using has exactly
whitelisted the redirect_uri you specified.

Could these be related to us not passing an id_token_hint in the authorization request when using prompt=none? (I would expect error=require_login in this case)

Is there somewhere we can see all possible scenarios where this error would be returned? We can’t find anything in the Hydra logs that could seemingly be related to these error responses. It doesn’t help we can’t see any details about the authorization request either.

Any help would be greatly appreciated!

Hm could you maybe share full info on the initial OAuth2 URL, the full client JSON, the version, etc? That would be helpful! For more info on debugging: https://www.ory.sh/hydra/docs/debug

Thanks for getting back to me, here’s the full authorization response:

HTTP/1.1 302 Found
Location: https://www.redacted.com/idp/auth?error=invalid_request
    &error_description=The%20request%20is%20missing%20a%20required%20parameter%2C%20includes%20an%20invalid%20parameter%20value%2C%20includes%20a%20parameter%20more%20than%20once%2C%20or%20is%20otherwise%20malformed%0A%0AMake%20sure%20that%20the%20various%20parameters%20are%20correct%2C%20be%20aware%20of%20case%20sensitivity%20and%20trim%20your%20parameters.%20Make%20sure%20that%20the%20client%20you%20are%20using%20has%20exactly%20whitelisted%20the%20redirect_uri%20you%20specified.
    &error_hint=Make%20sure%20that%20the%20various%20parameters%20are%20correct%2C%20be%20aware%20of%20case%20sensitivity%20and%20trim%20your%20pa...

We’re using version 1.8.5 and here’s our client JSON:

{
  "client_id": "56123546-7e5d-4b29-b2c4-e02dad8l9f07",
  "client_name": "Redacted",
  "client_uri": "https://redacted.com/",
  "created_at": "2020-06-09T21:54:04.000Z",
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "jwks": {},
  "post_logout_redirect_uris": [
    "https://www.redacted.com/"
  ],
  "redirect_uris": [
    "https://www.redacted.com/idp/auth"
  ],
  "response_types": [
    "code",
    "id_token"
  ],
  "scope": "openid offline",
  "subject_type": "public",
  "token_endpoint_auth_method": "client_secret_basic",
  "updated_at": "2020-06-09T21:54:04.000Z",
  "userinfo_signed_response_alg": "none"
}

How can I get details about the original authorization request triggering this error?

I would expect Hydra to divulge some sort of information in its logs regarding this error (and some details about the original request), but after enabling LOG_LEAK_SENSITIVE_VALUES=true and LOG_LEVEL=debug I’m seeing no relevant information that correlates to these errors.

We have millions of users successfully completing OAuth 2 flows in a variety of clients (a few web applications and a couple of mobile applications), so I know we’re able to complete OAuth 2 flows, our mobile apps are able to refresh tokens, etc… but we’re seeing thousands of these per day.

Is it safe to initiate a new OAuth 2 request (without prompt=none of course) when this occurs? Currently we just present the user with a user-friendly error message.

Let me know if I can provide any other information and thanks again!

Can you please show the initial request? It is the one which is https://hydra/oauth2/auth?.... Thank you!

Is it safe to initiate a new OAuth 2 request (without prompt=none of course) when this occurs? Currently we just present the user with a user-friendly error message.

Yes it typically is!

I would expect Hydra to divulge some sort of information in its logs regarding this error (and some details about the original request), but after enabling LOG_LEAK_SENSITIVE_VALUES=true and LOG_LEVEL=debug I’m seeing no relevant information that correlates to these errors.

ORY Hydra v1.9 improves all of this error handling and logging and exposes more information to the outside world! It is not a stable release yet though!

How can I identify which authorization request triggered the authorization response when there is no additional information aside from an error, error_description, and error_debug?

For the time being, we’ve changed our callback endpoint to restart an OAuth flow (without prompt=none) if any error is present in the authorization response.
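The two practical questions in this post (how to tie an error callback back to the authorization request that produced it, and when it is safe to restart the flow without prompt=none) can both be answered on the client side by recording a per-request state value. The sketch below is an added example, not code from this thread or from ORY Hydra; the endpoint URL, client id, redirect URI and the in-memory pending-request store are assumptions standing in for a real session store. It issues a fresh state for every authorization request, refuses callbacks whose state it never issued (so a stray or replayed response is never exchanged for tokens), logs the original request parameters next to the error so the invalid_request can be correlated, and restarts interactively only when the failed request was a prompt=none one.

```python
"""Added example (not from the thread or from Hydra): correlate OAuth2
error callbacks with the authorization request that produced them via
`state`, and restart interactively when a prompt=none request fails."""
import secrets
import time
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values, not taken from the thread.
AUTH_ENDPOINT = "https://hydra.example.com/oauth2/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://www.example.com/idp/auth"

# Pending authorization requests keyed by state. In a deployment this belongs
# in the user's server-side session; a module-level dict keeps the example
# self-contained.
PENDING: dict = {}


def build_authorization_url(prompt_none: bool, id_token_hint: Optional[str] = None) -> str:
    """Build the /oauth2/auth URL and remember the request under its state."""
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid offline",
        # Must match the client's whitelisted redirect_uri byte for byte
        # (scheme, host, path, trailing slash, case).
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": secrets.token_urlsafe(16),
    }
    if prompt_none:
        params["prompt"] = "none"
        if id_token_hint:
            params["id_token_hint"] = id_token_hint
    PENDING[state] = {"params": dict(params), "issued_at": time.time()}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def state_of(url: str) -> str:
    """Return the state parameter of an authorization URL."""
    return parse_qs(urlparse(url).query)["state"][0]


def handle_callback(location: str) -> dict:
    """Classify a callback URL and say what the client should do next.

    The error text from the server is kept for logging only; it is never
    shown to the end user verbatim.
    """
    query = parse_qs(urlparse(location).query, keep_blank_values=True)
    q = {k: v[0] for k, v in query.items()}
    state = q.get("state")
    # pop() makes each state single-use, so a replayed callback is rejected.
    original = PENDING.pop(state, None) if state else None
    if original is None:
        # No state, or one we never issued: this response cannot be tied to a
        # request we made, so do not exchange any code it carries.
        return {"action": "reject", "reason": "unknown_or_missing_state"}
    if "error" in q:
        record = {
            "error": q["error"],
            "description": q.get("error_description"),
            "request": original["params"],  # the correlated original request
        }
        if original["params"].get("prompt") == "none":
            # Silent authentication failed; retry once interactively, which is
            # the workaround described in the thread.
            return {
                "action": "restart_interactive",
                "log": record,
                "next_url": build_authorization_url(prompt_none=False),
            }
        return {"action": "show_error", "log": record}
    if "code" not in q:
        return {"action": "reject", "reason": "no_code"}
    return {"action": "exchange_code", "code": q["code"], "request": original["params"]}
```

The restart branch deliberately does not loop: the interactive retry is built without prompt=none, so a second invalid_request on that attempt lands in the "show_error" branch instead of starting another silent attempt.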

Oh I see you didn’t initialize the request! Depending on the error flow it could be possible to trace it by enabling jaeger tracing! Otherwise we could try and improve tracing so it becomes easier to debug!

Oh and you should definitely upgrade to 1.8 because it greatly improves the tracing with request params etc

We’re on 1.8.5 FWIW, I’ll look into jaeger tracing.

Oh I see - strange - I thought this should add some more info to the logs! Can you check the logs?