Missing id_token from /oauth2/token response


#1

Hello, I’m performing this request:

$ curl -X POST https://auth.localhost/oauth2/token -H 'Accept: application/json' -vk --data "client_id=keys-client-p&client_secret=keys-secret-p&grant_type=authorization_code&code=agtdx0UH768Ka-OgN0HPV_mkgWDt5UcRv2VPSyFZao8.X9kYJ_gBfk87xyCClJYbgl6MNE7by9kw6fLQ-cWzRgQ&redirect_uri=https://keys.auth.localhost/oidc/auth/cb/"

*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to auth.localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  start date: Feb  1 11:06:58 2019 GMT
*  expire date: Feb  1 11:06:58 2020 GMT
*  issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> POST /oauth2/token HTTP/1.1
> Host: auth.localhost
> User-Agent: curl/7.58.0
> Accept: application/json
> Content-Length: 229
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 229 out of 229 bytes
< HTTP/1.1 200 OK
< Cache-Control: no-store
< Content-Type: application/json;charset=UTF-8
< Pragma: no-cache
< Date: Fri, 01 Feb 2019 14:14:34 GMT
< Content-Length: 157
<
* Connection #0 to host auth.localhost left intact
{"access_token":"ckAgadiNu8evHO9bUsGtr9IDVm7XsEh4ACwjjXo6X2c.ZWQql-QmsCW7rHceYmh2m6bRcVMe-Q_NNSp53nJqGn8","expires_in":3599,"scope":"","token_type":"bearer"}

I cannot understand why id_token is missing from the response.

My client was created with:

docker-compose exec hydra \
    hydra clients create \
    --endpoint http://hydra:4445 \
    --id keys-client-$POSTFIX \
    --secret keys-secret-$POSTFIX \
    --callbacks https://keys.auth.localhost/oidc/auth/cb/ \
    --scope "openid" \
    --token-endpoint-auth-method client_secret_post \
    --response-types id_token,code \
    --grant-types refresh_token,authorization_code \
    -g client_credentials_$POSTFIX

What am I doing wrong?

I’m using the docker image oryd/hydra:latest-alpine.


#2

Found the problem.

My consent app didn’t send grant_scope properly to Hydra, so the granted scopes for my client were always empty, indicating that the user didn’t give consent to the openid scope.
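To make the failure mode in this thread concrete, here is an added example (not code from the original posts or from ORY Hydra) that builds the consent-acceptance body a consent app sends back to Hydra and then checks a token response against the scopes that were actually granted. The field names `requested_scope` and `grant_scope` follow Hydra's consent API; the consent request object and the user's approval list are constructed sample data, and the token response is the one from post #1.

```python
import json

# Constructed sample: the token response from post #1 (no id_token, empty scope).
TOKEN_RESPONSE = json.loads(
    '{"access_token":"ckAgadiNu8evHO9bUsGtr9IDVm7XsEh4ACwjjXo6X2c.'
    'ZWQql-QmsCW7rHceYmh2m6bRcVMe-Q_NNSp53nJqGn8",'
    '"expires_in":3599,"scope":"","token_type":"bearer"}'
)

# Constructed sample of the consent request a consent app fetches from Hydra's
# admin API; only the fields used here are shown (assumed shape, not a real capture).
CONSENT_REQUEST = {"requested_scope": ["openid", "offline"], "subject": "user@example.com"}


def build_consent_acceptance(consent_request, user_approved):
    """Build the body sent to Hydra to accept a consent request.

    The key must be spelled `grant_scope`: a missing or misnamed key is
    treated as "nothing granted", which yields an empty scope and no id_token,
    exactly as seen in post #1. Only requested scopes may be granted back.
    """
    granted = [s for s in consent_request["requested_scope"] if s in user_approved]
    return {"grant_scope": granted, "remember": False}


def check_token_response(token_response, granted_scopes):
    """Return findings that explain why id_token is (or is not) expected."""
    findings = []
    returned = set(token_response.get("scope", "").split())
    if "openid" in granted_scopes and "id_token" not in token_response:
        findings.append("openid was granted but the response has no id_token")
    if "openid" not in granted_scopes:
        findings.append("openid not in granted scopes: no id_token is expected "
                        "(check grant_scope in the consent acceptance)")
    missing = set(granted_scopes) - returned
    if missing:
        findings.append("granted scopes absent from response scope: "
                        + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    # Reproduce the thread: the consent app effectively granted nothing.
    body = build_consent_acceptance(CONSENT_REQUEST, [])
    print(json.dumps(body))
    for finding in check_token_response(TOKEN_RESPONSE, body["grant_scope"]):
        print("finding:", finding)
```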