Oauth2/token endpoint on client

ORY Hydra
#1

I really like this software and its documentation. kudos.

but… I’d really like to know if there is a development option, where one could turn of any https checks
so one could test through fully without having to set up a full blown environment.

additionally are there further documentation on the “not documented because security” api endpoints?
I am reading the source and it is very insightful. documentation would still be appreciated.

EDIT:
I am trying to reach the :4444/oauth2/token endpoint, which works from the cli but not from an external client. I figured it had to be the https which is added automagically by the cmd on the cli.

#2

What about --dangerous-force-http?

#3

okey… my first question had to be in the faq.

it doesn’t resolve my problem though. I suspected the http being responsible, as the client is adding
those headers to the request in the source and I couldn’t find any other difference.

I am trying to mimic the 5 minute tutorial with a self written client and am stuck at receiving a auth token
from oauth2/token endpoint.

I send a url encoded:
client_id: string = “aNewClient”
client_secret: string = “secret”
grant_type: string = “client_credentials”
scope: string = “offline_access offline openid”
audience: string = “”

I can’t get past this error message:

{“error”:“invalid_client”,“error_description”:“Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)”,“error_hint”:“The OAuth 2.0 Client supports client authentication method “client_secret_basic”, but method “client_secret_post” was requested. You must configure the OAuth 2.0 client’s “token_endpoint_auth_method” value to accept “client_secret_post”.”,“status_code”:401}

changing the authentication method hadn’t had any effects, same as with another request where I got the same message, but missed an entry.

its needless to say that it works from the cli

#4

okei I admit I am not very concentrated these days.

I read around and found this little gem:

somehow it worked now correctly changing the auth_method to client_secret_post.
I somehow discarded the possibility after seeing the message repeatedly even with said auth_method to client_secret_post.

please add this tutorial to one of the “must read” list
thanks for helping out

SOLUTION TO THE ORIGINAL QUESTION: