The authorization server does not support obtaining a token using this method

Hi,

I’m running Hydra in a Kubernetes cluster and am using the oryd/hydra:v1.3.2 image and I’m trying to get an id token from Hydra using the /oauth2/auth endpoint. My initial call to the endpoint is:

curl -v "https://<my-gateway>/oauth2/auth?response_type=id_token&scope=openid&client_id=xyz&redirect_uri=http://127.0.0.1:4435&nonce=whateveryouwant&state=loginforsure"

< HTTP/1.1 302 Found
< Server: nginx/1.17.8
< Date: Tue, 21 Apr 2020 21:01:10 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 156
< Connection: keep-alive
< Location: http:///login?login_challenge=9a7d1b61665140cd89f539d352c7a4c7
< Set-Cookie: oauth2_authentication_csrf=MTU4NzUwMjg3MHxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJR0V5TW1NM05UWTNZVGsyTVRRMk56TTVNemd3WWpJek56ZGhNbUprTUdNeHzgbIQrzHRYoxqOSi_Uc4t2PeFzzDMysPk_ngedzKJ52Q==; Path=/; Expires=Thu, 21 May 2020 21:01:10 GMT; Max-Age=2592000; HttpOnly; SameSite=Lax
< X-Krakend: Version 1.1.1
< X-Krakend-Completed: false
< Strict-Transport-Security: max-age=15724800; includeSubDomains
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: PUT, GET, POST, OPTIONS, DELETE
< Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
<
Found.

Then I perform the login and the consent parts of the flow. The login accept has a payload with the subject. However, the consent acceptance call has an empty body at the moment ({}). The last call to /oauth2/auth:

curl -v -H "Cookie: oauth2_consent_csrf=<very-long-cookie>;" "https://<my-gateway>/oauth2/auth?consent_verifier=f6ef01703200417f9d96d29a11522a98&response_type=id_token&scope=openid&client_id=xyz&redirect_uri=http://127.0.0.1:4435&nonce=whateveryouwant&state=loginforsure"

< HTTP/1.1 302 Found
< Server: nginx/1.17.8
< Date: Tue, 21 Apr 2020 19:14:39 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: http://127.0.0.1:4435?error=unsupported_response_type&error_description=The+authorization+server+does+not+support+obtaining+a+token+using+this+method&state=loginforsure
< X-Krakend: Version 1.1.1
< X-Krakend-Completed: false
< Strict-Transport-Security: max-age=15724800; includeSubDomains
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: PUT, GET, POST, OPTIONS, DELETE
< Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization
<

The logs for Hydra show:

{"level":"info","method":"GET","msg":"started handling request","remote":"10.0.18.10","request":"/oauth2/auth?\u0026client_id=xyz\u0026consent_verifier=f6ef01703200417f9d96d29a11522a98\u0026nonce=whateveryouwant\u0026redirect_uri=http%3A%2F%2F127.0.0.1%3A4435\u0026response_type=id_token\u0026scope=openid\u0026state=loginforsure","request_id":"641d0c21c6ce4779f35a8d7be5d041e4","time":"2020-04-21T21:09:32Z"}
{"description":"The authorization server does not support obtaining a token using this method","error":"unsupported_response_type","level":"error","msg":"An error occurred","time":"2020-04-21T21:09:32Z"}
{"level":"info","measure#hydra/public: https://127.0.0.1:4444/.latency":35449216,"method":"GET","msg":"completed handling request","remote":"10.0.18.10","request":"/oauth2/auth?\u0026client_id=xyz\u0026consent_verifier=f6ef01703200417f9d96d29a11522a98\u0026nonce=whateveryouwant\u0026redirect_uri=http%3A%2F%2F127.0.0.1%3A4435\u0026response_type=id_token\u0026scope=openid\u0026state=loginforsure","request_id":"641d0c21c6ce4779f35a8d7be5d041e4","status":302,"text_status":"Found","time":"2020-04-21T21:09:32Z","took":35449216}

The client configuration:

{
  "client_id": "9902abd5-61a1-4f30-a11e-9c914e651daf",
  "client_name": "avanet-web",
  "redirect_uris": [
    "http://127.0.0.1:4435"
  ],
  "grant_types": [
    "client_credentials",
    "authorization_code",
    "implicit"
  ],
  "response_types": [
    "token",
    "id_token",
    "code",
    "code id_token"
  ],
  "scope": "openid",
  "audience": [],
  "owner": "",
  "policy_uri": "",
  "allowed_cors_origins": [],
  "tos_uri": "",
  "client_uri": "",
  "logo_uri": "",
  "contacts": [],
  "client_secret_expires_at": 0,
  "subject_type": "public",
  "token_endpoint_auth_method": "none",
  "userinfo_signed_response_alg": "none",
  "created_at": "2020-04-21T13:24:57Z",
  "updated_at": "2020-04-21T13:24:57Z",
  "metadata": null
}

So, what am I doing wrong? Some configuration parameter setting or parameter in the authorize call?

Your request shows client_id=xyz but the client config shows "client_id":"9902abd5-61a1-4f30-a11e-9c914e651daf"

Sorry, my mistake trying to remove any confidential information. Disregard that. However, I found an interesting note about missing id_tokens stating that the consent acceptance must contain the grant_scope: ["openid"] parameter, so I will try that.

Yes, the id_token requires the openid scope!

Success! Now it works.
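The fix the thread arrives at, as an added example that is not from the thread or from Ory: build the consent acceptance body so that the granted scopes actually include openid whenever the client asked for an id_token, send it to Hydra's admin API, and then interpret the final redirect the way the curl output above has to be read (error in the query string versus id_token in the fragment, with the state checked either way). The admin URL, the consent challenge value and the sample callback URLs are assumptions or constructed values; the admin endpoint path and the grant_scope field are Hydra v1.x's.

```python
"""Accept a Hydra consent request so that an id_token is actually issued.

Assumed admin endpoint: Hydra's admin API listens on :4445 by default; the
value below is a placeholder, not taken from the thread.
"""
import json
import urllib.parse
import urllib.request

HYDRA_ADMIN_URL = "http://127.0.0.1:4445"  # placeholder


def id_token_grant_ok(response_type, grant_scope):
    """True unless the client asked for an id_token without 'openid' being granted.

    Accepting consent with an empty body (no grant_scope) is exactly the case
    where Hydra redirects back with unsupported_response_type, as in the thread.
    """
    wants_id_token = "id_token" in response_type.split()
    return (not wants_id_token) or ("openid" in grant_scope)


def consent_accept_body(requested_scope, response_type, grant_scope=None, remember=False):
    """Build the JSON body for PUT /oauth2/auth/requests/consent/accept.

    requested_scope is what the consent request reported; only a subset of it
    may be granted. By default every requested scope is granted.
    """
    grant = list(grant_scope if grant_scope is not None else requested_scope)
    not_requested = sorted(set(grant) - set(requested_scope))
    if not_requested:
        raise ValueError(f"cannot grant scopes that were not requested: {not_requested}")
    if not id_token_grant_ok(response_type, grant):
        raise ValueError("response_type includes id_token but 'openid' is not granted")
    return {
        "grant_scope": grant,
        "grant_access_token_audience": [],
        "remember": remember,
        "remember_for": 0,
    }


def accept_consent(consent_challenge, body, admin_url=HYDRA_ADMIN_URL):
    """PUT the acceptance to the admin API; returns the redirect_to URL Hydra hands back.

    The consent_challenge is the value Hydra put in the redirect to the consent app.
    """
    url = f"{admin_url}/oauth2/auth/requests/consent/accept?" + urllib.parse.urlencode(
        {"consent_challenge": consent_challenge}
    )
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["redirect_to"]


def classify_callback(location, expected_state):
    """Interpret the final /oauth2/auth redirect to the client's redirect_uri.

    An error arrives in the query string; an implicit-flow id_token arrives in
    the fragment. The state is verified first so a mismatched response is never
    treated as a success.
    """
    parts = urllib.parse.urlsplit(location)
    query = dict(urllib.parse.parse_qsl(parts.query))
    fragment = dict(urllib.parse.parse_qsl(parts.fragment))
    state = query.get("state") or fragment.get("state")
    if state != expected_state:
        return {"ok": False, "error": "state_mismatch"}
    if "error" in query:
        return {"ok": False, "error": query["error"],
                "description": query.get("error_description", "")}
    if "id_token" in fragment:
        return {"ok": True, "id_token": fragment["id_token"]}
    return {"ok": False, "error": "no_id_token"}


if __name__ == "__main__":
    # Constructed values: the challenge would come from Hydra's consent redirect.
    body = consent_accept_body(["openid"], "id_token")
    print(json.dumps(body))
    # accept_consent("<consent_challenge>", body)  # needs a reachable admin API
```

With `requested_scope=["openid"]` and `response_type="id_token"`, the body carries `"grant_scope": ["openid"]`, which is the parameter the thread found missing from the empty `{}` acceptance; granting nothing for an id_token request is refused before any call is made.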
