invalid_client at the end of the login flow, how to debug?

[azazel75]

I'm merging Hydra and Kratos in a demo setup using a Python ui. Most of the things
works but I'm unable to go further the end of the login flow because when the
browser redirects to the url defined by the response to the "accept login request"
endpoint it gets redirected to:

http://127.0.0.1:4455/error?error=invalid_client&error_description=Client+authentication+failed+%28e.g.%2C+unknown+client%2C+no+client+authentication+included%2C+or+unsupported+authentication+method%29.+The+requested+OAuth+2.0+Client+does+not+exist.+Unable+to+locate+the+resource

For what is worth, the client is an hydra token user invocation, that I run from
a script (the arion command below behaves like docker-compose):

# run_test_client.sh
name=${1:? "At least a first parameter for the name of the client is required"}
secret=${2:-"secret"}
port=${3:-"5555"}

echo -e "Starting a demo client on port: \"$port\", \n with id: \"$name\" and secret: \"$secret\"..."
arion exec hydra -- hydra token user \
    --endpoint http://127.0.0.1:4444/ \
    --client-id $name \
    --client-secret $secret \
    --port $port \
    --scope openid,offline

and the client itself is created with another script:

# create_test_client.sh
name=${1:? "At least a first parameter for the name of the client is required"}
secret=${2:-"secret"}
cback=${3:-"http://127.0.0.1:5555/callback"}

echo "Creating a new client with id: \"$name\" and secret: \"$secret\"..."
arion exec hydra -- hydra clients create \
    --endpoint http://127.0.0.1:4445/ \
    --id $name \
    --secret $secret \
    --grant-types authorization_code,refresh_token \
    --response-types code,id_token \
    --scope openid,offline \
    --callbacks $cback

So usually i run the client with:

$ ./create_test_client.sh a_client
$ ./run_test_client.sh a_client

Any clue about how to investigate further? This is my testing Hydra config:

## ORY Hydra Configuration
version: v1.10.7

serve:
  cookies:
    same_site_mode: Lax
    # public:
    # cors:
    #   enabled: true

dsn: postgres://auth:secret@hydra-db:5432/hydra?sslmode=disable&max_conns=20&max_idle_conns=4

oidc:
  subject_identifiers:
    supported_types:
      - public
      - pairwise
    pairwise:
      salt: youReallyNeedToChangeThis

urls:
  login: http://127.0.0.1:4455/auth/login
  consent: http://127.0.0.1:4455/auth/consent
  logout: http://127.0.0.1:4455/consent
  error: http://127.0.0.1:4455/error
  post_logout_redirect: http://127.0.0.1:3000/
  self:
    public: http://127.0.0.1:4444/
    issuer: http://127.0.0.1:4444/

ttl:
  access_token: 1h
  refresh_token: 1h
  id_token: 1h
  auth_code: 1h

oauth2:
  expose_internal_errors: true

secrets:
  cookie:
    - youReallyNeedToChangeThis
  system:
    - youReallyNeedToChangexhis

log:
  leak_sensitive_values: true
  format: text
  level: debug

Is there a way to let Hydra better explain the cause of the error?

The following is the log of my app for what happens when clicking on the authentication link of the client (this shows both the Hydra and Kratos interaction):

New OAuth login request
The login_challenge 'd31c1df5046946dfa0570a05fc64700a' is valid
Redirecting to Kratos login page: 'http://127.0.0.1:4433/self-service/login/browser?return_to=%2Fauth%2Flogged_in%3Flogin_challenge%3Dd31c1df5046946dfa0570a05fc64700a'
Callback from Kratos login invocation fror login_challenge 'd31c1df5046946dfa0570a05fc64700a'
Kratos authentication session exists for subject 'alberto@a_client.it'
Signal Hydra to accept auth requesto for challenge: 'd31c1df5046946dfa0570a05fc64700a'
Got consent redirect from Hydra to 'http://127.0.0.1:4444/oauth2/auth?audience=&client_id=a_client&login_verifier=5bac8bc849e7485ca98d8f88ace286e2&max_age=0&nonce=khwaytrihjkeirqzjjxyzedv&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=rzggnwyghanilnxwganunmod'
Redirecting to consent
Hydra error happened: 'invalid_client', 'Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist. Unable to locate the resource'

And this is the Hydra log for the same process:

hydra             | time=2022-01-11T16:50:04Z level=info msg=started handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate connection:keep-alive content-length:31 content-type:application/json user-agent:python-httpx/0.21.1] host:127.0.0.1:4445 method:PUT path:/oauth2/auth/requests/login/accept query:login_challenge=d31c1df5046946dfa0570a05fc64700a remote:172.23.0.1:38638 scheme:http]
hydra             | time=2022-01-11T16:50:04Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate connection:keep-alive content-length:31 content-type:application/json user-agent:python-httpx/0.21.1] host:127.0.0.1:4445 method:PUT path:/oauth2/auth/requests/login/accept query:login_challenge=d31c1df5046946dfa0570a05fc64700a remote:172.23.0.1:38638 scheme:http] http_response=map[headers:map[content-type:application/json; charset=utf-8] size:345 status:200 text_status:OK took:7.772713ms]
hydra             | time=2022-01-11T16:50:04Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache connection:keep-alive cookie:oauth2_authentication_csrf_insecure=MTY0MTkxOTgwM3xEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGt3TkdJeE9HRXlaamMxTkRSbFltSmlObU01TXpoall6bGtZelExWW1aaXya4-u9hGw75ENsYPNw0KrRNEvmjizftyLh3IOq3Tq1tQ==; jp_token=15d11d4f9bbb4c778639a180706d005e.CwPHuf3VO1CDi7t7Pyd8wY3-Dgw; csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=nJLH/QlEMKwAW5mEdvpGD+n6yqA90XZBcEgtzpSlvDs=; ory_kratos_session=MTY0MTkxODgyNHxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJSFp5VmxwbVlrSndTakpSVEhoak5GZDVWRVl3U1ZaVmFWQTRNMXBqUVdFNHyhwd7DXon_TNoW5jJP0qIQuDDkeu_DvWqELU64vvlDHQ== pragma:no-cache referer:http://127.0.0.1:4455/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:audience=&client_id=a_client&login_verifier=5bac8bc849e7485ca98d8f88ace286e2&max_age=0&nonce=khwaytrihjkeirqzjjxyzedv&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=rzggnwyghanilnxwganunmod remote:172.23.0.1:38164 scheme:http]
hydra             | time=2022-01-11T16:50:04Z level=error msg=An error occurred audience=application error=map[debug:Unable to locate the resource message:invalid_client reason:The requested OAuth 2.0 Client does not exist. status:Unauthorized status_code:401] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache connection:keep-alive cookie:oauth2_authentication_csrf_insecure=MTY0MTkxOTgwM3xEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGt3TkdJeE9HRXlaamMxTkRSbFltSmlObU01TXpoall6bGtZelExWW1aaXya4-u9hGw75ENsYPNw0KrRNEvmjizftyLh3IOq3Tq1tQ==; jp_token=15d11d4f9bbb4c778639a180706d005e.CwPHuf3VO1CDi7t7Pyd8wY3-Dgw; csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=nJLH/QlEMKwAW5mEdvpGD+n6yqA90XZBcEgtzpSlvDs=; ory_kratos_session=MTY0MTkxODgyNHxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJSFp5VmxwbVlrSndTakpSVEhoak5GZDVWRVl3U1ZaVmFWQTRNMXBqUVdFNHyhwd7DXon_TNoW5jJP0qIQuDDkeu_DvWqELU64vvlDHQ== pragma:no-cache referer:http://127.0.0.1:4455/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:audience=&client_id=a_client&login_verifier=5bac8bc849e7485ca98d8f88ace286e2&max_age=0&nonce=khwaytrihjkeirqzjjxyzedv&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=rzggnwyghanilnxwganunmod remote:172.23.0.1:38164 scheme:http] service_name=ORY Hydra service_version=v1.10.7
hydra             | time=2022-01-11T16:50:04Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate accept-language:en-US,en;q=0.5 cache-control:no-cache connection:keep-alive cookie:oauth2_authentication_csrf_insecure=MTY0MTkxOTgwM3xEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJRGt3TkdJeE9HRXlaamMxTkRSbFltSmlObU01TXpoall6bGtZelExWW1aaXya4-u9hGw75ENsYPNw0KrRNEvmjizftyLh3IOq3Tq1tQ==; jp_token=15d11d4f9bbb4c778639a180706d005e.CwPHuf3VO1CDi7t7Pyd8wY3-Dgw; csrf_token_806060ca5bf70dff3caa0e5c860002aade9d470a5a4dce73bcfa7ba10778f481=nJLH/QlEMKwAW5mEdvpGD+n6yqA90XZBcEgtzpSlvDs=; ory_kratos_session=MTY0MTkxODgyNHxEdi1CQkFFQ180SUFBUkFCRUFBQVJfLUNBQUVHYzNSeWFXNW5EQThBRFhObGMzTnBiMjVmZEc5clpXNEdjM1J5YVc1bkRDSUFJSFp5VmxwbVlrSndTakpSVEhoak5GZDVWRVl3U1ZaVmFWQTRNMXBqUVdFNHyhwd7DXon_TNoW5jJP0qIQuDDkeu_DvWqELU64vvlDHQ== pragma:no-cache referer:http://127.0.0.1:4455/ sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:cross-site upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0] host:127.0.0.1:4444 method:GET path:/oauth2/auth query:audience=&client_id=a_client&login_verifier=5bac8bc849e7485ca98d8f88ace286e2&max_age=0&nonce=khwaytrihjkeirqzjjxyzedv&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=rzggnwyghanilnxwganunmod remote:172.23.0.1:38164 scheme:http] http_response=map[headers:map[content-type:text/html; charset=utf-8 location:http://127.0.0.1:4455/error?error=invalid_client&error_description=Client+authentication+failed+%28e.g.%2C+unknown+client%2C+no+client+authentication+included%2C+or+unsupported+authentication+method%29.+The+requested+OAuth+2.0+Client+does+not+exist.+Unable+to+locate+the+resource] size:306 status:302 text_status:Found took:719.369µs]
hydra             | 2022/01/11 16:50:04 http: URL query contains semicolon, which is no longer a supported separator; parts of the query may be stripped when parsed; see golang.org/issue/25192

The hydra clients list --endpoint http://127.0.0.1:4445 is:

| CLIENT ID | NAME | RESPONSE TYPES |     SCOPE      |         REDIRECT URIS          |           GRANT TYPES            | TOKEN ENDPOINT AUTH METHOD |
|-----------|------|----------------|----------------|--------------------------------|----------------------------------|----------------------------|
| a_client  |      | code,id_token  | openid offline | http://127.0.0.1:5555/callback | authorization_code,refresh_token | client_secret_basic        |

Any idea? thanks in advance!

[azazel75]

If needed I can show the source of my Python script that serves the UI, but I must advise that it's using a different API client library, because it's using an async model

[azazel75]

I tried with a very simple Hydra login endpoint that immediately accepts the login request, and it shows the same problem. That was unexpected! And sad :-/ I'll post the Python source of the endpoint:ù

@jp.SetRoute('/auth/login')
async def oauth_login_shallow(request):
    """
    Hydra login entry point
    """

    page = jp.WebPage(title="Welcome to the OAuth login page")
    challenge = request.query_params.get('login_challenge')
    print("\nNew OAuth shallow login request")

    if not challenge:
        print(f"Hydra login challenge missing")
        page + jp.H1(text="Error, Missing 'login_challenge' query parameter")
        return page

    log_req = await get_login_request.asyncio(client=h_client,
                                              login_challenge=challenge)

    if isinstance(log_req, ContainsInformationOnAnOngoingLoginRequest):
        print(f"The login_challenge {challenge!r} is valid")
        if log_req.skip: print("skip")
    else:
        print(f"Error authenticating login_challenge")
        page + jp.H1(text="Error, unauthorized oauth client (login_challenge is fake?)!")
        return page


    body = HandledLoginRequestIsTheRequestPayloadUsedToAcceptALoginRequest(
        subject="shallow_subject",
    )

    print(f"Signal Hydra to accept auth requesto for challenge: {challenge!r}")
    accept_resp = await accept_login_request.asyncio(
        client=h_client,
        login_challenge=challenge,
        json_body=body
    )
    if isinstance(
            accept_resp,
            TheResponsePayloadSentWhenAcceptingOrRejectingALoginOrConsentRequest):
        page.redirect =  accept_resp.redirect_to
        print(f"Got consent redirect from Hydra to {page.redirect!r}")
    else:
        raise RuntimeError("Error while accepting hydra challenge")
    return page + jp.H1(text="Redirect to consent flow")

Probably it's something so simple that I can't see it....

[vinckr]

Hello Alberto,
thanks for supplying so much detailed information. Is your Hydra login endpoint working when you try a login/consent flow without Ory Kratos?
On the clients create command and hydra.yml I cant see anything obvious.

[azazel75]

Hi @vinckr, thanks for answering. Unfortunately it was a bug of the small Python library that I'm using to generate the pages, see justpy-org/justpy#335 . No it works to the end! Nice! Even the joined Hydra-Kratos workflow works (with external github authentication)! Now the test client at the end of the process writes:

* Access Token: _pJpAkMhwsKDlWRCdsVsfZlE0tRF5L47gNRqVtHDdZs.LX7zyLhjbwYAiez4jZpROfIMiQwm42lMtN0g5qBbvYk
* Refresh Token:
* Expires in: Wed, 12 Jan 2022 16:32:18 UTC
* ID Token: <nil>

Shouldn't the IDToken show something?

[azazel75]

Nailed it with a "consent all" consent endpoint like:

@jp.SetRoute('/auth/consent')
async def oauth_consent(request):
    """
    Hydra consent entry point
    """

    page = jp.WebPage(title="Welcome to the OAuth consent page")
    page + jp.H1(text="Consent page")
    challenge = request.query_params.get('consent_challenge')
    print("New OAuth consent request")

    if not challenge:
        print(f"Hydra consent challenge missing")
        page + jp.H1(text="Error, Missing 'consent_challenge' query parameter")
        return page

    con_req = await get_consent_request.asyncio(client=h_client,
                                                consent_challenge=challenge)
    if isinstance(con_req, ContainsInformationOnAnOngoingConsentRequest):
        print(f"The consent_challenge {challenge!r} is valid")
    else:
        print(f"Error authenticating consent_challenge")
        page + jp.H1(text="Error, unauthorized oauth client (consent_challenge is fake?)!")
        return page

    session = await _get_kratos_session(request)
    if _kratos_session_is_valid(session):
        print(f"Accepting consent request {challenge!r}")
        accept_resp = await accept_consent_request.asyncio(
            client=h_client, consent_challenge=challenge,
            json_body=TheRequestPayloadUsedToAcceptAConsentRequest(
                grant_scope=con_req.requested_scope))

        if isinstance(
                accept_resp,
                TheResponsePayloadSentWhenAcceptingOrRejectingALoginOrConsentRequest):
            dest = accept_resp.redirect_to
            print(f"Got final redirect from Hydra to {dest!r}")
            page.redirect = dest
            return (page + jp.H1(text="Kratos login redirect to Hydra"))
        else:
            raise RuntimeError("Error while accepting hydra challenge")
    return page

The key is to "copy" the requested scopes to those granted. Now at the end I get:

* Access Token: RDwSelIldpXt55A0KmCYDArCMx6Z3efkW_GRJeCyGFI.EuzvdCyWjUrWOhGBfv-lsHe4D_lL8UlaPk5j_yxlZs4
* Refresh Token: kf4WN2AKoymYCZW9iVe1ohbdNlkXHdEb5ZWRIiOZbLY.quJSn9VKRUdYuzRyo7l4cnfSu_YSjq54uOFmaT9lsKU* 
* Expires in: Wed, 12 Jan 2022 18:28:11 UTC
* ID Token: eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzoyYTE0YjM5NC1iMTgxLTQ4YWUtYTU3Mi1iMDUyYmQwM2U2NTUiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiTDhsYmlJMjJpZ0Naa2ZuYXhsbHRtQSIsImF1ZCI6WyJ0ZXN0X2NsaWVudCJdLCJhdXRoX3RpbWUiOjE2NDIwMDg0OTAsImV4cCI6MTY0MjAxMjA5MiwiaWF0IjoxNjQyMDA4NDkyLCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjQ0NDQvIiwianRpIjoiZWMyYTFlYjgtZDI2MC00YmFjLWFlOGEtZGM0YmVkYzUyNDEzIiwibm9uY2UiOiJlcWlod2pmaGN2d3FmcWxkb2x4dWVkaGwiLCJyYXQiOjE2NDIwMDg0OTAsInNpZCI6ImRhNjgzMjFmLTc0MTgtNGRkNi04MjQ5LTAwMWM0MzlhMTA3MyIsInN1YiI6InBpcHBvQHBsdXRvLml0In0.HoTekeAokrF92XcDIR5Tbu66uPMm-bjRzf5Kw90Z4PDsZvUC9HIK_MXQZrabQhX-Q-zs1BltEk8-1EXjpWgsTDH_cr3qxqH5ZtZFE3WqqiB1mUC2r_7_YtERd3iLk7p-hxJ0P2_pa5BzGqF7sYs329P436AQVTBkz32LpBk-KyxOIrax4fjHZs4_MquQaytI5HcCdH9JPXe-lLNi80-BWwZA9z0os1UnZ-ybtoMul-clMaefweNOxY9rO1XnNQX9P9kxUNCodFRX9ZhL4tNCB5mytGJ3XYRPUZHeRoo-iKCZwx9KS4nylfhWQ2bDEqSgBR2txdXyDVRczySg4hYM4TJM12mPZT2ef1aaqUDLrfxHOy584hZLl4M0mKLd9D5oc9ZbvUmD0C4IW5hTTN_tRU63tXt97BDPG28UL8YoechpkwDNJGwlbJWVBzPQQcaQNxdyVWJySo1TpBRHBNVYO00H2XbLHASBRnFU0MfPwch0N76aDOlFscQXEEZ8Xfjvqm1MUm0WrIRaF1ZqBPz-aoMmOh-rKgIWqaYu8TU6sCaX3424ziyadkn47f7L2_lqeUkXPUd5YpfuR3__-ZRWTUAkk3lXGG_nfFbystkl5H8VXDKBg69AvPsCk--dL12TrAE4L-50vFLWPDHLmdXGMw-WTfhl_1EI8cqwbbKHNvg

[vinckr]

Hey that was pretty fast 😅
Thanks so much for supplying your code, I will see to make some use of it in the docs; we do not have many Python examples afaik. Or we turn it into a blogpost tutorial. Would you be ok with that? We would give you credit of course.

[azazel75]

Of course, no problem at all. I can post even more of the solution, but is the development environment that is where the custom client libraries for Kratos and Hydra gets built from Ory's SDK repo. The environment automatically extracts the specs from the SDK repo, converts Hydra's spec from Swagger to Openapi with the help of swagger2openapi JS tool and then applies Python's library openapi-python-client to generate the async style client sources, that then gets packaged as Nix packages and installed in the environment... that then generates the container image with the help of Arion 😛

[azazel75]

BTW @vinckr , this morning I had a meeting with the client for which I coded this "proof of concept" of Hydra and Kratos integration using Python and he agreed to let me disclose anything needed for your blogpost, if you want to really go that way, so let me know. In the meantime I'll prepare a demo repository that can be run any of my client's stuff 😉 so, let me know.

[vinckr]

Thanks @azazel75 !
I would love to publish it on our blog yes.
I fear I could not reproduce or adequately describe all the work you did, but would love to demonstrate the frontend a bit and show how people can use it & as reference. A small demo repo would be more than I can possibly ask for!

[vinckr]

@azazel75
The Ory Kratos and Ory Hydra integration just landed with Hydra 2.0,
see the release notes for more details!