token endpoint with grant_type urn:ietf:params:oauth:grant-type:jwt-bearer fails to work without client_id #3903

Open
smndtrl opened this issue Dec 9, 2024 · 0 comments
Labels
bug Something is not working.

Comments

smndtrl commented Dec 9, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

Given an issuer trust relationship, the token endpoint seems to require the `client_id` of a valid client to actually work with the jwt-bearer grant type. This seems to go against the docs at https://www.ory.sh/docs/hydra/guides/jwt as well as the RFC.

Did I misunderstand how that feature should be used?

From RFC 7523:

> 2.1. Using JWTs as Authorization Grants
>
> To use a Bearer JWT as an authorization grant, the client uses an access token request as defined in Section 4 of the OAuth Assertion Framework [RFC7521] with the following specific parameter values and encodings.
>
> The value of the "grant_type" is "urn:ietf:params:oauth:grant-type:jwt-bearer".
>
> The value of the "assertion" parameter MUST contain a single JWT.
>
> The "scope" parameter may be used, as defined in the OAuth Assertion Framework [RFC7521], to indicate the requested scope.
>
> Authentication of the client is optional, as described in Section 3.2.1 of OAuth 2.0 [RFC6749] and consequently, the "client_id" is only needed when a form of client authentication that relies on the parameter is used.

Reproducing the bug

Create an issuer trust relationship at `/admin/trust/grants/jwt-bearer/issuers`:

```json
{
  "allow_any_subject": true,
  "expires_at": "2029-04-23T18:25:43.511Z",
  "issuer": "https://example.com",
  "jwk": {
    "alg": "HS256",
    "use": "sig",
    "kty": "oct",
    "k": "Fdh9u8rINxfivbrianbbVT1u232VQBZYKx1HGAGPt2I",
    "kid": "default"
  },
  "scope": ["openid"]
}
```

Exchange the token at `/oauth2/token` (URL encoding removed for the report):

```
assertion=...&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=openid
```

```json
{
  "error": "invalid_request",
  "error_description": "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client credentials missing or malformed in both HTTP Authorization header and HTTP POST body."
}
```

It works when adding the `client_id` of a client with e.g. `token_endpoint_auth_method` `none`.

Relevant log output

No response

Relevant configuration

No response

Version

ory/hydra:v2.2.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

Docker Compose

Additional Context

No response

@smndtrl smndtrl added the bug Something is not working. label Dec 9, 2024
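The flow the report exercises, as an added worked example (this is not code from the issue or from Ory Hydra): it builds an RFC 7523 JWT-bearer assertion signed with the HS256 `oct` key from the trust relationship above, verifies it the way a token endpoint should before trusting it (pinned `alg`/`kid`, signature, `iss`, `aud`, `exp`, `sub`), and assembles the `/oauth2/token` form body both without `client_id` (the RFC-conformant request the reporter sent) and with it (the workaround the report describes). The token endpoint URL `https://hydra.example.org/oauth2/token`, the subject and the client name are assumed values.

```python
"""Added example (not code from the issue or from Ory Hydra): build and verify an
RFC 7523 JWT-bearer assertion for the trust relationship in the report, and
assemble the /oauth2/token form body both without and with client_id."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Trust-relationship values copied from the issue report above.
TRUST_JWK = {
    "alg": "HS256",
    "use": "sig",
    "kty": "oct",
    "k": "Fdh9u8rINxfivbrianbbVT1u232VQBZYKx1HGAGPt2I",
    "kid": "default",
}
TRUST_ISSUER = "https://example.com"
# Assumed token-endpoint URL; RFC 7523 requires the assertion's "aud" to
# identify the authorization server, typically its token endpoint.
TOKEN_ENDPOINT = "https://hydra.example.org/oauth2/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(jwk, issuer, subject, audience, now, lifetime=300):
    """Sign a compact JWS with the trust relationship's HS256 'oct' key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    claims = {
        "iss": issuer,
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + lifetime,
        "jti": secrets.token_urlsafe(16),  # unique id so the server can reject replays
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_assertion(token, jwk, expected_issuer, expected_audience, now):
    """The checks a token endpoint must make before trusting the assertion (RFC 7523 section 3)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("assertion is not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm to the one registered in the trust relationship:
    # never let the token's own header choose (e.g. "none").
    if header.get("alg") != jwk["alg"] or header.get("kid") != jwk["kid"]:
        raise ValueError("unexpected alg or kid")
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer is not trusted")
    aud = claims.get("aud")
    if aud != expected_audience and not (isinstance(aud, list) and expected_audience in aud):
        raise ValueError("audience does not identify this token endpoint")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired or has no exp")
    if "sub" not in claims:
        raise ValueError("assertion has no sub")
    return claims


def token_request_body(assertion, scope, client_id=None):
    """Form body for POST /oauth2/token. RFC 7523 makes client_id optional; pass it
    only for the workaround the issue describes (a client whose
    token_endpoint_auth_method is 'none')."""
    fields = {"grant_type": GRANT_TYPE, "assertion": assertion, "scope": scope}
    if client_id is not None:
        fields["client_id"] = client_id
    return urlencode(fields)


if __name__ == "__main__":
    now = int(time.time())
    assertion = build_assertion(TRUST_JWK, TRUST_ISSUER, "alice@example.com", TOKEN_ENDPOINT, now)
    print(verify_assertion(assertion, TRUST_JWK, TRUST_ISSUER, TOKEN_ENDPOINT, now))
    print(token_request_body(assertion, "openid"))
    print(token_request_body(assertion, "openid", client_id="public-client"))
```

`verify_assertion` deliberately takes the algorithm and key id from the stored trust relationship rather than from the token header, and checks `aud` against the server's own token endpoint; an assertion minted for one authorization server is then useless at another even if both trust the same issuer. The body produced without `client_id` is exactly the shape the reporter posted; whether the server accepts it is the point of the issue.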