Login/Register
Response type is not valid
Asked Answered
openiddictoidc-client
R

1

6

I am using openidict and oidc-client authentication,

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => 
    {
        options.LoginPath = "/Identity/Account/Login";
        options.LogoutPath = "/Identity/Account/Logout";
        
    })
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.ForwardSignIn = CookieAuthenticationDefaults.AuthenticationScheme;

        options.Authority = baseUrl;
        options.CallbackPath = new PathString("/authentication/login-callback");
        options.SignedOutRedirectUri = baseUrl;

        options.ClientId = AuthenticationClient.WebClientId;

        options.RequireHttpsMetadata = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.SaveTokens = true;
        options.UsePkce = true;

        /// Use the authorization code flow.
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
        options.AuthenticationMethod = OpenIdConnectRedirectBehavior.RedirectGet;

        options.Scope.Add(Scopes.OpenId);
        options.Scope.Add(Scopes.Profile);
        options.Scope.Add(AuthenticationClient.WebClientApiScope);
}

Here when the response type is set to "Code id/Code id_token/code token" I'm getting Open ID connect hybrid flow is not supported error.

When it is "code" , I get the below error.

error:unauthorized_client
error_description:The specified 'response_type' is not valid for this client application.
error_uri:https://documentation.openiddict.com/errors/ID2043

Can someone pls help me on this?

Rich answered 19/5, 2021 at 13:47 Comment(1)
What does your logout endpoint look like on the client?Valida
S
3

I had the same issue when I tried to configure OpenIddic server and authorize it through the OIDC protocol.

I was configuring postman public client, that allowed AuthorizationCode GrandType, and I forgot to add explicitly allowed ResponseType Code:

  var descriptor = new OpenIddictApplicationDescriptor
  {
    ClientId = "postman",
    DisplayName = "Postman",
    RedirectUris = { new Uri("https://www.getpostman.com/oath2/callback") },
    Permissions = 
    {
        OpenIddictConstants.Permissions.Endpoints.Authorization,
        OpenIddictConstants.Permissions.Endpoints.Device,
        OpenIddictConstants.Permissions.Endpoints.Token,
        OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
        OpenIddictConstants.Permissions.GrantTypes.DeviceCode,
        OpenIddictConstants.Permissions.GrantTypes.Password,
        OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
        OpenIddictConstants.Permissions.Scopes.Email,
        OpenIddictConstants.Permissions.Scopes.Profile,
        OpenIddictConstants.Permissions.Scopes.Roles,

        OpenIddictConstants.Permissions.ResponseTypes.Code <-- this was my issue
    }
  };

And this how OpenIddic stored this in DB

[
"ept:authorization",
"ept:device",
"ept:token",
"gt:authorization_code",
"gt:urn:ietf:params:oauth:grant-type:device_code",
"gt:password",
"gt:refresh_token",
"scp:email",
"scp:profile",
"scp:roles",
"rst:code"
]

As OpenIddict is a library for creating authorization we need set everything explicitly.

Statute answered 23/2, 2022 at 20:8 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.