What's wrong? I'll get after good looking flow "invalid-token-response" in WP-Plugin?

[svenniuwe]

Hello,
I need to use this plugin to authenticate via Orchard-Core Authorization Server.

First steps are promising, I get redirected to Orchard-Core-Login, then there I'm requested to accept access then redirected to Wordpress and then the above error appears.

What might be wrong?

Thank you for any suggestions!

Bye
Sven

==================
Parts of flow from Plugin-Log:

string(272) "https://authdemo.XXXXX.net/connect/authorize?response_type=code&scope=WordpressBereich&client_id=wordpress-authdemo-blog&state=31b9d48812077aa7693effd689d0eb6e&redirect_uri=https%3A%2F%2Fauthdemo.XXXXX.blog%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize"

Type: request_authentication_token
Date: 2021-06-11 14:03:16
User: 0
URI : /wp-admin/admin-ajax.php?action=openid-connect-authorize&code=&state=31b9d48812077aa7693effd689d0eb6e
=> string(41) "https://authdemo.XXXXX.net/connect/token"

Type: invalid-token-response
Date: 2021-06-11 14:03:16
User: 0
URI : /wp-admin/admin-ajax.php?action=openid-connect-authorize&code=&state=31b9d48812077aa7693effd689d0eb6e

object(WP_Error)#935 (3) {
["errors"]=>
array(1) {
["invalid-token-response"]=>
array(1) {
[0]=>
string(22) "Invalid token response"
}
}
["error_data"]=>
array(1) {
["invalid-token-response"]=>
array(4) {
["access_token"]=>
string(1920) "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJERUMxMkI4QzdBMEM4MDNFMTYxQURDMTY0MkNFQkNCOEI1N0IzNkEiLCJ4NXQiOiJ2ZXdTdU1lZ3lBUGhZYTNCWkN6cnk0dFhzMm8iLCJ0eXAiOiJhdCtqd3QifQ.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6IjQ0MTNoZzMzaDdkemMxZXpldjYzcXlqcXd6IiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZSI6InN2ZW4iLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdmVuLnNjaGFldHpsQGdtYWlsLmNvbSIsImh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd3MvMjAwOC8wNi9pZGVudGl0eS9jbGFpbXMvcm9sZSI6IkFkbWluaXN0cmF0b3IiLCJQZXJtaXNzaW9uIjpbIk1hbmFnZVNldHRpbmdzIiwiQWNjZXNzQWRtaW5QYW5lbCIsIk1hbmFnZUFkbWluU2V0dGluZ3MiLCJNYW5hZ2VVc2VycyIsIk1hbmFnZUN1bHR1cmVxxxxxxxxxbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm9jOmVudHlwIjoidXNlciIsInN1YiI6IjQ0MTNoZzMzaDdkemMxZXpldjYzcXlqcXd6IiwibmFtZSI6InN2ZW4iLCJvaV9wcnN0Ijoid29yZHByZXNzLWF1dGhkZW1vLWJsb2ciLCJvaV9hdV9pZCI6ImI0OTk5NDY5NWY2ODQxMzVhODIxYWEwYWFkZjI4MDdkIiwiY2xpZW50X2lkIjoid29yZHByZXNzLWF1dGhkZW1vLWJsb2ciLCJvaV90a25faWQiOiIxNDRlZmZhNDBjZTE0YWU0YTQ0NDkyMjQ1MjAxNTdjMyIsImF1ZCI6Im9jdDpEZWZhdWx0Iiwic2NvcGUiOiJXb3JkcHJlc3NCZXJlaWNoIiwiZXhwIjoxNjIzNDIzNzk2LCJpc3MiOiJodHRwczovL2F1dGhkZW1vLmNvbWJpdC5uZXQvIiwiaWF0IjoxNjIzNDIwMTk2fQ.b0aUGNb8irpt-ogW6JGqhumrn63NGFlVylT_P8NaJQPYkFl4auWwMQBZ0lmLyeuNYn6RZFinSNuFXdgqBIW0ZNBvn1bJpmzgJrLmRvJs250FoS4RtyXY62nsUdZSSnjB9EBMx3b1ZG5XDpQaKZ58thwxz3hvsnPC0fjG5xLKfKiuufEXt0ncyfu0wha4FR-BoL0Twh-uM-LwnDY43_YyvDdpRfIvzLATgCJ6tRyaB6YWvN6IoKwZ34lH8BtEJhHQYnQ6pFBHm-dn4vEBsnFQbtqJq3mk-i-7UCKDy8dvlw5Q4icGqp4FOFIT38AOVMRzglq1FNnJPKMdJRPoO_nj_w"
["token_type"]=>
string(6) "Bearer"
["expires_in"]=>
int(3599)
["scope"]=>
string(16) "WordpressBereich"
}
}
["additional_data":protected]=>
array(0) {
}
}

[timnolte]

@svenniuwe so from the response it seems as though that Orchard-Core-Authorization Server is not sending a proper OpenID Connect authorization code back to the WordPress site, unless you intentionally left out the code request parameter value. Also your client ID and scopes also do not look like typically values. With the OpenID Connect setup with identity providers the client ID is usually generated by the IDP as it has to be unique, this isn't a value you just make up. A corresponding secret key is then generated for that client ID. Also the scopes that you can set for OpenID Connect are usually, at the very least, openid, profile, email, offline_access.

[timnolte]

Looking at the documentation for that server("OpenId - Orchard Core Documentation" https://docs.orchardcore.net/en/dev/docs/reference/modules/OpenId/) you need to make sure to enable Authorization Code flow.

[svenniuwe]

@timnolte Thank you very much for your indications!
I have already enabled "Authorization Code flow", but perhaps I have to indicate the parameters (like 'code') at the end of the Redirect-URL but I could not find any documentation about how to do it?

Screenshot: Application-configuration in Orchard-Core
(secret key is set and is the same on both ends, it is not displayed here for security reasons)

Screenshot: Authorization Server configuration in Orchard-Core

[kevinchalet]

Hey,

Also your client ID and scopes also do not look like typically values. With the OpenID Connect setup with identity providers the client ID is usually generated by the IDP as it has to be unique, this isn't a value you just make up.

Unique doesn't mean random 😄 (and FWIW, using non-random/user-defined strings is quite frequent when you don't have third-party clients)

I'm not familiar at all with oidc-wp but if I had to guess what's happening here:

• The openid scope is not requested.
• The OrchardCore OpenID module assumes it's not an OIDC request and treats it as an OAuth 2.0 request.
• Since it's not an OIDC request, no id_token is returned in the token response.
• The client detects there's no id_token in the response and throws a generic Invalid token response error.

Adding openid to the list of requested scopes should certainly fix this error.