I'm in bother with IdentityServer4 again! This time hooking to WPF.

Like the .NET Core site now running successfully I am using 'Hybrid' but while the web site would return grant type 'authorization_code', the WPF app is falling over. This is the log extract:

What I have tried:

This is the logged output from my IdentityServer:

```
SELECT [c0].[Id], [c0].[ClientId], [c0].[RedirectUri]
FROM (
SELECT TOP(@__p_1) [c].[Id], [c].[AbsoluteRefreshTokenLifetime], [c].[AccessTokenLifetime], [c].[AccessTokenType], [c].[AllowAccessTokensViaBrowser], [c].[AllowOfflineAccess], [c].[AllowPlainTextPkce], [c].[AllowRememberConsent], [c].[AlwaysIncludeUserClaimsInIdToken], [c].[AlwaysSendClientClaims], [c].[AuthorizationCodeLifetime], [c].[BackChannelLogoutSessionRequired], [c].[BackChannelLogoutUri], [c].[ClientClaimsPrefix], [c].[ClientId], [c].[ClientName], [c].[ClientUri], [c].[ConsentLifetime], [c].[Created], [c].[Description], [c].[DeviceCodeLifetime], [c].[EnableLocalLogin], [c].[Enabled], [c].[FrontChannelLogoutSessionRequired], [c].[FrontChannelLogoutUri], [c].[IdentityTokenLifetime], [c].[IncludeJwtId], [c].[LastAccessed], [c].[LogoUri], [c].[NonEditable], [c].[PairWiseSubjectSalt], [c].[ProtocolType], [c].[RefreshTokenExpiration], [c].[RefreshTokenUsage], [c].[RequireClientSecret], [c].[RequireConsent], [c].[RequirePkce], [c].[SlidingRefreshTokenLifetime], [c].[UpdateAccessTokenClaimsOnRefresh], [c].[Updated], [c].[UserCodeType], [c].[UserSsoLifetime]
FROM [Clients] AS [c]
WHERE [c].[ClientId] = @__clientId_0
) AS [t]
INNER JOIN [ClientRedirectUris] AS [c0] ON [t].[Id] = [c0].[ClientId]
dbug: IdentityServer4.EntityFramework.Stores.ClientStore[0]
VTConsole found in database: True
dbug: IdentityServer4.Stores.ValidatingClientStore[0]
client configuration validation for client VTConsole succeeded.
dbug: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Checking for PKCE parameters
fail: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Invalid grant type for client: authorization_code
{
"ClientId": "VTConsole",
"ClientName": "VTConsole Client",
"RedirectUri": "http://localhost/VT_ConsoleCore",
"AllowedRedirectUris": [
"http://localhost/VT_ConsoleCore"
],
"SubjectId": "anonymous",
"ResponseType": "code",
"ResponseMode": "query",
"GrantType": "authorization_code",
"RequestedScopes": "",
"State": "pW44DAo0a5FM6jjnYCMaGQ",
"Raw": {
"response_type": "code",
"nonce": "uddkyT-k7lbKpLfFArzmiw",
"state": "pW44DAo0a5FM6jjnYCMaGQ",
"code_challenge": "X-rkJyBEUWcS7_hrpVzsKQP5C-lC_Sd1Yll_xu195tA",
"code_challenge_method": "S256",
"client_id": "VTConsole",
"scope": "LDH001 offline_access CMDS ",
"redirect_uri": "http://localhost/VT_ConsoleCore"
}
}
fail: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
```

The query logged here returns client_id 7 and the redirect URI http://localhost/VT_ConsoleCore - both as expected.

The entry on ClientGrantTypes for ID 7 is hybrid.

ClientScopes has entries for LDH001, offline_access, and CMDS but while LDH001 is new, it is present in APIScopes and APIResources.

This is how I am calling IdentityServer4 from my WPF codebehind:

```csharp
var options = new OidcClientOptions
{
    Authority = this.config.p_Authority,
    ClientId = this.config.p_ClientId,
    RedirectUri = "http://localhost/VT_ConsoleCore",
    Browser = new WpfEmbeddedBrowser()
};
foreach (CScopeMasterBase scope in this.scopes)
{
    options.Scope += $"{scope.p_AddScopeFor} ";
}

_oidcClient = new OidcClient(options);
```


Would something like AuthenticationFlow in the options or something else be needed?
Updated 24-Mar-20 20:22pm

1 solution

The options need the following additional entry:

```csharp
Flow = OidcClientOptions.AuthenticationFlow.Hybrid,
```


The final call to the identity server from WPF is:

```csharp
this.scopes = new List<CScopeMasterBase>();
scopes = this.ldh.GetScopes(this.config.p_ClientId); // scopes read from config

var options = new OidcClientOptions
{
    Authority = this.config.p_Authority, // URL of identity server read from config
    ClientId = this.config.p_ClientId,
    RedirectUri = "http://localhost/VT_ConsoleCore",
    Flow = OidcClientOptions.AuthenticationFlow.Hybrid,
    ClientSecret = "secret",
    Browser = new WpfEmbeddedBrowser()
};
foreach (CScopeMasterBase scope in this.scopes)
{
    options.Scope += $"{scope.p_AddScopeFor} ";
}

_oidcClient = new OidcClient(options);
```
 
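The following is an added example, not part of the original question or answer and not IdentityServer4's own code. It shows why the logged request was rejected: the server derives the grant type from `response_type` (here `code` gives `authorization_code`) and compares it with the client's `ClientGrantTypes` entry (`hybrid`). The class name, the `Diagnose` helper and the trimmed request JSON are assumptions made for illustration; the response_type-to-flow table follows the OpenID Connect flow definitions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

static class AuthorizeRequestTriage   // hypothetical helper, for illustration only
{
    // response_type -> grant type, per the OpenID Connect flow definitions.
    // Keys are stored with their parts sorted so that the order sent by the client does not matter.
    static readonly Dictionary<string, string> FlowFor = new Dictionary<string, string>
    {
        ["code"] = "authorization_code",
        ["id_token"] = "implicit",
        ["token"] = "implicit",
        ["id_token token"] = "implicit",
        ["code id_token"] = "hybrid",
        ["code token"] = "hybrid",
        ["code id_token token"] = "hybrid",
    };

    static string Normalize(string responseType) =>
        string.Join(" ", (responseType ?? "").Split(' ', StringSplitOptions.RemoveEmptyEntries)
                                             .OrderBy(p => p, StringComparer.Ordinal));

    // Returns null when the request is acceptable, otherwise the reason it would be rejected.
    public static string Diagnose(string rawRequestJson, ISet<string> allowedGrantTypes)
    {
        using var doc = JsonDocument.Parse(rawRequestJson);
        var responseType = doc.RootElement.GetProperty("response_type").GetString();
        if (!FlowFor.TryGetValue(Normalize(responseType), out var grant))
            return $"unsupported response_type '{responseType}'";
        if (allowedGrantTypes.Contains(grant))
            return null;
        var usable = FlowFor.Where(kv => allowedGrantTypes.Contains(kv.Value)).Select(kv => kv.Key);
        return $"Invalid grant type for client: {grant}; response_type values this client may send: "
             + string.Join(", ", usable.Select(u => $"'{u}'"));
    }

    static void Main()
    {
        var allowed = new HashSet<string> { "hybrid" };   // ClientGrantTypes row from the question
        // Constructed from the "Raw" block of the log in the question (PKCE and scope fields omitted).
        var failing = "{\"response_type\":\"code\",\"client_id\":\"VTConsole\"}";
        var fixedUp = "{\"response_type\":\"id_token code\",\"client_id\":\"VTConsole\"}";
        Console.WriteLine(Diagnose(failing, allowed));
        Console.WriteLine(Diagnose(fixedUp, allowed) ?? "request accepted");
    }
}
```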
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


