# talk-hydra
f
I'm trying to configure Hydra to work with Google OAuth2, but it's throwing this error:

```
oauth2: cannot fetch token: 401 Unauthorized Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).","error_hint":"The OAuth 2.0 Client supports client authentication method 'client_secret_basic', but method 'client_secret_post' was requested. You must configure the OAuth 2.0 client's 'token_endpoint_auth_method' value to accept 'client_secret_post'.","status_code":401}
```
Here's the config that I'm using:

```yaml
serve:
  admin:
    host: localhost
    cors:
      allowed_origins:
        - http://localhost
        - http://localhost:3000
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
      allow_credentials: true
      debug: true
  cookies:
    same_site_legacy_workaround: true
    same_site_mode: Lax
  public:
    host: localhost
    cors:
      allowed_origins:
        - http://localhost
        - http://localhost:3000
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
      allow_credentials: true
webfinger:
  oidc_discovery:
    token_url: https://oauth2.googleapis.com/token
    auth_url: https://accounts.google.com/o/oauth2/v2/auth
    userinfo_url: https://openidconnect.googleapis.com/v1/userinfo
    jwks_url: https://www.googleapis.com/oauth2/v3/certs
    supported_claims:
      - email
      - family_name
      - given_name
      - name
      - picture
      - sub
    supported_scope:
      - openid
      - email
      - profile
      - offline
      - offline_access
oidc:
  dynamic_client_registration:
    default_scope:
      - openid
      - email
      - profile
      - offline
      - offline_access
    enabled: false
urls:
  login: http://localhost:3000/login
  consent: http://localhost:3000/consent
  logout: http://localhost:3000/logout
  error: http://localhost:3000/error
  post_logout_redirect: http://localhost:3000/login
  self:
    public: http://localhost:4444
    issuer: http://localhost:4444
strategies:
  access_token: opaque
  scope: exact
ttl:
  access_token: 1h
  refresh_token: 1h
  id_token: 1h
  auth_code: 1h
  login_consent_request: 1h
oauth2:
  session:
    encrypt_at_rest: false
  include_legacy_error_fields: true
  exclude_not_before_claim: true
  allowed_top_level_claims:
    - email
    - name
  hashers:
    bcrypt:
      cost: 10
  grant:
    jwt:
      iat_optional: true
      max_ttl: 1h
      jti_optional: true
  expose_internal_errors: true
secrets:
  cookie:
    - <some secret>
  system:
    - <some secret>
profiling: cpu
dangerous-force-http: true
dangerous-allow-insecure-redirect-urls:
  - ""
log:
  leak_sensitive_values: false
  format: json_pretty
dsn: "mysql://root:<some-password>@tcp(localhost:3306)/hydra_oauth?parseTime=true"
```
Here's the client config from the `hydra_client` table:

```
response_types = token|code|id_token
scope = openid email profile
token_endpoint_auth_method = client_secret_basic
grant_types = client_credentials
```
I tried different combinations of `grant_types = client_credentials` & `authorization_code` and `token_endpoint_auth_method = client_secret_basic` and `client_secret_post`, but still no luck.
a
Do you get a different error when you use `client_secret_post`?