oauth-2.0 - OAuth2.0 [PKCE] Flow failing between LinkedIn and Forgerock
Question
Implementation- Enable OAuth2.0 flow between LinkedIn & Forgerock AM where FR AM acts as a client and LinkedIn is the OAuth provider.
Problem- We are integrating "LinkedIn Sign In" into one of our apps using OAuth2.0 with Forgerock AM as a client. Right now, Forgerock, which is acting as a client, passes PKCE parameters in the authorization request to LinkedIn (code challenge & code challenge method) and we receive the authorization code along with the state parameter. But the subsequent request to retrieve the access token fails with a PKCE error.
Key info from the logs:

ERROR: Exception in processing the tree
org.forgerock.openam.auth.node.api.NodeProcessException: Unable to get UserInfo details from provider
    at org.forgerock.openam.auth.nodes.oauth.AbstractSocialAuthLoginNode.getUserInfo(AbstractSocialAuthLoginNode.java:338)
Caused by: org.forgerock.oauth.OAuthException: Unable to process request. {"error":"access_denied","error_description":"Not enough permissions to access Native PKCE protocol"}
    at org.forgerock.oauth.clients.oauth2.OAuth2Client.lambda$mapToJsonValue$0(OAuth2Client.java:126)
    at org.forgerock.util.CloseSilentlyFunction.apply(CloseSilentlyFunction.java:53)
    at org.forgerock.util.CloseSilentlyFunction.apply(CloseSilentlyFunction.java:29)
    at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:374)
    at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:536)
    at org.forgerock.util.promise.PromiseImpl.setState(PromiseImpl.java:577)
    at org.forgerock.util.promise.PromiseImpl.tryHandleResult(PromiseImpl.java:258)
    at org.forgerock.util.promise.PromiseImpl.handleResult(PromiseImpl.java:208)
    at org.forgerock.util.promise.PromiseImpl.lambda$then$6(PromiseImpl.java:374)
LinkedIn API reference & OAuth2.0 - https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/consumer/context
P.S. Forgerock AM when integrated with Google using OAuth2.0 [PKCE] is working absolutely fine.
Any help will be much appreciated. Thank you.
Answer
According to the Microsoft documentation: https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow-native you need to contact the LinkedIn team to have PKCE enabled for you, and the authorization URL for PKCE is also different - https://www.linkedin.com/oauth/native-pkce/authorization
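The client side of the flow the answer describes, as an added example that is not part of the original question, the answer, ForgeRock AM or LinkedIn's own code. It generates an RFC 7636 S256 verifier/challenge pair, builds the authorization URL against the native-PKCE endpoint named in the answer rather than the standard one, validates the redirect back to the client (state check), and assembles the token request that carries `code_verifier`. The standard authorization endpoint and the token endpoint URL are taken from the LinkedIn docs linked in the question; that the token endpoint is shared by both flows is an assumption made here. `client_id`, `redirect_uri` and the scope string are placeholders. `verify_code_challenge` shows the check the provider performs at the token endpoint; it is included so the pairing can be tested offline, not because it is something the client runs.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Standard endpoints from the LinkedIn docs linked in the question; the
# native-PKCE authorization endpoint is the one named in the answer.
# Assumption for this example: the token endpoint is the same for both flows.
STANDARD_AUTHZ_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"
NATIVE_PKCE_AUTHZ_ENDPOINT = "https://www.linkedin.com/oauth/native-pkce/authorization"
TOKEN_ENDPOINT = "https://www.linkedin.com/oauth/v2/accessToken"


def _b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, within RFC 7636's 43..128 range."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id, redirect_uri, state, scope, code_challenge, native_pkce=True):
    """Authorization request. With native_pkce=True the request goes to the
    native-PKCE endpoint from the answer; otherwise to the standard endpoint."""
    endpoint = NATIVE_PKCE_AUTHZ_ENDPOINT if native_pkce else STANDARD_AUTHZ_ENDPOINT
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Validate the redirect back to the client and return the authorization code.
    Rejects provider errors, a missing code, and a state that does not match the
    value this client sent (CSRF / mixed-up session)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if "error" in q:
        raise ValueError(f"provider returned {q['error']}: {q.get('error_description', '')}")
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"]


def build_token_request(code, client_id, redirect_uri, code_verifier, client_secret=None):
    """Form body for POST to TOKEN_ENDPOINT. A confidential client such as an AM
    instance also sends client_secret; a public native client sends only the verifier."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def verify_code_challenge(code_verifier: str, code_challenge: str, method: str = "S256") -> bool:
    """The provider-side check at the token endpoint: recompute the challenge from
    the presented verifier and compare it to the one stored with the code."""
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    # Placeholder client settings; the callback URL below is constructed input.
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("your-client-id", "https://am.example/callback",
                                  state, "profile email", challenge))
    code = parse_callback(f"https://am.example/callback?code=AQT-example&state={state}", state)
    print(build_token_request(code, "your-client-id", "https://am.example/callback", verifier))
    print("provider check:", verify_code_challenge(verifier, challenge))
```

The error in the question is an `access_denied` returned by LinkedIn, not a verifier/challenge mismatch, so nothing on the client side fixes it: the app has to be provisioned for native PKCE first, and the authorization request has to target the native-PKCE endpoint rather than the standard `/oauth/v2/authorization` one that the Google integration in the question happens to work with.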