Error 400 Client credentials are invalid when using OIDC revocation endpoint

Article ID: 232587

Products

SITEMINDER
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The customer has integrated a few applications using an OIDC configuration and is trying to use the revocation endpoint URL.
However, a POST to /affwebservices/CASSO/oidc/client_name/revoke over TLSv1.2 returns HTTP 400 Bad Request.

FWSTrace.log shows:

[01/06/2022][19:22:57][1152][4632][23c7093f-816d978f-07c7201a-f1bf1ec8-ee15ba56-1b2][OpenIDConnectServiceBase.java][sendJSONErrorResponse][ Sending error JSON message: 
{"error":"invalid_request","error_description":"Client credentials are invalid."} 
 with error code:400]

Interestingly, when comparing what the OIDC client application submits with the OIDC client configuration on the SiteMinder side, the client ID and secret match.

Environment

Release : 12.8

Component : SITEMINDER SECURE PROXY SERVER

Cause

A misconfiguration in the OIDC client configuration on the SiteMinder side.

Resolution

The OIDC client definition in the Administrative UI has an Authentication Type setting.

It specifies the mechanism the client must use to authenticate itself:

Select Basic to send the client credentials in the Authorization header.
Select POST to send the client credentials in the POST body.

The OIDC client application sends the client ID and secret in the POST body, but the OIDC client on the SiteMinder side is set to "Basic", so SiteMinder looks for the client ID and secret in the Authorization header and never finds them.
Hence the error: "Client credentials are invalid."
The two sides must match in how the credentials are transmitted and which protocol is used: set the Authentication Type to the method the client application actually sends.
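The mismatch described above, as an added illustration (not SiteMinder's code): a client that builds the /revoke request either way, and a simplified server-side check that only looks where its configured Authentication Type says the credentials will be. The client ID, secret and token values are constructed placeholders.

```python
import base64
from urllib.parse import urlencode, parse_qs

# Constructed sample credentials (assumptions, not values from the article).
CLIENT_ID = "client_name"
CLIENT_SECRET = "s3cr3t-example"
ERROR_400 = {"error": "invalid_request",
             "error_description": "Client credentials are invalid."}


def build_revoke_request(client_auth_type, token):
    """Headers and form body an OIDC client sends to /revoke.
    'Basic' = client_id:client_secret in the Authorization header
    (client_secret_basic); 'POST' = both in the form body (client_secret_post).
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token, "token_type_hint": "access_token"}
    if client_auth_type == "Basic":
        raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif client_auth_type == "POST":
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unknown authentication type: {client_auth_type}")
    return headers, urlencode(form)


def extract_client_credentials(configured_auth_type, headers, body):
    """Server side: read credentials only from where the client's configured
    Authentication Type says they will be; None if they are not there."""
    if configured_auth_type == "Basic":
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None  # sent in the POST body instead: never looked at
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        return client_id, secret
    params = parse_qs(body)
    if "client_id" in params and "client_secret" in params:
        return params["client_id"][0], params["client_secret"][0]
    return None  # sent in the Authorization header instead: never looked at


def revoke(configured_auth_type, client_auth_type, token):
    """Simulate the revocation endpoint: returns (HTTP status, JSON body)."""
    headers, body = build_revoke_request(client_auth_type, token)
    creds = extract_client_credentials(configured_auth_type, headers, body)
    if creds != (CLIENT_ID, CLIENT_SECRET):
        return 400, ERROR_400
    return 200, {}
```

Calling revoke("Basic", "POST", token) reproduces the article's case: the credentials are correct but sit in the body, so the server configured for Basic answers 400 with "Client credentials are invalid."; aligning the two types returns 200.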