
Error: The request contains authorization header and client_id in SPS


Article ID: 254398

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When CA Access Gateway (SPS) runs as an OIDC Provider and a Postman client sends a token request to SPS, the browser shows the error:

  {"error":"invalid_request","error_description":"The request contains authorization header and client_id \u0026 client_secret in body."}

  Error: The request contains authorization header and client_id & client_secret in body.

 

Environment

 

  CA Access Gateway (SPS) 12.8SP6 on Windows 2016;
  AdoptOpenJDK 11.0.16.8;

 

Cause

 

At first glance, this is the expected behavior when the OIDC Client is configured with Application Type: Confidential and Authentication Type: Basic.

For Confidential applications using Basic authentication, the client_id must be sent in the Authorization header, whose value is calculated from the client's credentials:

  Authorization: Basic encoded(client_id:client_secret)

Thus the client_id already reaches the token endpoint in the Authorization header; when the request body also carries client_id and client_secret, the token endpoint rejects the duplicate client credentials with the error above.

To avoid this, configure an Authentication Scheme other than Basic or Windows.

The SiteMinder documentation describes the same behavior as expected when the Authentication Scheme is Basic (1).

 

Resolution

 

Configure the journey to use an Authentication Scheme other than the Basic or Windows Authentication Scheme.

Configure the OIDC Client Authentication Type as POST.
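The following is an added example (not part of this article or of the SPS product code) that shows both sides of the rule described above: how a client builds the Basic Authorization header or the POST-body alternative, and the server-side check that rejects a request carrying credentials in both places. The client_id and client_secret are the values encoded in the documented example header; the rest of the request values are taken from the documented Request 2.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Credentials decoded from the documented header "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW".
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
CODE = "SplxlOBeZQQYbYS6WxSbIA"
REDIRECT_URI = "https://sample.ca.com/example/redirect_uri"

DUPLICATE_CREDS_ERROR = {
    "error": "invalid_request",
    "error_description": "The request contains authorization header and client_id & client_secret in body.",
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization value for Authentication Type Basic: Basic encoded(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(auth_type: str, extra_body_creds: bool = False):
    """Return (headers, form_body) for the token endpoint.

    "Basic": credentials only in the Authorization header.
    "POST":  credentials only in the form body (the article's second resolution).
    extra_body_creds=True reproduces the Postman mistake: Basic header plus
    client_id/client_secret duplicated in the body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": CODE, "redirect_uri": REDIRECT_URI}
    if auth_type == "Basic":
        headers["Authorization"] = basic_auth_header(CLIENT_ID, CLIENT_SECRET)
    if auth_type == "POST" or extra_body_creds:
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    return headers, urlencode(form)


def validate_client_auth(headers: dict, body: str):
    """Server-side check mirroring the documented rule: client credentials may
    come from the Authorization header OR the POST body, never both.
    Returns (http_status, error_object_or_None)."""
    form = parse_qs(body, keep_blank_values=True)
    has_header = any(k.lower() == "authorization" for k in headers)
    creds_in_body = any(k in form for k in ("client_id", "client_secret"))
    if has_header and creds_in_body:
        return 400, dict(DUPLICATE_CREDS_ERROR)
    return 200, None
```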

 

Additional Information

 

(1)

    Example Request and Responses

      Request 2: Token request format for a Confidential client application that uses Basic authentication type

      POST /affwebservices/CASSO/oidc/sample_client/token HTTP/1.1
      Host: wa.example.com
      Content-Type: application/x-www-form-urlencoded
      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

      grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fsample.ca.com%2Fexample%2Fredirect_uri

      Response 2: Invalid response

      400 Bad Request
      Cache-Control: no-store
      Content-Type: application/json; charset=UTF-8
      Pragma: no-store

      { "error": "invalid_grant", "error_description": "Invalid authorization code" }

      Error Codes and Messages

      | Scenario                                                                                                             | Error Code      | Error Description                                                                       | HTTP Status Code |
      |----------------------------------------------------------------------------------------------------------------------+-----------------+-----------------------------------------------------------------------------------------+------------------|
      | Duplicate client credentials are sent with both authorization header, and client_id and/or client_secret in POST body | invalid_request | The request body contains both authorization header and client_id/client_secret          | 400              |