"Client ID is missing" error accessing Tanzu Academy

Article ID: 385371


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access the internet through a local on-premises proxy that forwards traffic into Cloud SWG.

When users access tanzu.academy and click the login button, they submit their email address but, instead of being asked for their credentials, they see an error page indicating that the "client ID is missing".

Roaming users accessing the same site via WSS Agent have no such errors.

Environment

Proxy Forwarding Access method.

Cloud SWG.

Tanzu Academy.

Cause

The proxy removes the "Authorization: Basic" HTTP header, which contains the needed Client ID.

This is by design, to avoid potentially leaking user credentials.

Resolution

Disable SSL interception for the tanzu.academy domain.

Another option (if the tenant is managed using UPE) is to create policy that allows forwarding of the Authorization: Basic HTTP header, as per the following KB.

Additional Information

The HAR file shows that the POST of credentials to the token endpoint returns a 400 Bad Request status, with the response payload offering more details as to why.

// Request snippet

POST https://access.broadcom.com/default/oauth2/v1/token HTTP/2.0
:
authorization: Basic #############
origin: https://tanzu.academy
referer: https://tanzu.academy/
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.59 Safari/537.36
Host: access.broadcom.com

grant_type=client_credentials&scope=urn%3Aiam%3Amyscopes

// Response snippet

HTTP/2.0 400
access-control-allow-credentials: true
access-control-allow-origin: https://tanzu.academy
server: cloudflare
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers

{"clientTxnid":null,"error":"invalid_request","error_description":"'client_id' is missing"}

The client_id is included within the base64 encoded Authorization: Basic header value.

Armed with this information, we checked the HTTP debug and confirmed that the "Authorization: Basic" HTTP request header is NOT forwarded to the OCS by the proxy. Had the client_id been included in an "Authorization: Bearer" header, it would have been forwarded, as the removal only applies to the Basic Authorization header.
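
The HAR check described above, as an added example that is not part of the original article or any Broadcom tooling: it decodes the Authorization: Basic value on each POST to recover the client_id (the secret is discarded) and flags entries where the browser sent it but the server answered 400 complaining about client_id. The sample credentials and HAR entry are constructed, and the function names are hypothetical; the field names follow the HAR 1.2 format.

```python
import base64
import json
from urllib.parse import unquote_plus


def client_id_from_basic(header_value):
    """Return the OAuth client_id carried in an 'Authorization: Basic' value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, _secret = decoded.partition(":")  # secret is deliberately not returned
    return unquote_plus(user) if sep else None


def diagnose_har(har):
    """Flag POSTs where the browser sent a client_id but the server reported it missing."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        headers = {h["name"].lower(): h["value"] for h in req["headers"]}
        client_id = client_id_from_basic(headers.get("authorization", ""))
        try:
            body = json.loads(resp.get("content", {}).get("text") or "{}")
        except ValueError:
            body = {}
        if not isinstance(body, dict):
            body = {}
        rejected = (resp["status"] == 400
                    and "client_id" in str(body.get("error_description", "")))
        if req["method"] == "POST" and client_id and rejected:
            findings.append({"url": req["url"], "client_id": client_id,
                             "verdict": "Basic header sent by browser, not seen by server"})
    return findings


# Constructed sample: the credentials and the HAR entry are made up for illustration.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"example-client-id:example-secret").decode()
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"method": "POST",
                "url": "https://access.broadcom.com/default/oauth2/v1/token",
                "headers": [{"name": "authorization", "value": SAMPLE_BASIC}]},
    "response": {"status": 400, "content": {"text": '{"clientTxnid":null,'
                 '"error":"invalid_request","error_description":"\'client_id\' is missing"}'}},
}]}}

if __name__ == "__main__":
    print(diagnose_har(SAMPLE_HAR))
```

A finding means the header left the browser intact, so the place to look next is whatever sits between the client and the token endpoint.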