
No grant found for state #368

Closed
pkoffdeff opened this issue Jun 6, 2017 · 6 comments

Comments

@pkoffdeff
Contributor

I try to do an OpenID login (at Keycloak) for an API with the Resource Owner Password Credentials Grant
(https://tools.ietf.org/html/rfc6749#section-4.3) via the following code:

    # Assumed: this runs inside a Flask view function, which is where
    # request, session and jsonify come from.
    from flask import jsonify, request, session
    from oic import rndstr
    from oic.oic import Client
    from oic.oic.message import RegistrationResponse
    from oic.utils.authn.client import CLIENT_AUTHN_METHOD

    if not request.form["username"] or not request.form["password"]:
        return jsonify(error="ERROR_NO_USERNAME_OR_PASSWORD"), 400

    # Discover the provider and register the (static) client credentials.
    client = Client(
        client_authn_method=CLIENT_AUTHN_METHOD, verify_ssl=False)
    provider_info = client.provider_config(
        'https://sso.itisim.com/auth/realms/sso.itisim.com/')
    info = {"client_id": "XXXXX", "client_secret": "XXXXXX",
            'redirect_uris': "https://XXXXX/api/auth/login/"}
    client_reg = RegistrationResponse(**info)
    client.store_registration_info(client_reg)

    session["state"] = rndstr()
    session["nonce"] = rndstr()
    args = {
        'grant_type': 'password',
        "client_id": client.client_id,
        "client_secret": client.client_secret,
        "response_type": "code",
        "scope": ["openid"],
        "nonce": session["nonce"],
        "redirect_uri": client.registration_response["redirect_uris"][0],
        "state": session["state"],
        "username": request.form["username"],
        "password": request.form["password"]
    }
    # This is the call that raises GrantError: no grant has been stored
    # for this state, because no authorization request was made first.
    client.do_access_token_request(request_args=args, state=session["state"])

But every time I get: GrantError: No grant found for state:'XXX'
I think at this moment there should be no grant available, as the client is not even authenticated (different from the Authorization Code Flow as in the docs).

For interest, the traceback is:

    File "/usr/local/lib/python2.7/dist-packages/oic/oic/__init__.py", line 634, in do_access_token_request
      authn_method, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/oic/oauth2/__init__.py", line 747, in do_access_token_request
      **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/oic/oauth2/__init__.py", line 465, in request_info
      **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/oic/oic/__init__.py", line 496, in construct_AccessTokenRequest
      extra_args, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/oic/oauth2/__init__.py", line 369, in construct_AccessTokenRequest
      grant = self.get_grant(**kwargs)
    File "/usr/local/lib/python2.7/dist-packages/oic/oauth2/__init__.py", line 295, in get_grant
      raise GrantError("No grant found for state:'%s'" % state)

@tpazderka
Collaborator

You are trying to get an access token without authorization first.

You should do client.do_authorization_request

@pkoffdeff
Contributor Author

pkoffdeff commented Jun 6, 2017

    resp = client.do_authorization_request(request_args=args, state=session["state"])
    return resp

this gives me an HTML response which is the login page of Keycloak, so nothing to use with Resource Owner Password Credentials Grant

this was also the problem with the example for the Authorization Code flow

    auth_req = client.construct_AuthorizationRequest(request_args=args)
    login_url = auth_req.request(client.authorization_endpoint)

is no option as it requires a redirect to the Keycloak where the user then needs to sign in

also, doing just a POST request to the token endpoint with the given args returns an access_token

@tpazderka
Collaborator

That is correct, the user has to log in before getting the info about them.

@pkoffdeff
Contributor Author

Right, that's totally clear. My problem is that I need to provide any information via API: the Python script gets user and password and then authenticates the user against the Keycloak info. After some research I found to use Resource Owner Password Credentials Grant.

This way it should be (and actually is, as tested and stated above) possible to just receive the access_token, id_token and refresh_token needed. But now I would like to integrate that into the Client object, and best practice would be to use the functions of the object itself rather than passing information from external requests. What is your best practice for using pyoidc with Resource Owner Password Credentials Grant?
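The bare token-endpoint exchange the reporter says works, written out as an added example (not code from the thread or from pyoidc): a password-grant request per RFC 6749 section 4.3.2 with HTTP Basic client authentication, no state/nonce/redirect_uri, and validation of the token response. The endpoint URL, the injected `post` callable and the fake Keycloak responder are assumptions so the exchange runs offline.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Assumed placeholder for the Keycloak token endpoint; not taken from the thread.
TOKEN_ENDPOINT = "https://sso.example.test/auth/realms/example/protocol/openid-connect/token"

def build_ropc_request(client_id, client_secret, username, password, scope=("openid",)):
    """Token request for the password grant (RFC 6749 section 4.3.2).

    There is no prior authorization step, so state, nonce, response_type and
    redirect_uri do not belong here. The client authenticates with HTTP Basic
    (RFC 6749 section 2.3.1) instead of a client_secret form field.
    """
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": " ".join(scope)})
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body

def parse_token_response(status, text):
    """Validate the token response (RFC 6749 sections 5.1 and 5.2)."""
    data = json.loads(text)
    if status != 200 or "error" in data:
        raise ValueError(f"token request failed: {data.get('error', status)}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    wanted = ("access_token", "id_token", "refresh_token")
    missing = [k for k in wanted if k not in data]
    if missing:
        raise ValueError(f"response lacks {missing}")
    return {k: data[k] for k in wanted}

def ropc_login(post, client_id, client_secret, username, password):
    """Run the exchange through an injected post(url, headers, body) -> (status, text)."""
    url, headers, body = build_ropc_request(client_id, client_secret, username, password)
    return parse_token_response(*post(url, headers, body))

def fake_token_endpoint(url, headers, body):
    """Constructed stand-in for the Keycloak token endpoint so the example runs offline."""
    form = parse_qs(body)
    good_auth = "Basic " + base64.b64encode(b"XXXXX:XXXXXX").decode()
    if form.get("grant_type") != ["password"] or headers.get("Authorization") != good_auth:
        return 400, json.dumps({"error": "invalid_client"})
    if form.get("username") != ["alice"] or form.get("password") != ["correct horse"]:
        return 401, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps({"access_token": "at-1", "id_token": "idt-1",
                            "refresh_token": "rt-1", "token_type": "Bearer"})
```

Swap `fake_token_endpoint` for a real HTTP client (for example a thin wrapper around `requests.post`) to talk to an actual Keycloak realm.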

@tpazderka
Collaborator

Ah, OK. I haven't used Resource Owner Password Credentials Grant myself so someone else might be able to help you here.

@decentral1se
Contributor

@pkoffdeff, we're very lacking in documentation and I really don't think there is a best practice 😄 It's up to you! If you get something working, please do report back and consider bringing anything you learn upstream.

pkoffdeff added a commit to pkoffdeff/pyoidc that referenced this issue Jun 22, 2017