Hydra: crypto/bcrypt: hashedPassword is not the hash of the given password

Created on 2 Jan 2017  Â·  12Comments  Â·  Source: ory/hydra

Hi!
I have a problem with using response_type=code in javascript library (https://www.npmjs.com/package/openid-client).

Hydra v0.7.2

Request:

https://hydra/oauth2/auth?redirect_uri=wta%3A%2F%2Fauth&scope=openid%20all&state=4bdbfa61-6fe1-48fc-8aff-df6d8a4f26db&nonce=62491adc-8003-4cea-bd38-79bca4bdda00&response_type=code&client_id=wta-d

Response:

wta://auth?code=77aXBnscm10Fipd_pfNlk3hLbP23izsj8QMnDqTUoqc.xfDyGRGGVaXqpBGZNISqowDqVcnFgnYohWPw6VBau0w&scope=openid%20all&state=4bdbfa61-6fe1-48fc-8aff-df6d8a4f26db

Logs from the library:

{ HTTPError: Response code 401 (Unauthorized)
    at stream.catch.then.e (node_modules/openid-client/node_modules/got/index.js:129:13)
    at process._tickCallback (internal/process/next_tick.js:103:7)
  message: 'Response code 401 (Unauthorized)',
  host: 'hydra',
  hostname: 'hydra',
  method: 'POST',
  path: '/oauth2/token',
  statusCode: 401,
  statusMessage: 'Unauthorized' }

Client:

{
  "scope": "openid all",
  "redirect_uris": [
    "wta://auth"
  ],
  "grant_types": [
    "implicit",
    "authorization_code",
    "refresh_token"
  ],
  "response_types": [
    "code",
    "token",
    "id_token"
  ]
}

Hydra's logs:

Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=info msg="started handling request" method=GET remote=89.72.196.109 request="/oauth2/auth?redirect_uri=wta%3A%2F%2Fauth&scope=openid%20all&state=4bdbfa61-6fe1-48fc-8aff-df6d8a4f26db&nonce=62491adc-8003-4cea-bd38-79bca4bdda00&response_type=code&client_id=wta-d&consent=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3dGEtZCIsImV4cCI6MTQ4MzM4NzE1OCwiaWF0IjoxNDgzMzg2OTE4LCJqdGkiOiJkYzljNGE0Ni1mY2UyLTQ2ODItODlmNS0xMDhjMzFkNjFiZmIiLCJzY3AiOlsib3BlbmlkIiwiYWxsIl0sInN1YiI6ImIzMjhjNDcyLTRmMTktNDBmNy1hODM5LWRiMGY3ZTkwYmMyMyJ9.Opyr4jwFY_-F622FC-GdfIp6_Jal8B_ld_HzGnuUNZMX1Ig3OMcRGD3wUXO8ICg50KhVO3BvIK6W19LVRJEWFzy4B-bdh1Dld6nfFtPwy-Ie59L4p7860YO-Fa9HdAERh62KrO9GFImHuCmq4Z5P1SvBpbQid3b145r2CLTe6z6K1E-gN_AuDBnwVrYngVOsO4gIuh5ZKNHTss2f16YK1S6sJwxalGHJy3pz3dlv4-lWXSUnK1IAKKfrwiAL3Mcb4CCN5ghweSMrncKDC4Llt9XhUU6pHHhln28QLiHrw_e2sON-kjgeDzE-Kkas6Av26W_No6ftRMMV88Xk9VUIM_wtWMfxY7Oo9RTauEYy8VNxJ0_V8TwW4ETfTTElRijbwQ0Ofaz4PpQBoli-53bwyHOsKQXbF6N_WOmHE70VHMhjao_H0ywunmmHA_U4xTq6Lhq1zrPYTPxsN3PSB104eD-oEp3VBALv77TWCKEPMs9hiD4Vhl3kOgID_keRzWgXLEuVsMq8dKwVVBmSMZtzoWa6Sdc6-dSuZrD0A4uIEu5NgTVZL9OeAjDrTe6GtkQDyu78vNI1Z9YtZc01W9If3qZArZTaSjhiu3eUEofxafS9iIFb3XXt2XnxIrEGcJoy3Ge_yV_h66RwdPCriu5165fUMTVNFrLbgEEn6OR90Ro"
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=info msg="completed handling request" measure#web.latency=8159197 method=GET remote=89.72.196.109 request="/oauth2/auth?redirect_uri=wta%3A%2F%2Fauth&scope=openid%20all&state=4bdbfa61-6fe1-48fc-8aff-df6d8a4f26db&nonce=62491adc-8003-4cea-bd38-79bca4bdda00&response_type=code&client_id=wta-d&consent=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3dGEtZCIsImV4cCI6MTQ4MzM4NzE1OCwiaWF0IjoxNDgzMzg2OTE4LCJqdGkiOiJkYzljNGE0Ni1mY2UyLTQ2ODItODlmNS0xMDhjMzFkNjFiZmIiLCJzY3AiOlsib3BlbmlkIiwiYWxsIl0sInN1YiI6ImIzMjhjNDcyLTRmMTktNDBmNy1hODM5LWRiMGY3ZTkwYmMyMyJ9.Opyr4jwFY_-F622FC-GdfIp6_Jal8B_ld_HzGnuUNZMX1Ig3OMcRGD3wUXO8ICg50KhVO3BvIK6W19LVRJEWFzy4B-bdh1Dld6nfFtPwy-Ie59L4p7860YO-Fa9HdAERh62KrO9GFImHuCmq4Z5P1SvBpbQid3b145r2CLTe6z6K1E-gN_AuDBnwVrYngVOsO4gIuh5ZKNHTss2f16YK1S6sJwxalGHJy3pz3dlv4-lWXSUnK1IAKKfrwiAL3Mcb4CCN5ghweSMrncKDC4Llt9XhUU6pHHhln28QLiHrw_e2sON-kjgeDzE-Kkas6Av26W_No6ftRMMV88Xk9VUIM_wtWMfxY7Oo9RTauEYy8VNxJ0_V8TwW4ETfTTElRijbwQ0Ofaz4PpQBoli-53bwyHOsKQXbF6N_WOmHE70VHMhjao_H0ywunmmHA_U4xTq6Lhq1zrPYTPxsN3PSB104eD-oEp3VBALv77TWCKEPMs9hiD4Vhl3kOgID_keRzWgXLEuVsMq8dKwVVBmSMZtzoWa6Sdc6-dSuZrD0A4uIEu5NgTVZL9OeAjDrTe6GtkQDyu78vNI1Z9YtZc01W9If3qZArZTaSjhiu3eUEofxafS9iIFb3XXt2XnxIrEGcJoy3Ge_yV_h66RwdPCriu5165fUMTVNFrLbgEEn6OR90Ro" status=302 text_status=Found took=8.159197ms
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=info msg="started handling request" method=POST remote=89.72.196.109 request="/oauth2/token"
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=error msg="An error occurred" error="crypto/bcrypt: hashedPassword is not the hash of the given password: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)
crypto/bcrypt: hashedPassword is not the hash of the given password: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=debug msg="Stack trace: \ngithub.com/ory-am/hydra/vendor/github.com/ory-am/fosite.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/vendor/github.com/ory-am/fosite/errors.go:21\ngithub.com/ory-am/hydra/client.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/client/manager_sql.go:230\ngithub.com/ory-am/hydra/cmd/server.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/cmd/server/helper_keys.go:43\ngithub.com/ory-am/hydra/cmd.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/cmd/version.go:30\nmain.init\n\t/home/travis/gopath/src/github.com/ory-am/hydra/main.go:41\nruntime.main\n\t/home/travis/.gimme/versions/go1.7.linux.amd64/src/runtime/proc.go:172\nruntime.goexit\n\t/home/travis/.gimme/versions/go1.7.linux.amd64/src/runtime/asm_amd64.s:2086"
Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=info msg="completed handling request" measure#web.latency=83694026 method=POST remote=89.72.196.109 request="/oauth2/token" status=401 text_status=Unauthorized took=83.694026ms

Most helpful comment

Not the user's password, but the password of your oauth2 client. The auth_code requires a client secret when exchanging the auth code for a token. You can however set the public flag to true in your client, then the client won't need a secret for that flow!

All 12 comments

Wrong password?

Jan 02 21:55:18 p1 hydra[13275]: time="2017-01-02T21:55:18+02:00" level=error msg="An error occurred" error="crypto/bcrypt: hashedPassword is not the hash of the given password: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)
crypto/bcrypt: hashedPassword is not the hash of the given password: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)"

Client authentication failed but I can't see any client authenticating. This isn't the client credentials grant, it's the authorization code.

( and I'm 100% the user's password is typed ok )

Not the user's password, but the password of your oauth2 client. The auth_code requires a client secret when exchanging the auth code for a token. You can however set the public flag to true in your client, then the client won't need a secret for that flow!

I believe the public flag is simply appending "public": true to the JSON body when you're creating the client at POST http://hydra/clients or by doing hydra clients create /* ... */ --is-public

The solution from gitter is to add "public":true to the client definition.

Any idea on how to add a "public":true to the client definition when the client is part of a remote website that is trying to auth to a local hydra server (do not that it works on other openid connect servers), or some override in hydra to imply "public":true?

Check the docs, section advanced iirc. Also, questions in chat or forum only please.

On 6. Sep 2018, at 05:50, OvermindDL1 notifications@github.com wrote:

Any idea on how to add a "public":true to the client definition when the client is part of a remote website that is trying to auth to a local hydra server (do not that it works on other openid connect servers), or some override in hydra to imply "public":true?

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

Check the docs, section advanced iirc.

I've been over those but I didn't find I way, I ended up mutating it on the nginx front-loader to get working.

Also, questions in chat or forum only please.

Ah very nice, where would those be located, what is the IRC room and on which IRC server? (I'm in console terminal 95% of my day so anything that works on the commandline is fine, I'm even using github right here and now from the commandline. :- ) )

It’s literally the first subsection in advanced: https://www.ory.sh/docs/guides/master/hydra/6-how-to/3-advanced#creating-a-public-oauth-20-client

Links to relevant forums and chatrooms as well as rules for opening issues are written in the issue template, the one you deleted when you opened this issue.

On 6. Sep 2018, at 17:53, OvermindDL1 notifications@github.com wrote:

Check the docs, section advanced iirc.

I've been over those but I didn't find I way, I ended up mutating it on the nginx front-loader to get working.

Also, questions in chat or forum only please.

Ah very nice, where would those be located, what is the IRC room and on which IRC server? (I'm in console terminal 95% of my day so anything that works on the commandline is fine, I'm even using github right here and now from the commandline. :- ) )

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

It’s literally the first subsection in advanced:

Hmm, I didn't make the connection, I don't know OAuth2 well, I'm setting this up for someone else to allow their other services to access their Discourse forum as the login source so I'm learning on the way. I do apologize for the noise!

Links to relevant forums and chatrooms as well as rules for opening issues are written in the issue template, the one you deleted when you opened this issue.

Ah, I didn't open the issue so I never saw it, issue templates don't appear in the comment on an issue. :-)

EDIT: Checked the issue template, but the chat appears to redirect to a Discord thing, what is the IRC room for a bridge, or is there a commandline client for Discord that I'm unable to find on a cursory Google search? Brow.sh makes a decent command-line browser for most sites but Discord is a bit too much for it... >.>

Ohhh I see, totally my bad then. I’m also not using GH (only mail) at the moment and didn’t see that it was an existing issue. Glad you got it resolved!

On 6. Sep 2018, at 18:39, OvermindDL1 notifications@github.com wrote:

It’s literally the first subsection in advanced:

Hmm, I didn't make the connection, I don't know OAuth2 well, I'm setting this up for someone else to allow their other services to access their Discourse forum as the login source so I'm learning on the way. I do apologize for the noise!

Links to relevant forums and chatrooms as well as rules for opening issues are written in the issue template, the one you deleted when you opened this issue.

Ah, I didn't open the issue so I never saw it, issue templates don't appear in the comment on an issue. :-)

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

In case anyone stumbles on this issue, as per the documentation, you would have to add the field "token_endpoint_auth_method": "none" to the client.

Was this page helpful?
0 / 5 - 0 ratings