Identityserver4: Identity server /connect/token is returning unauthorized client

Created on 27 Sep 2017 · 7 Comments · Source: IdentityServer/IdentityServer4

I am using .net core 2.0 identity server 4 approach

I am trying to get access token from identity server using postman.

Postman post request

x-www-form-urlencode post

client_id:ASAP-Mobile
client_secret:ASAP@Mobile
response_type:code id_token
scope:openid profile aspa-api offline_access
grant_type:password

Client configuration

```csharp
new Client
{
    ClientId = "ASAP-Mobile",
    ClientName = "ASAP Mobile Client",
    AllowedGrantTypes = GrantTypes.Hybrid,
    //Used to retrieve the access token on the back channel.
    ClientSecrets =
    {
        new Secret("ASAP@Mobile".Sha256())
    },
    RedirectUris = { $"{clientsUrl["ASAPMobileUrl"]}" },
    RequireConsent = false,
    PostLogoutRedirectUris = { $"{clientsUrl["ASAPMobileUrl"]}/Account/Redirecting" },
    AllowedCorsOrigins = { "http://asapmobile" },
    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.OfflineAccess,
        "asap-api",
    },
    //Allow requesting refresh tokens for long lived API access
    AllowOfflineAccess = true
},
```
Here is log

```
Start token request validation
dbug: IdentityServer4.Validation.TokenRequestValidator[0]
Start resource owner password token request validation
fail: IdentityServer4.Validation.TokenRequestValidator[0]
ASAP-Mobile not authorized for resource owner flow
fail: IdentityServer4.Validation.TokenRequestValidator[0]
{
  "ClientId": "ASAP-Mobile",
  "ClientName": "ASAP Mobile Client",
  "GrantType": "password",
  "Raw": {
    "client_id": "ASAP-Mobile",
    "client_secret": "REDACTED",
    "response_type": "code id_token",
    "scope": "openid profile aspa-api offline_access",
    "grant_type": "password"
  }
}
```

Here is Screenshot

[screenshot not included in this copy]

All 7 comments

You set the allowed grant type to be hybrid - but you are using the password grant type in postman. Hence the error.

@leastprivilege available grant types are authorization_code, client_credentials, password, refresh_token
so what should i use in grant type for hybrid?

I have same issue, did you manage to resolve it?

@GuerrillaCoder make sure you are using AllowedGrantTypes = GrantTypes.ResourceOwnerPassword for client, and must be a same Scope as defined in your client scopes
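The two comments above (grant type must be ResourceOwnerPassword, scopes must match) are easiest to see side by side in a client definition. The following is an added example, not code from the issue or from IdentityServer4 itself: it keeps the `ClientId`, secret, `clientsUrl` dictionary and `"asap-api"` scope from the question, and the `RequestToken` method assumes the separate IdentityModel package is referenced. Note that the Postman request in the question asks for the scope `aspa-api`, which does not match the configured `asap-api`; the scope string in the request must be exactly the configured name.

```csharp
// Added example (not from the original thread).
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;      // assumed: IdentityModel NuGet package
using IdentityServer4;
using IdentityServer4.Models;

public static class Clients
{
    public static IEnumerable<Client> Get(IDictionary<string, string> clientsUrl) => new List<Client>
    {
        // Client that the token endpoint will accept for grant_type=password.
        // There is no browser round trip, so no RedirectUris and no response_type.
        new Client
        {
            ClientId = "ASAP-Mobile",
            ClientName = "ASAP Mobile Client",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets = { new Secret("ASAP@Mobile".Sha256()) },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "asap-api",   // request must use exactly this name ("aspa-api" is rejected)
            },
            // offline_access is granted through this flag, not through AllowedScopes.
            AllowOfflineAccess = true
        },

        // Hybrid client, as in the question. For this client the token endpoint only
        // ever sees grant_type=authorization_code (exchanging the code returned by the
        // authorize endpoint) or grant_type=refresh_token. Posting grant_type=password
        // to it is what produces "ASAP-Mobile not authorized for resource owner flow".
        new Client
        {
            ClientId = "ASAP-Web",            // hypothetical second client id
            ClientName = "ASAP Web Client",
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("ASAP@Web".Sha256()) },   // constructed value
            RedirectUris = { $"{clientsUrl["ASAPMobileUrl"]}/signin-oidc" },
            PostLogoutRedirectUris = { $"{clientsUrl["ASAPMobileUrl"]}/Account/Redirecting" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "asap-api",
            },
            AllowOfflineAccess = true
        }
    };
}

public static class TokenRequests
{
    // The request side that matches the ResourceOwnerPassword client above.
    // Equivalent to the Postman form body: client_id, client_secret, username,
    // password, scope and grant_type=password (response_type is not a token
    // endpoint parameter and should be omitted).
    public static async Task<TokenResponse> RequestToken(HttpClient http, string authority,
                                                        string userName, string password)
    {
        return await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = authority.TrimEnd('/') + "/connect/token",
            ClientId = "ASAP-Mobile",
            ClientSecret = "ASAP@Mobile",
            UserName = userName,
            Password = password,
            Scope = "openid profile asap-api offline_access"
        });
    }
}
```

With the first client definition the token endpoint still needs a way to check the user's password: IdentityServer4 only runs the resource owner flow when an `IResourceOwnerPasswordValidator` is registered (the ASP.NET Identity integration provides one). If the response is `invalid_scope` rather than `unauthorized_client`, compare the `scope` parameter in the log's `Raw` block character by character against `AllowedScopes`.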

@rahulmistry25425 Thanks. My issue was that and I had to make the callback URLS match my local callback url.

I am facing the same issue of "unauthorized client". I have absolutely no clue in terms of what needs to be done to fix the issue. Can someone please help.

I have AllowedGrantTypes = implicit

[screenshot not included in this copy]

I have the following configuration:

[screenshot not included in this copy]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
