Oauth2 -Error - Unknown/invalid scope(s)

Hi @cblakeley, @cblakeley,

this is the output:

  VAL.DBA.oauth_token (1ld, 'oidc', ('user.opendataclient' 'password' ))
  DB.DBA.app_reg_verify_error ('https://<IP>/oauth/verify.vsp?service=Auth%20Sog', ('service' 'Auth Sog' 'url' 'https://<IP>/oauth/verify.vsp?service=Auth%20Sog' 'scope' 'basic' 'realm' 'http://www.openlinksw.com/ontology/acl#DefaultRealm' 'proc' 'DB.DBA.app_reg_verify_success' 'eproc' 'DB.DBA.app_reg_verify_error' ), 'Auth Sog', '22023', 'Failed to connect to service \"Auth Sog\".')

Is blocked on this code:

      --no_c_escapes-
      --!
      --
      -- Services API - Success verify callback procedure
      --
      --/
      create procedure DB.DBA.app_reg_verify_success (
        in url varchar,
        in params any,
        in service varchar,
        in serviceId varchar,
        in profileData any,
        in oauthData any,
        in oauthSid varchar)
      {
        if ((registry_get ('__debug_oauth1.0') = '1') or (registry_get ('__debug_oauth2.0') = '1'))
          dbg_obj_princ ('DB.DBA.app_reg_verify_success (', url, params, service, serviceId, ')');
        declare _key, _secret varchar;
        -- no matching APP_REG row: report the service as not verified
        declare exit handler for not found
        {
          return sprintf ('%s&v=no', url);
        };
        update OAUTH.DBA.APP_REG set A_VERIFIED = 1 where A_NAME = service;
        select A_KEY, A_SECRET into _key, _secret from OAUTH.DBA.APP_REG where A_NAME = service;

        return sprintf ('%s&v=yes', url);
      }
      ;

@EdgarCap Please provide a Virtuoso console trace and a browser .har file like you have done previously. Without these it’s impossible to determine what is going wrong.

Issue registry_set ('__debug_oauth2.0', '1'); before running your test. This exposes additional OAuth-related debug output in the console trace.

/cc @hwilliams

Hi @cblakeley and @hwilliams,

I have sent a mail with the information you asked for.

With the debug option I can see only these lines:

  [THREAD 0x69b2420]:
  VAL.DBA.oauth_token (2ld, 'oidc', ('opendataclient' 'password' ))
  OAUTH2.DBA.dpop_create ('RSA', 'E1E80F34936411EEB1C7', 'https://<iptok>:8443/openam/oauth2/realms/root/realms/OpenData/access_token')
  DB.DBA.app_reg_verify_error ('https://<IP>/oauth/verify.vsp?service=Auth%20Sog', ('service' 'Auth Sog' 'url' 'https://<IP>/oauth/verify.vsp?service=Auth%20Sog' 'scope' 'basic' 'realm' 'http://www.openlinksw.com/ontology/acl#DefaultRealm' 'proc' 'DB.DBA.app_reg_verify_success' 'eproc' 'DB.DBA.app_reg_verify_error' ), 'Auth Sog', '22023', 'Failed to connect to service \"Auth Sog\".')

@EdgarCap

With the debug option I can see only these lines.

There should be much more debug output shown on the Virtuoso console than you’ve provided. Are you sure the registry setting has been set correctly using:
registry_set ('__debug_oauth2.0', '1');

You can verify this by issuing
select registry_get ('__debug_oauth2.0');

In the .har file you sent me, I see URLs of the form:
https://<ip>/...
Have you manually edited the har file to replace hostnames with “<ip>”? These don’t look like valid URLs.

Please send the full Virtuoso console debug output and a screenshot or details of the OAuth service binding configured in https://{virtuoso host}/oauth/admin.vsp

/cc @hwilliams

Hi @cblakeley and @hwilliams ,

I have used the latest version of the VAD sent to me by @hwilliams (Changing Default SPARQL ENDPOINT - #9 by hwilliams).

Here the status:

      SQL> select registry_get ('__debug_oauth2.0');
      registry_get
      LONG VARCHAR
      _______________________________________________________________________________
      
      1
      
      1 Rows. -- 1 msec.

I edited the script, replacing my real IP with the variable ip.
I will provide the additional info you have requested.

@EdgarCap: In the minimal console output you provided, I see:
OAUTH2.DBA.dpop_create ('RSA', 'E1E80F34936411EEB1C7', 'https://<iptok>:8443/openam/oauth2/realms/root/realms/OpenData/access_token')

Please check and confirm that https://<iptok>:8443/openam/oauth2/realms/root/realms/OpenData/access_token is the correct URL for the token endpoint of your target OAuth server. Please also disable DPoP support in the OAuth binding defined in https://{virtuoso host}/oauth/admin.vsp, by setting the selection to ‘None’. Uncheck the ‘Use Code Verify (PKCE)’ checkbox, then retry the ‘Verify’ button. It may be the case that ForgeRock IAM supports neither DPoP nor PKCE.

/cc @hwilliams

Hi @cblakeley and @hwilliams, finally I found the problem: the curl sent to IAM gives an error:

  C:>curl "https://iam.it:8443/openam/oauth2/realms/root/realms/OpenData/authorize?redirect_uri=https://<ip>/val/api/thirdparty_callback&client_id=xxxxxxx.opendataclient&state=85ee872d7b81b5b5902a2f4926460ecf&response_type=code&scope=openid^%^20email^%^20profile&nonce=c20964d3bf5028ca156c06ef97319505" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" -H "Accept-Encoding: gzip, deflate, br" -H "Accept-Language: it-IT,it;q=0.9" -H "Connection: keep-alive" -H "Cookie: OAUTH_REQUEST_ATTRIBUTES=eyJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczovLzI2LjAuMTg5LjE4OC92YWwvYXBpL3RoaXJkcGFydHlfY2FsbGJhY2siLCJzdGF0ZSI6Ijg1ZWU4NzJkN2I4MWI1YjU5MDJhMmY0OTI2NDYwZWNmIiwibm9uY2UiOiJjMjA5NjRkM2JmNTAyOGNhMTU2YzA2ZWY5NzMxOTUwNSIsImNsaWVudF9pZCI6ImMzNzg2ZmExYTBiZWM0OGYub3BlbmRhdGFjbGllbnQifQ==; amlbcookie=01; SIAMTHS=dwX5S3EfsAH9YIxlE2jhpqkD9g8.*AAJTSQACMDIAAlNLABwwRUcxNGJJbWNBSjVQRjA5aXpkSnoyRkNuMDA9AAR0eXBlAANDVFMAAlMxAAIwMQ..*" -H "Referer: https://iamt7.it:8443/openam/XUI/?realm=/OpenData&goto=https://iam.it::8443/openam/oauth2/realms/root/realms/OpenData/authorize?redirect_uri^%^3Dhttps://2<ip>/val/api/thirdparty_callback^%^26client_id^%^3Dc3786fa1a0bec48f.opendataclient^%^26state^%^3D85ee872d7b81b5b5902a2f4926460ecf^%^26response_type^%^3Dcode^%^26scope^%^3Dopenid^%^2520email^%^2520profile^%^26nonce^%^3Dc20964d3bf5028ca156c06ef97319505" -H "Sec-Fetch-Dest: document" -H "Sec-Fetch-Mode: navigate" -H "Sec-Fetch-Site: same-origin" -H "Sec-Fetch-User: ?1" -H "Upgrade-Insecure-Requests: 1" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" -H "sec-ch-ua: ""Not_A Brand"";v=""8"", ""Chromium"";v=""120"", ""Google Chrome"";v=""120""" -H "sec-ch-ua-mobile: ?0" -H "sec-ch-ua-platform: ""Windows"""
  <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the request target [&#47;openam&#47;oauth2&#47;realms&#47;root&#47;realms&#47;OpenData&#47;authorize?redirect_uri=https:&#47;&#47;26.0.189.188&#47;val&#47;api&#47;thirdparty_callback&amp;client_id=c3786fa1a0bec48f.opendataclient&amp;state=85ee872d7b81b5b5902a2f4926460ecf&amp;response_type=code&amp;scope=openid^%^20email^%^20profile&amp;nonce=c20964d3bf5028ca156c06ef97319505]. The valid characters are defined in RFC 7230 and RFC 3986</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).</p><p><b>Exception</b></p><pre>java.lang.IllegalArgumentException: Invalid character found in the request target [&#47;openam&#47;oauth2&#47;realms&#47;root&#47;realms&#47;OpenData&#47;authorize?redirect_uri=https:&#47;&#47;26.0.189.188&#47;val&#47;api&#47;thirdparty_callback&amp;client_id=c3786fa1a0bec48f.opendataclient&amp;state=85ee872d7b81b5b5902a2f4926460ecf&amp;response_type=code&amp;scope=openid^%^20email^%^20profile&amp;nonce=c20964d3bf5028ca156c06ef97319505]. The valid characters are defined in RFC 7230 and RFC 3986
          org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)
          org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
          org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
          org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:887)
          org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1684)
          org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
          java.base&#47;java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
          java.base&#47;java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
          org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          java.base&#47;java.lang.Thread.run(Thread.java:834)
  </pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.43</h3></body></html>

I think part of the request is not good: “scope=openid^%^20email^%^20profile&nonce=c20964d3bf5028ca156c06ef97319505”

Curl is working properly with these parameters (without scope and nonce):

    C:>curl "https://iamt.it:8443/openam/oauth2/realms/root/realms/OpenData/authorize?redirect_uri=https://ip/val/api/thirdparty_callback&client_id=xxxx.opendataclient&state=85ee872d7b81b5b5902a2f4926460ecf&response_type=code"

It is OK; the return code is 0.

It is like the problem we encountered in the previous case I posted before: Error of the Callback of third party Oauth

  -- scope request parameter is not required for authorization code grant
  -- if (not isnull (scope))
  --   params := params || sprintf ('&scope=%U', scope);

Let me know if everything is clear.
Regards.
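An added example, not code from the thread or from Virtuoso, that shows both sides of the diagnosis in this post: building the authorization-code request with the space-delimited scope percent-encoded as RFC 3986 requires (so "openid email profile" becomes openid%20email%20profile), and checking a request target for characters outside the RFC 3986 set, which is what Tomcat's 400 reports. Hostnames, client id, state and nonce values are constructed; only the Python standard library is used.

```python
"""Added example (not from the thread): encode an OAuth2 authorize request
correctly and detect the invalid request-target characters Tomcat rejects."""
from urllib.parse import urlencode, quote, urlsplit

# Characters RFC 3986 permits in a path and query: unreserved, sub-delims,
# ':' '@' '/' '?' and '%' for pct-encoding. Anything else (a literal space,
# a Windows cmd caret '^', a double quote) makes the request target invalid.
_ALLOWED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
               "-._~!$&'()*+,;=:@/?%")


def build_authorize_url(endpoint, redirect_uri, client_id, state, nonce, scopes):
    """Return the authorization-code request URL.

    `scopes` is a list of scope tokens; RFC 6749 joins them with a single
    space, which must travel as %20. The scope parameter is optional for the
    authorization code grant, so an empty list omits it entirely.
    """
    params = {
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "state": state,
        "response_type": "code",
    }
    if scopes:
        params["scope"] = " ".join(scopes)
    if nonce:
        params["nonce"] = nonce
    # quote (not the default quote_plus) so a space becomes %20 rather than '+'
    return endpoint + "?" + urlencode(params, quote_via=quote)


def invalid_request_target_chars(url):
    """Return the set of characters in the path+query that RFC 3986 does not
    permit; an empty set means the request line will pass Tomcat's parser."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return {c for c in target if c not in _ALLOWED}


if __name__ == "__main__":
    # Constructed values, mirroring the shape of the request in this thread.
    good = build_authorize_url("https://iam.example:8443/openam/oauth2/realms/root/realms/OpenData/authorize",
                               "https://rp.example/val/api/thirdparty_callback",
                               "client.opendataclient", "constructed-state", "constructed-nonce",
                               ["openid", "email", "profile"])
    print(good)
    print("invalid chars:", invalid_request_target_chars(good))
    broken = "https://iam.example:8443/authorize?scope=openid^%^20email^%^20profile&nonce=n"
    print("invalid chars:", invalid_request_target_chars(broken))
```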

@EdgarCap: Could this be an error in your test curl command, rather than an error in the OAuth binding defined in https://{virtuoso_host}/oauth/admin.vsp?

You can check the scopes supported by your OAuth server by looking at the binding in {virtuoso_host}/oauth/admin.vsp. Look at the JSON in the “Options (RP/ASmetadata)” tab for the identity provider configuration.

  {
    "issuer": "https://linkeddata.uriburner.com",
    "authorization_endpoint": "https://linkeddata.uriburner.com/OAuth2/authorize",
    "token_endpoint": "https://linkeddata.uriburner.com/OAuth2/token",
    "userinfo_endpoint": "https://linkeddata.uriburner.com/OAuth2/userinfo",
    "registration_endpoint": "https://linkeddata.uriburner.com/OAuth2/register",
    "end_session_endpoint": "https://linkeddata.uriburner.com/OAuth2/logout",
    "jwks_uri": "https://linkeddata.uriburner.com/OAuth2/keys",
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "dpop_signing_alg_values_supported": ["RS256", "ES256"],
    "scopes_supported": ["openid", "profile", "email", "address", "phone", "webid"],
    ...

Please check that the entries in the array for the “scopes_supported” member are not corrupted, as suggested by your curl test. (You could paste the JSON into an online JSON viewer such as Online JSON Viewer and Formatter.) Please provide us with a copy of this JSON.

If the problem persists then we need the following information from you:
Full Virtuoso console debug output and a screenshot or details of the OAuth service binding configured in https://{virtuoso host}/oauth/admin.vsp.
We’ve asked for this several times. Without this diagnostic info, we won’t be able to diagnose the problem.

/cc @hwilliams

Hi @cblakeley, @hwilliams, the curl was obtained directly from the GET via the Chrome feature, so I did not change the original GET for the test. The GET, as I said, contains:

scope=openid^%^20email^%^20profile&nonce=c20964d3bf5028ca156c06ef97319505

This is the original GET with “SPACES” in the scope parameter:
[screenshot]

As I said in this post (Error of the Callback of third party Oauth - #18 by EdgarCap), the product (ForgeRock IAM) does not accept/need the scope parameter for this call (authorize).

Here is some of the info you requested:

The text box “Options (RP/ASmetadata)” is empty.

The other information you requested:

    [THREAD 0x69401e0]:
    OAUTH2.DBA.check_authentication (('Content' 0 ), ('GET /oauth/admin.vsp HTTP/1.1\r\n' 'Host: 26.0.189.188\r\n' 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n' 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n' 'Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3\r\n' 'Accept-Encoding: gzip, deflate, br\r\n' 'Referer: https://<ip>/oauth/admin.vsp\r\n' 'Connection: keep-alive\r\n' 'Cookie: sid=60a4ec4c280a7b107327da054521f759\r\n' 'Upgrade-Insecure-Requests: 1\r\n' 'Sec-Fetch-Dest: document\r\n' 'Sec-Fetch-Mode: navigate\r\n' 'Sec-Fetch-Site: same-origin\r\n' 'Sec-Fetch-User: ?1\r\n' ))
    VAL.DBA.oauth_token (2ld, 'oidc', ('xxxx.opendataclient' 'password' ))
    DB.DBA.app_reg_verify_error ('https://<ip>/oauth/verify.vsp?service=Auth', ('service' 'Auth' 'url' 'https://<ip>/oauth/verify.vsp?service=Auth' 'scope' 'basic' 'realm' 'http://www.openlinksw.com/ontology/acl#DefaultRealm' 'proc' 'DB.DBA.app_reg_verify_success' 'eproc' 'DB.DBA.app_reg_verify_error' ), 'Auth', '22023', 'Failed to connect to service \"Auth\".')

Regards.


Hi @cblakeley, @hwilliams, I also tested the curl setting the parameter scope=openid and it is working properly, so the problem is in the scope parameter value.

Regards.

@EdgarCap: I’m wondering whether the scopes being returned by your IAM OAuth/OIDC server include embedded control characters, which might explain the scope
scope=openid^%^20email^%^20profile&nonce=...
in your browser trace. Using Virtuoso as the IdP, my browser trace shows
scope=openid%20profile%20email%20address%20phone%20webid&nonce=...

Please issue
select VAL.DBA.oauth_scope(VAL.DBA.oauth_options (A_OPTIONS)) from OAUTH.DBA.APP_REG where A_NAME = 'Auth'
(Assuming the service name in https://{virtuoso_host}/oauth/admin.vsp is ‘Auth’.) What scopes are returned?

Please also try
curl -iLk https://{iam host}/.well-known/openid-configuration
and send us the results.

/cc @hwilliams

Hi @cblakeley and @hwilliams,

the result of the query you asked me to run:

  Query result:
  oauth_scope
  ANY
   openid email profile

So there is “openid email profile”…

Must I update the DB so I can use just “openid”?

The curl gives me a 404 code; I am asking my IAM team to give me the right endpoint, if there is one.

Regards.