8

I am getting an issue while integrating an external provider, i.e. Google, with Thinktecture IdentityServer v3. I am getting the following error: "The client application is not known or is not authorized." Does anyone have any idea about this error?

user1918328

5 Answers

16

@Whoever, it looks like you have a mismatch on the RedirectUri values in the client and server.

The RedirectUri property in the client startup defines the URI that will be called after authentication by the identity server. The RedirectUris in the server config defines the list of allowed URIs that can request authentication. The client startup RedirectUri must therefore be included in the server's RedirectUris list.

Looks like your client's RedirectUri is currently pointing at the server's URI. Is your client running on port 46289? If so, try changing the value of RedirectUri property in the client startup to https://localhost:46289. You might also want to try modifying the server's redirectUris value to use https rather than http, assuming that your client really is accessible over https.

Server client store:

using System.Collections.Generic;
using Thinktecture.IdentityServer.Core.Models;

public static IEnumerable<Client> Get()
{
    return new[] {
         new Client {
             Enabled = true,
             ClientName = "MVC Client",
             ClientId = "mvc",
             Flow = Flows.Implicit,

             RedirectUris = new List<string>{
                 "https://localhost:46289/"  // client home url
             }
         }
    };
}

Client startup:

using Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public void Configuration(IAppBuilder app)
{
    ConfigureAuth(app);
    app.UseCookieAuthentication(new CookieAuthenticationOptions {
        AuthenticationType = "Cookies"
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions {
            Authority = "https://localhost:44300/identity",
            ClientId = "mvc",
            RedirectUri = "https://localhost:46289/", // must be in server's Client.RedirectUris
            ResponseType = "id_token",

            SignInAsAuthenticationType = "Cookies"
        });
}
BinaryMash
  • Tried both, changing the redirect URI and https, still the same error. Also noticed when adding the client-related NuGet package, it made lots of modifications that weren't in the Thinktecture downloaded MVC sample. Not sure why they put server and client code in the same sample, I wasn't even sure where the server ends and client begins, maybe missed something important elsewhere. Guess I have to go back to the even simpler example without MVC to start over again. Thanks for your help. – Whoever Mar 02 '15 at 20:52
  • Have you looked at the sample at http://identityserver.github.io/Documentation/docs/overview/simplestOAuth.html? This has a self hosted server, a web api and a console within the same solution. I _think_ I arrived at my current sample (a self hosted server, and an mvc website in IIS, each within their own .sln) by pretty much picking one project from each of the two "Getting Started" samples listed at http://identityserver.github.io/Documentation/docs/, then doing some minor tweaks, eg turning off SSL on the server side, and adjusting the URIs in the server/client config as described above. – BinaryMash Mar 03 '15 at 22:26
  • Yes, I just finished that one step by step. It has server, web api and client. But in the MVC example, it jumps from server, to add cookie and openidconnect package, then add [authorize] to about controller. I couldn't tell where the server ends and client begins. I leave the server part in one empty project, then created a separate MVC project and start from the cookie/openid step and got that client unknown error. Not sure if I understand the whole thing correctly. I'm now going back to check the web hosted server sample, and maybe some individual client. Seems a lot to learn. – Whoever Mar 04 '15 at 04:20
  • @Whoever - did you ever arrive at a solution with this? Just experiencing the same issue. – Matt Woodward Sep 14 '15 at 10:31
  • @MattWoodward It has been a while, I forgot the exact situation when I asked this. Did you run into this with Google integration in particular, or just trying to split the id server from the client? – Whoever Sep 14 '15 at 17:54
  • @Whoever Just splitting up the server & client at this point, with an empty mvc client with a simple [Authorize] check on the about page. Everything appears to be running ok (under SSL) but the call for authorization is where the issue pops up. I've checked all the points above (i.e. Redirect Uris, client ID), but no joy. Note: This is with UseOpenIdConnectAuthentication and UseCookieAuthentication setup on the Mvc client – Matt Woodward Sep 14 '15 at 23:46
  • @Whoever found my issue! I was missing the scopes for the client under both the Mvc app and on the server doh! I've posted my resolution below to hopefully help anyone else in the same boat! – Matt Woodward Sep 15 '15 at 06:16
6

I had this problem. The RedirectUris entry in the server almost matched the RedirectUri in the client Startup.Configuration; all but for the trailing slash.

https://localhost:46289/

is not the same as

https://localhost:46289

When I added the slash, my login page appeared.

Skip Saillors
2

I've been working through the same issue but just authenticating against Identity Server (Google is next to tackle on my list). I saw the issue because the Scopes for the client weren't set up on both the Mvc and Server. To resolve the issue I added the Scopes into the Startup class (of the Mvc client) as follows:

using Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44301",
            Scope = "openid profile email roles",   // each scope must also be in the server's AllowedScopes
            ClientId = "mvc",
            RedirectUri = "https://localhost:44300/",
            ResponseType = "id_token",

            SignInAsAuthenticationType = "Cookies"
        });

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });
    }
}

..and also in the server's list of clients:

using System.Collections.Generic;
using Thinktecture.IdentityServer.Core;
using Thinktecture.IdentityServer.Core.Models;

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            new Client
            {
                Enabled = true,
                ClientName = "MVC Client",
                ClientId = "mvc",
                Flow = Flows.Implicit,
                RequireConsent = true,
                RedirectUris = new List<string>
                {
                    "https://localhost:44300/"
                },
                PostLogoutRedirectUris = new List<string>
                {
                    "https://localhost:44300/"
                },
                AllowedScopes = new List<string> {
                    Constants.StandardScopes.OpenId,
                    Constants.StandardScopes.Profile,
                    Constants.StandardScopes.Email,
                    Constants.StandardScopes.Roles
                }
            }
        };
    }
}

In relation to the OP's question with Google, it may be worth checking your scopes correlate with those supported by your app setup within the Google Developer Console too. There's a good SO post on supported scopes at Where can I find a list of scopes for Google's OAuth 2.0 API?

Hope that helps :)

Matt Woodward
0

Looks like the client (the application in which you want to have the possibility to log in with Google) is not registered in the client store. Could you, please, show your Startup Configuration?

Pavlo
  • Not my question, but I do have the same error. Pasting my code below, since comment can't hold it. – Whoever Feb 27 '15 at 22:56
0

In my case, I was not careful and was changing the values in Startup.cs under UseOpenIdConnectAuthentication (which are what the integrated web application uses to connect to itself) when I should have been changing the values in Clients.Get(), which are the allowed clients that the server has configured.

Once I fixed those, I was able to separate client and server into two applications with only some NuGet packages and UseCookieAuthentication/UseOpenIdConnectAuthentication in the client application.

You can get the error if the client is not enabled, if the redirect URI does not match one in the list (it uses a case-insensitive exact match), if the scopes requested are not in the allowed scope list, if the flow requested does not match what is allowed (you can only have one per client) and/or if the client ids do not match.

Lukos
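The checks enumerated in the answer above (and the trailing-slash and missing-scope cases from the earlier answers) all collapse into the same generic "not known or is not authorized" message, which is why the root cause is hard to spot. The following added example, which is not IdentityServer's own code, models those checks in Python so the specific rejection reason can be seen: the client store mirrors the shape of the Clients.Get() on this page, the request shape and the FLOW_FOR_RESPONSE_TYPE mapping are assumptions for the sake of the example, and treating the client id as case-sensitive is likewise an assumption.

```python
"""Model of the validation an OpenID Connect authorization server applies to an
authorize request before it will show a login page.  Added example: not
IdentityServer v3 code; the rules are those described by the answers on this page
(client known and enabled, redirect URI matched exactly but case-insensitively,
requested scopes inside AllowedScopes, requested flow equal to the client's flow)."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Client:
    client_id: str
    enabled: bool
    flow: str                      # a client has exactly one flow, e.g. "implicit"
    redirect_uris: List[str]
    allowed_scopes: List[str]


@dataclass
class AuthorizeRequest:
    client_id: str
    redirect_uri: str
    response_type: str             # what the client's ResponseType setting sends
    scope: str                     # space-separated, as the client's Scope setting sends it


# Assumed mapping from response_type to the flow the server must have configured.
FLOW_FOR_RESPONSE_TYPE = {
    "id_token": "implicit",
    "id_token token": "implicit",
    "code": "authorization_code",
}

# Constructed server-side client store, mirroring Clients.Get() on this page.
CLIENT_STORE = [
    Client(
        client_id="mvc",
        enabled=True,
        flow="implicit",
        redirect_uris=["https://localhost:44300/"],   # registered WITH a trailing slash
        allowed_scopes=["openid", "profile", "email", "roles"],
    ),
]


def validate_authorize_request(req: AuthorizeRequest, store: List[Client]) -> Optional[str]:
    """Return None when the request is acceptable, otherwise the specific reason
    that the user-facing generic error message hides."""
    # Assumption: client id comparison is case-sensitive.
    client = next((c for c in store if c.client_id == req.client_id), None)
    if client is None:
        return "unknown client_id"
    if not client.enabled:
        return "client disabled"

    # Exact match after lower-casing both sides: no prefix matching and no
    # normalisation, so "https://localhost:44300" != "https://localhost:44300/".
    registered = {u.lower() for u in client.redirect_uris}
    if req.redirect_uri.lower() not in registered:
        return "redirect_uri not registered"

    if FLOW_FOR_RESPONSE_TYPE.get(req.response_type) != client.flow:
        return "flow not allowed for client"

    # Every requested scope must appear in the server-side AllowedScopes list.
    missing = set(req.scope.split()) - set(client.allowed_scopes)
    if missing:
        return "scope not allowed: " + " ".join(sorted(missing))
    return None


def diagnose(client_id: str, redirect_uri: str, scope: str,
             response_type: str = "id_token") -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    reason = validate_authorize_request(
        AuthorizeRequest(client_id, redirect_uri, response_type, scope), CLIENT_STORE)
    return "ok" if reason is None else reason


if __name__ == "__main__":
    cases = [
        ("mvc", "https://localhost:44300/", "openid profile email roles"),
        ("mvc", "https://localhost:44300", "openid profile"),          # trailing slash missing
        ("mvc", "HTTPS://LOCALHOST:44300/", "openid"),                 # case differs: accepted
        ("mvc", "https://localhost:44300/", "openid offline_access"),  # scope not allowed
        ("mvc", "https://localhost:44300/", "openid", "code"),         # wrong flow
        ("MVC", "https://localhost:44300/", "openid"),                 # id mismatch
    ]
    for case in cases:
        print(case, "->", diagnose(*case))
```

Running the block prints one line per constructed case; the second case reproduces the trailing-slash mismatch from Skip Saillors' answer and the fourth the missing-scope situation from Matt Woodward's, each with its own reason instead of the single generic message.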