🐛 Bug Report: Introspection Endpoint - Client id or secret not provided #28

Closed
opened 2025-07-08 08:37:57 -04:00 by AtHeartEngineer · 0 comments

Originally created by @andreas-soroko on 6/29/2025

Reproduction steps

  • Create an OIDC client with a secret
  • Obtain an access token
  • Try to make a request against the introspection endpoint
    • with basic auth clientid:clientsecret as base64
    • body with token=<accessToken>

Expected behavior

I would at least expect an error message that you can do something with, because clientId and secret were specified.

Actual Behavior

No matter what I do, I always get an error message.

  • I have an older OIDC client defined there (public client) without a secret; if I try to use this one, I get: "Invalid client secret"
  • If I try to create a new client which looks similar to the client above, I get "Client id or secret not provided"

Version and Environment

Version: 1.5.0 (updated from 1.1.0 - only noticed it because an app started to log auth errors)

Example:

curl --location --request POST '<instance>/api/oidc/introspect' \
--header 'Authorization: Basic NzQzYjJjZTctNjcwZC00MTA0LTk3ODgtODhkN2VlMWM4ZDlhOm1KOHlZOW5CQm9oSHNOYmFHbXBBNmZnNmt6dzNSSUZO' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=<token>'

Log Output

Log

[GIN] 2025/06/29 - 13:32:27 | 400 |     320.247µs |     192.168.0.1 | POST     "/api/oidc/introspect"
Error #01: client id or secret not provided

Response

{
    "error": "Client id or secret not provided"
}
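
A checker for the Basic credentials described in the reproduction steps, as an added example that is not part of the original report or of the project's code. `ParseClientBasicAuth` and its error names are hypothetical, the sample credentials are constructed, and the parsing follows RFC 6749 section 2.3.1, returning a distinct error for each way the header can be unusable.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var ( // one error per failure mode, so the caller learns which part is wrong
	ErrNoHeader    = errors.New("no Authorization header")
	ErrNotBasic    = errors.New("authorization scheme is not Basic")
	ErrBadBase64   = errors.New("credentials are not valid base64")
	ErrBadEscape   = errors.New("client id or secret is not valid form-urlencoding")
	ErrEmptyID     = errors.New("client id is empty")
	ErrEmptySecret = errors.New("client secret is empty")
)

// ParseClientBasicAuth (hypothetical helper) splits a Basic header on the first ':' and form-decodes each half.
func ParseClientBasicAuth(header string) (string, string, error) {
	if strings.TrimSpace(header) == "" {
		return "", "", ErrNoHeader
	}
	scheme, payload, ok := strings.Cut(strings.TrimSpace(header), " ")
	if !ok || !strings.EqualFold(scheme, "Basic") {
		return "", "", ErrNotBasic
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(payload))
	if err != nil {
		return "", "", ErrBadBase64
	}
	rawID, rawSecret, _ := strings.Cut(string(raw), ":") // no ':' leaves the secret empty
	id, errID := url.QueryUnescape(rawID)
	secret, errSecret := url.QueryUnescape(rawSecret)
	switch {
	case errID != nil || errSecret != nil:
		return "", "", ErrBadEscape
	case id == "":
		return "", "", ErrEmptyID
	case secret == "":
		return "", "", ErrEmptySecret
	}
	return id, secret, nil
}

func main() { // constructed sample credentials, not taken from the report
	fmt.Println(ParseClientBasicAuth("Basic " + base64.StdEncoding.EncodeToString([]byte("example-client:s3cr%3At"))))
}
```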
AtHeartEngineer added the bug label 2025-07-08 08:37:59 -04:00
Reference: github/pocket-id#28