I have configured tls_client_auth as per the instructions for FRAM 7.2.0, but it fails with
{
"error_description": "Client authentication failed",
"error": "invalid_client"
}
when I send
curl --location --request POST 'https://fram.connectid.darkedges.com/openam/oauth2/access_token' \
--header 'X-SSL-CERT: -----BEGIN%20CERTIFICATE-----%0AMIIEnjCCA4agAwIBAgIUTBokdwRUwdhoDg9ybfm9NU5%2Fjo4wDQYJKoZIhvcNAQEL%0ABQAwSTESMBAGA1UEChMJRm9yZ2VSb2NrMQ0wCwYDVQQLEwRJREFNMSQwIgYDVQQD%0AExtGb3JnZVJvY2sgSURBTSBJbnRlcm1lZGlhdGUwHhcNMjIxMDE0MjIzMTE4WhcN%0AMjMxMDE0MjIzMTQ4WjBjMQswCQYDVQQGEwJBVTERMA8GA1UECBMIVmljdG9yaWEx%0AEjAQBgNVBAcTCU1lbGJvdXJuZTEtMCsGA1UEAxMkNTkyMTUzOGItOWM1Mi00ODkw%0ALWI0YzAtMmFmNmJiZDE3ODllMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC%0AAQEA1aJ%2FhTSow8O69RS%2FHoM0gnzvSpKXTtyZUr52Zx5%2F%2BPrKDq%2BR99cOAe4biZWI%0ApQwW5PXpX0PvcyI1qlNEp6szBZ5RBjlGFvqB5IdbLUiejcWvohbwYBm7NbvmqNuv%0AT47JIw81yzr38oue2ZFLv10M5Xehbcf4RPekdSfAN6OEhJ%2BaE7%2FcXoFGbs8jO0Mr%0AQMdOBUB5KfcNczISkZzVeAzCPgXGw3CHj9qXSA2vpU%2Fow1cBArCj2ayhjh2P%2F1Wq%0AniG3%2FSNLu%2B6BhSHmfmEZunWbYwo4cag0nINq1sScvRB%2BYK45v3d9%2Be4BHK44Bfe%2B%0AQGc7zlbjlvZeyO469l1Oe1VJDwIDAQABo4IBYjCCAV4wDgYDVR0PAQH%2FBAQDAgOo%0AMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUVRMEK0ii%0AAXfEjcdX%2Fa3U3T3YzXcwHwYDVR0jBBgwFoAUSkAaDYPBgQ8AXA5tBokaAvFJrkEw%0AYgYIKwYBBQUHAQEEVjBUMFIGCCsGAQUFBzAChkZodHRwczovL3ZhdWx0LmludGVy%0AbmFsLmRhcmtlZGdlcy5jb20vdjEvZm9yZ2Vyb2NrX2lkYW1faW50ZXJtZWRpYXRl%0AL2NhMC8GA1UdEQQoMCaCJDU5MjE1MzhiLTljNTItNDg5MC1iNGMwLTJhZjZiYmQx%0ANzg5ZTBYBgNVHR8EUTBPME2gS6BJhkdodHRwczovL3ZhdWx0LmludGVybmFsLmRh%0AcmtlZGdlcy5jb20vdjEvZm9yZ2Vyb2NrX2lkYW1faW50ZXJtZWRpYXRlL2NybDAN%0ABgkqhkiG9w0BAQsFAAOCAQEAKYCodncCin3hFDh%2BHWutE79aN4bRmy4hloGe6iw1%0AtnGFYeELnHnyrwqahB4LRdiE%2Fet0%2Fwvp9ML7chKkj3KBDrwkIeZLiBSHcAYPRdKs%0ACIm1QrXfcmDUpePdZuhw5Jvj9K0n6zDj01l7o7oxcN0iM4CfY9hBnRPQW4%2BsX%2BdQ%0A%2BK4jXJmUKhv1FB35frNlZFPQErsv9hvgheKjlBx0Uod8YWZQIbK%2FNiuT7nwKYffG%0A7IiwvYkIHCk8UHIROAQZbyWdNCemIqEHgD0rjGjrziBs5Haeq9T7iKUCmsy8aPbY%0AzWXx22Q1O8HepjJ4u23XyRj6eE8HmKY8naVbiqTJcyygVw%3D%3D%0A-----END%20CERTIFICATE-----' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=5921538b-9c52-4890-b4c0-2af6bbd1789e' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope=profile' \
--data-urlencode 'response_type=token'
I believe it is finding the correct secret mapping as I have enabled otherlogging
debug logging and can see it find the secret correctly. I have entered the SubjectDN as CN=5921538b-9c52-4890-b4c0-2af6bbd1789e,L=Melbourne,S=Victoria,C=AU
but there is nothing in the logs that would indicate any issues. I can see it finds the trusted header as that shows up as found in the logs,
Any ideas on how to trouble shoot this?
Edit:
Found this when OAuth2Provider
logging is enabled and set to Debug
OAuth mTLS authentication: set of trust anchors for client 5921538b-9c52-4890-b4c0-2af6bbd1789e is empty
Nicholas