Identity Server: The client application is not known or is not authorized

I am trying to connect an Angular 12 app to an already existing API instance on my.network. (I am unable to access the source code for the API.)

This API is secured with Identity Server which has a MS SQL back end which I can edit.

I am blocked from being able to exchange my code for a token with the message below:

Error message: "The client application is not known or is not authorized."

Postman works, so I know there's a way around this; I'm just not familiar with Identity Server (having a LAMP background). Is there a way to OK the client in the DB or a setting somewhere outside any compiled stuff?

Using a code flow I can post my client info and get a code back. (Initially I was presented with a CORS issue which I finally resolved by adding a record to the CORS exceptions table.)

For the token request in exchange for the code and other values, my http.post headers are:

    const authorizationData = 'Bearer ' + btoa(CLIENT_ID + ':' + receivedCode);
    let headers = new HttpHeaders();
    headers = headers.set('Content-Type', 'application/x-www-form-urlencoded');
    headers = headers.set('Authorization', authorizationData);

The body is:

    let body = {
      'grant_type': 'authorization_code',
      'redirect_uri': this.REDIRECT_URI,
      'code': receivedCode,
    };

And the http.post that is getting the error response is:

    this.http.post<any>(validateTokenUrl, body, { headers }).subscribe((data: any) => {
      console.log(data);
    });

The Request headers are:

    POST /id/core/connect/token HTTP/1.1
    Accept: application/json, text/plain, */*
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Authorization: Bearer ZjQ5YT... (NOTE: I trimmed this for easier display.)
    Connection: keep-alive
    Content-Length: 171
    Content-Type: application/x-www-form-urlencoded
    Host: APIserverName.domain.com
    Origin: http://localhost:4200
    Referer: http://localhost:4200/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
    sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"

The Response headers are:

    Access-Control-Allow-Origin: http://localhost:4200
    Content-Length: 26
    Content-Type: application/json; charset=utf-8
    Date: Thu, 01 Dec 2022 21:50:08 GMT
    Strict-Transport-Security: max-age=518400; includeSubDomains
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block

The provided body is:

    {
      "grant_type":"authorization_code",
      "redirect_uri":"http://localhost:4200",
      "code":"019c2748341d6efa143dd5af0381bae7",
      "client_secret":"1c66cba7-27cf-5......" (NOTE: I trimmed this for easier display.)
    }

I did try the below but saw no output anywhere.

    <system.diagnostics>
      <trace autoflush="true">
        <listeners>
          <add name="TextWriter"
               type="System.Diagnostics.TextWriterTraceListener"
               initializeData="Trace.log" />
        </listeners>
      </trace>
    </system.diagnostics>

When you get the authorization code, you need to exchange it for the real tokens using a request that looks like the one below in the picture.

The exact URL you can get from the discovery document endpoint.

One of your problems is that you pass the code in the authorization header:

Authorization: Bearer ZjQ5YT...
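
The token request the answer describes, as an added example that is not part of the original answer or of Identity Server's own code. It follows the standard OAuth 2.0 authorization-code exchange (RFC 6749); the function names, the host `idp.example`, and the client values are constructed for illustration.

```javascript
// Added example. The endpoint path is the one shown in the question; all values are constructed.
const b64 = (s) => (typeof btoa === 'function' ? btoa(s) : Buffer.from(s).toString('base64'));

// Build an RFC 6749 section 4.1.3 token request for the authorization_code grant.
function buildTokenRequest({ tokenEndpoint, clientId, clientSecret, code, redirectUri }) {
  const form = new URLSearchParams({
    grant_type: 'authorization_code',
    code,                       // the code travels in the form body, not in a header
    redirect_uri: redirectUri,  // must match the value sent on the authorize request
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (clientSecret) {
    // Client authentication via HTTP Basic: base64(client_id:client_secret).
    // Assumption: neither value contains characters that need escaping.
    headers.Authorization = 'Basic ' + b64(clientId + ':' + clientSecret);
  } else {
    // No secret (public client): identify the client in the body instead.
    form.set('client_id', clientId);
  }
  return { url: tokenEndpoint, headers, body: form.toString() };
}

// Flag problems in a token request before it is sent.
function diagnoseTokenRequest({ headers, body }) {
  const problems = [];
  const auth = headers.Authorization || '';
  if (/^Bearer\s/i.test(auth)) problems.push('bearer-authorization-on-token-endpoint');
  if (typeof body !== 'string') {
    problems.push('body-not-form-encoded');
  } else {
    const form = new URLSearchParams(body);
    if (!form.get('code')) problems.push('missing-code');
    if (!/^Basic\s/i.test(auth) && !form.get('client_id')) problems.push('client-not-identified');
  }
  return problems;
}

// Constructed sample values.
const sample = {
  tokenEndpoint: 'https://idp.example/id/core/connect/token', clientId: 'my-client',
  clientSecret: 'example-secret', code: 'abc123', redirectUri: 'http://localhost:4200',
};
const good = buildTokenRequest(sample);
// Same shape as the request in the question: Bearer header built from id:code, object body.
const asPosted = {
  headers: { Authorization: 'Bearer ' + b64('my-client:abc123') },
  body: { grant_type: 'authorization_code', code: 'abc123', redirect_uri: 'http://localhost:4200' },
};
console.log(diagnoseTokenRequest(good), diagnoseTokenRequest(asPosted));
```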
