Bug 2111393

Summary: authenticating against external IdP services okta (native app) with OAuth client secret failed
Product: Red Hat Enterprise Linux 8
Reporter: Filip Dvorak <fdvorak>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: Filip Dvorak <fdvorak>
Severity: high
Priority: unspecified
Version: 8.7
CC: abokovoy, aboscatt, amore, atikhono, frenaud, ipa-qe, mpolovka, pbrezina, rcritten, tscherf
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.8.1-1.el8
Doc Type: If docs needed, set a value
Clone Of: 2111388
Clones: 2152883
Last Closed: 2023-05-16 09:07:56 UTC
Type: Bug
Bug Depends On: 2111388
Bug Blocks: 2152883

Description Filip Dvorak 2022-07-27 08:33:59 UTC
+++ This bug was initially created as a clone of Bug #2111388 +++

Description of problem:
Authentication against external provider Okta failed when the OAuth client secret was used (ipa idp-add --secret)

Version-Release number of selected component (if applicable):

# rpm -q libverto krb5-server ipa-server sssd-idp
RHEL-8.7.0-20220722.0
libverto-0.3.2-2.el8.x86_64
krb5-server-1.18.2-21.el8.x86_64
ipa-server-4.9.10-4.module+el8.7.0+15926+daa9f08b.x86_64
sssd-idp-2.7.3-1.el8.x86_64


Steps to Reproduce:
1. configuration of ipa-server:
hostnamectl set-hostname master1.testrelm.test
dnf install -y ipa-server-dns
ipa-server-install -a Secret123 -p Secret123 --setup-dns --auto-forwarders -n testrelm.test -U -r TESTRELM.TEST --no-dnssec-validation

add user for okta idp
echo Secret123 | kinit admin
ipa idp-add oktatest --client-id=<client_id> --provider=okta --base-url=trial-8739330.okta.com --secret
ipa user-add oktausertest --first=okta --last=userokta --user-auth-type=idp --idp-user-id="fdvorak" --idp=oktatest
Note: the client ID and client secret are from the okta web application

The okta native application has the following settings:
Client authentication: Client secret
Application type: Native
Grant type: Authorization Code, Interaction Code, Device authorization
Immediate app access with Federation Broker Mode: Enabled

2. kinit -n -c ./ccache

Actual results:
# kinit -T ./ccache oktausertest
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Expected results:
"kinit -T <ccache> oktausertest" should pass

Additional info:
The same scenario without a secret (Client authentication: none in the okta native application) works.
Logs were attached.

Comment 2 Alexander Bokovoy 2022-07-27 08:47:23 UTC
downstream issue for https://github.com/SSSD/sssd/issues/6146

Comment 10 Alexey Tikhonov 2022-09-15 18:20:38 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6311

Comment 11 Alexey Tikhonov 2022-09-16 13:43:32 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6311

* `master`
    * 1a475e0c537c905c80406ceb88c7b34e6400bc40 - oidc_child: add --client-secret-stdin option
    * 5ed7670766483040211713f8182510775c76b962 - oidc_child: increase wait interval by 5s if 'slow_down' is returned
    * a4d4617efeff871c5d2762e35f9dec57fa24fb1a - oidc_child: use client secret if available to get device code
    * 12d5c6344ee304c1f3bc155a76ab37fcd20e78cb - oidc_child: escape scopes
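
The fix commits above make oidc_child send the client secret when requesting the device code, back off when the token endpoint answers 'slow_down', and escape the scopes it puts in the request. The Python below is an added illustration of those three points against the RFC 8628 device authorization grant; it is not SSSD's oidc_child code. The token endpoint (FakeTokenEndpoint), the device code, client ID and secret are all constructed here, not taken from Okta or from the bug: the secret is included in both the device-code request and every token poll, scopes are percent-encoded rather than pasted raw into the form body, and each 'slow_down' reply lengthens the polling interval by 5 seconds.

```python
"""RFC 8628 device authorization grant with an optional OAuth client secret.

Added illustration only; this is not SSSD's oidc_child. FakeTokenEndpoint is
a constructed in-memory stand-in for an IdP token endpoint, not Okta.
"""
from urllib.parse import parse_qs, quote, urlencode

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def build_device_request(client_id, scopes, client_secret=None):
    """Form body for the device authorization endpoint.

    Scopes are joined with a space and percent-encoded by urlencode, so a
    scope containing ':' or another reserved character cannot corrupt the
    request body.
    """
    params = {"client_id": client_id, "scope": " ".join(scopes)}
    if client_secret is not None:
        # Confidential client: the secret is sent in the form body.
        params["client_secret"] = client_secret
    return urlencode(params, quote_via=quote)


def poll_for_token(post, sleep, device_code, client_id, client_secret=None,
                   interval=5, expires_in=600):
    """Poll the token endpoint until the user approves (RFC 8628 sec. 3.4/3.5).

    post(body) -> dict and sleep(seconds) are injected so the loop can run
    offline. A 'slow_down' reply raises the interval by 5 s for later polls.
    """
    body = {"grant_type": DEVICE_GRANT, "device_code": device_code,
            "client_id": client_id}
    if client_secret is not None:
        body["client_secret"] = client_secret
    waited = 0
    while waited < expires_in:
        sleep(interval)
        waited += interval
        reply = post(urlencode(body))
        if "access_token" in reply:
            return reply
        error = reply.get("error")
        if error == "authorization_pending":
            continue                # user has not finished yet; keep polling
        if error == "slow_down":
            interval += 5           # RFC 8628: add 5 seconds, keep polling
            continue
        # access_denied, expired_token, invalid_client (e.g. wrong secret), ...
        raise RuntimeError(f"device authorization failed: {error}")
    raise TimeoutError("device code expired before approval")


class FakeTokenEndpoint:
    """Constructed in-memory token endpoint replaying a scripted reply list."""

    def __init__(self, script):
        self.script = list(script)
        self.requests = []          # decoded form bodies, for inspection

    def post(self, body):
        self.requests.append(parse_qs(body))
        return self.script.pop(0)


def demo():
    """Run the polling loop against a scripted endpoint and report what happened."""
    endpoint = FakeTokenEndpoint([
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"access_token": "constructed-token", "token_type": "Bearer"},
    ])
    sleeps = []
    token = poll_for_token(endpoint.post, sleeps.append,
                           device_code="constructed-device-code",
                           client_id="constructed-client-id",
                           client_secret="constructed-client-secret")
    return token, sleeps, endpoint.requests


if __name__ == "__main__":
    token, sleeps, requests = demo()
    print("sleep intervals:", sleeps)        # [5, 5, 10, 10]
    print("secret sent on every poll:",
          all("client_secret" in r for r in requests))
    print("token:", token["access_token"])
```

The injected post and sleep callables keep the loop testable without a network; in a real client they would be an HTTPS POST to the IdP's token endpoint and time.sleep. Note that a wrong or missing secret for a confidential client surfaces as an 'invalid_client' error on the very first poll, which is the kind of failure the bug reports as "Pre-authentication failed" at the kinit level.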

Comment 28 errata-xmlrpc 2023-05-16 09:07:56 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2986