Jon @ Posit
Jon @ Posit•5mo ago

Device Authorization with Okta using zitadel/oidc

Hello! I'm attempting to use zitadel/oidc for device authorization against Okta, but I'm getting back this error from DeviceAuthorization:
ErrorType=invalid_request Description=The client_assertion_type is invalid.
This appears to be due to the client_assertion fields being included in the request even when empty. If I modify the fields in https://github.com/zitadel/oidc/blob/main/pkg/oidc/token_request.go#L243-L244 to include the omitempty attribute, device authorization against Okta works. Is this a known issue, or is there a known workaround? I'm happy to create an issue and a PR if that helps.
7 Replies
Rajat Singh
Rajat Singh•5mo ago
Hey @Jon @ Posit good day. Can you please share your curl request here?. Thanks
Jon @ Posit
Jon @ PositOP•5mo ago
Here's a curl example: Starting with an Okta test application:
export ISSUER=https://<okta-url>.oktapreview.com/oauth2/default
This is what works:
curl --request POST \
--url $ISSUER/v1/device/authorize \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=0oa2e0pp4hsQlHugh0h8' \
--data-urlencode 'scope=openid profile offline_access'

{"device_code":"e9694547-72d4-420c-9e02-4dca650d4176","user_code":"XTDKFLXF","verification_uri":"https://<url>.oktapreview.com/activate","verification_uri_complete":"https://<url>.oktapreview.com/activate?user_code=XTDKFLXF","expires_in":600,"interval":5}
But if you add the client assertion fields like the zitadel/oidc library does, it fails:
curl --request POST \
--url $ISSUER/v1/device/authorize \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=0oa2e0pp4hsQlHugh0h8' \
--data-urlencode 'scope=openid profile offline_access' \
--data-urlencode 'client_assertion_type=' \
--data-urlencode 'client_assertion='

{"error":"invalid_request","error_description":"The client_assertion_type is invalid."}
I wonder - are the client_assertion and client_assertion_type fields even needed in this struct? It looks like it's used only for device auth and the RFC https://www.rfc-editor.org/rfc/rfc8628 doesn't even mention these fields. On the other hand, this also feels like an Okta bug, but I don't see harm in suppressing the fields if they're empty.
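To make the encoding difference in this thread concrete, here is an added, self-contained Go example (not code from zitadel/oidc, which uses its own form encoder and struct tags). It assumes a hypothetical `form:"name,omitempty"` tag convention and a small reflection-based encoder; it shows that a struct without `omitempty` emits `client_assertion=&client_assertion_type=` on the wire, which is exactly what Okta rejects, while the tagged struct drops the empty parameters and still sends them when a JWT assertion is actually set. `EmptyParams` is a check a practitioner can run over any captured request body to spot empty-valued parameters before blaming the IdP.

```go
package main

import (
	"fmt"
	"net/url"
	"reflect"
	"sort"
	"strings"
)

// DeviceAuthRequest mirrors the shape of the device-authorization request from
// the thread. The `form` tag is a hypothetical convention for this example and
// is not the tag zitadel/oidc uses.
type DeviceAuthRequest struct {
	ClientID            string `form:"client_id"`
	Scope               string `form:"scope"`
	ClientAssertionType string `form:"client_assertion_type,omitempty"`
	ClientAssertion     string `form:"client_assertion,omitempty"`
}

// LegacyDeviceAuthRequest has the same fields without omitempty, reproducing
// the request body that triggered "The client_assertion_type is invalid."
type LegacyDeviceAuthRequest struct {
	ClientID            string `form:"client_id"`
	Scope               string `form:"scope"`
	ClientAssertionType string `form:"client_assertion_type"`
	ClientAssertion     string `form:"client_assertion"`
}

// EncodeForm walks the struct's string fields and builds url.Values, skipping
// any field tagged omitempty whose value is the empty string.
func EncodeForm(v interface{}) url.Values {
	out := url.Values{}
	rv := reflect.ValueOf(v)
	if rv.Kind() == reflect.Ptr {
		rv = rv.Elem()
	}
	rt := rv.Type()
	for i := 0; i < rt.NumField(); i++ {
		f := rt.Field(i)
		tag := f.Tag.Get("form")
		if tag == "" || tag == "-" || f.Type.Kind() != reflect.String {
			continue
		}
		parts := strings.Split(tag, ",")
		name := parts[0]
		omitEmpty := false
		for _, opt := range parts[1:] {
			if opt == "omitempty" {
				omitEmpty = true
			}
		}
		val := rv.Field(i).String()
		if val == "" && omitEmpty {
			continue
		}
		out.Set(name, val)
	}
	return out
}

// EmptyParams parses an application/x-www-form-urlencoded body and returns the
// names (sorted) of every parameter that was sent with an empty value, which is
// the condition Okta's device endpoint rejects.
func EmptyParams(body string) []string {
	vals, err := url.ParseQuery(body)
	if err != nil {
		return nil
	}
	var empty []string
	for k, vs := range vals {
		for _, v := range vs {
			if v == "" {
				empty = append(empty, k)
				break
			}
		}
	}
	sort.Strings(empty)
	return empty
}

func main() {
	// Constructed sample values, not real client credentials.
	legacy := EncodeForm(LegacyDeviceAuthRequest{ClientID: "example-client", Scope: "openid profile offline_access"}).Encode()
	fixed := EncodeForm(DeviceAuthRequest{ClientID: "example-client", Scope: "openid profile offline_access"}).Encode()
	fmt.Println("without omitempty:", legacy)
	fmt.Println("empty params:     ", EmptyParams(legacy))
	fmt.Println("with omitempty:   ", fixed)
	fmt.Println("empty params:     ", EmptyParams(fixed))
}
```

`url.Values.Encode` sorts keys, so the legacy body always begins with the two empty assertion parameters; a quick `EmptyParams` over a captured body is enough to tell a library-side encoding problem apart from a genuine IdP misconfiguration.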
Rajat
Rajat•5mo ago
hey @Jon @ Posit thanks for raising this, can you pls modify the struct to include the omitempty tag for these fields and see if it helps you to proceed? this is a workaround if it helps, I will look for more information on it meanwhile
Jon @ Posit
Jon @ PositOP•5mo ago
Yes, I've already tested after compiling with the omitempty attribute. It fixes the problem and device auth with Okta works. I've already forked the repository, so let me know if you'd like me to submit a PR. I'm happy to do that if it helps. And thanks for your help!
Rajat
Rajat•5mo ago
hi @Jon @ Posit yes please, make sure to be very descriptive in the issue so it can help our engineers to review it better. Looking forward to it 🙂
Jon @ Posit
Jon @ PositOP•5mo ago
I've created a PR, which I linked to an issue (bug report) I also created. https://github.com/zitadel/oidc/pull/745 and https://github.com/zitadel/oidc/issues/744.
Rajat
Rajat•5mo ago
thanks @Jon @ Posit