
While making access token exchange call to Dex /userinfo API is giving 401 error #3395

Closed
3 tasks done
Vaishnavi-BH opened this issue Mar 5, 2024 · 10 comments

Comments

@Vaishnavi-BH

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.38.0

Storage Type

Kubernetes

Installation Type

Official Helm chart

Expected Behavior

When making an access token exchange call to Dex, it should return a new access token in the response.

Actual Behavior

When making the access token exchange call to Dex, I get a 401 error { "error": "access_denied" }. The Dex logs show the
message "failed to verify subject token: oidc: error loading userinfo: 401 Unauthorized: "

Steps To Reproduce

  1. Obtain an access token from the upstream IdP (Okta).
  2. Make a token exchange call to Dex with the access token obtained from the upstream, to get a new access token generated by Dex.
  3. Dex returns status code 401 with error {"error": "access_denied"}.

Additional Information

Set getUserInfo to true in the config file, as it is required to make the access token exchange call.

Postman curl:

curl --location 'http://localhost:5556/dex/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Basic bmV4dGdlbi1sb2dpbjpuZXh0Z2VuLWxvZ2lw' \
  --data-urlencode 'connector_id=okta' \
  --data-urlencode 'scope=profile groups openid email' \
  --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:access_token' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  --data-urlencode 'subject_token=eyJraWQiOiJ4QUtnNWl0RmpLOmp0aSI6IkFULnNFxxxxxxxxxxxxxxxxxxxxxxxx' \
  --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token'

Configuration

expiry:
  idTokens: 60m
connectors:
- config:
    clientID: XXXXXXXXX
    clientSecret: XXXXXXX
    insecureEnableGroups: true
    insecureSkipEmailVerified: true
    getUserInfo: true
    issuer: https://dev-74515309.okta.com/oauth2/default
    redirectURI: http://localhost:5556/dex/callback
    scopes:
    - profile
    - email
    - groups
  id: okta
  name: okta
  type: oidc
issuer: http://localhost:5556/dex
logger:
  level: debug
  format: text
oauth2:
  skipApprovalScreen: true
  responseTypes: [code, token, id_token]
  grantTypes: [urn:ietf:params:oauth:grant-type:token-exchange, authorization_code, refresh_token, implicit]
storage:
  config:
    inCluster: true
  type: kubernetes
web:
  http: 0.0.0.0:5556
staticClients:
  - id: XXXXXX
    secret: XXXXXX
    name: Dex login Application
    public: true
    redirectURIs:
    - 'http://localhost:8082/callback'

Logs

2024-03-05 10:56:58.384	
time="2024-03-05T05:26:58Z" level=error msg="failed to verify subject token: oidc: error loading userinfo: 401 Unauthorized: "
2024-03-05 10:50:12.011	
time="2024-03-05T05:20:12Z" level=error msg="failed to verify subject token: oidc: error loading userinfo: 401 Unauthorized: "
@Vaishnavi-BH (Author)

Hello Maintainers, could you please help with this issue?

@nabokihms (Member)

Hello, @Vaishnavi-BH. It should be fixed by #3335
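The PR title referenced above says the /userinfo request was made with the wrong token type. As an added illustration (this is not Dex's code and not the diff of #3335, which is not on this page), the Go program below uses only the standard library and a constructed mock of an upstream /userinfo endpoint to show why the token type matters: an OIDC userinfo endpoint honours only the RFC 6750 Bearer scheme in the Authorization header, so a token presented under any other scheme (here, as an assumed failure mode, the token-type URN from the exchange request used as the scheme) gets exactly the "401 Unauthorized" that the Dex log line above reports. The token value, endpoint and claims are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sampleSubjectToken is a constructed placeholder, not a real Okta token.
const sampleSubjectToken = "eyJhbGciOiJub25lIn0.c2FtcGxl.c2ln"

// newMockUserInfoServer stands in for the upstream IdP's /userinfo endpoint
// (assumed behaviour modelled on a typical OIDC provider): it accepts only
// "Authorization: Bearer <token>" and answers 401 for anything else.
func newMockUserInfoServer(validToken string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/userinfo", func(w http.ResponseWriter, r *http.Request) {
		scheme, token, ok := strings.Cut(r.Header.Get("Authorization"), " ")
		if !ok || !strings.EqualFold(scheme, "Bearer") || token != validToken {
			w.Header().Set("WWW-Authenticate", `Bearer error="invalid_token"`)
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string]any{"sub": "user-1", "email": "user@example.com"})
	})
	return httptest.NewServer(mux)
}

// fetchUserInfo models the step a connector performs when getUserInfo is
// true: present the subject token from the exchange request to the upstream
// /userinfo. scheme is whatever ends up in front of the token in the header.
func fetchUserInfo(userInfoURL, scheme, token string) (int, map[string]any, error) {
	req, err := http.NewRequest(http.MethodGet, userInfoURL, nil)
	if err != nil {
		return 0, nil, err
	}
	req.Header.Set("Authorization", scheme+" "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// Same shape as the log line in the issue.
		return resp.StatusCode, nil, fmt.Errorf("oidc: error loading userinfo: %s", resp.Status)
	}
	var claims map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&claims); err != nil {
		return resp.StatusCode, nil, err
	}
	return resp.StatusCode, claims, nil
}

// CompareSchemes sends the same token to /userinfo twice: once with the
// Bearer scheme and once with the RFC 8693 token-type URN wrongly used as
// the scheme. It returns the two HTTP status codes.
func CompareSchemes() (bearerStatus, urnStatus int) {
	srv := newMockUserInfoServer(sampleSubjectToken)
	defer srv.Close()
	url := srv.URL + "/userinfo"
	bearerStatus, _, _ = fetchUserInfo(url, "Bearer", sampleSubjectToken)
	urnStatus, _, _ = fetchUserInfo(url, "urn:ietf:params:oauth:token-type:access_token", sampleSubjectToken)
	return bearerStatus, urnStatus
}

func main() {
	b, u := CompareSchemes()
	fmt.Printf("Bearer scheme -> %d, token-type URN as scheme -> %d\n", b, u)
}
```

The subject_token_type parameter in a token-exchange request describes the token to the exchange endpoint; it is not a credential scheme, and the upstream userinfo call still has to use Bearer regardless of what the client declared.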

@Vaishnavi-BH (Author)

Hello @nabokihms, I have two questions:

  1. Is the above fix (Token Exchange uses wrong tokenType for /userinfo request #3335) deployed in the existing release (v2.38.0), or will there be a new release?
  2. Is the above fix (#3335) also included in the latest Helm chart version, 0.16.0?

We are using the latest Dex version v2.38.0 and Helm chart version 0.16.0 and still get 401 { "error": "access_denied"}.

If the changes are not in the latest version, when can we expect a new version/release with the above changes?

@0x0dr1y (Contributor) commented Mar 12, 2024

Hey @Vaishnavi-BH,

the PR was merged but not released yet. You'll sadly need to wait for the next release (probably v2.39.0). The Helm chart will be updated in a separate release (probably 0.17.0). In case the Helm chart isn't updated in time, you can manually adjust the values to use the latest Dex version once it is released. Hope that helps.

@nabokihms (Member)

The release of Dex v2.39.0 is planned for the next week.

@Vaishnavi-BH (Author)

Hello @nabokihms, Can you please provide tentative date for Dex release v2.39.0?

@kumanav07

Hi @MrDeerly / @nabokihms ,

Kindly let us know the approx date for the Dex v2.39.0 as we had some planned activities based on the same.

cc : @Vaishnavi-BH

@nabokihms (Member)

It will be released sometime this week, so if you want to arrange any plans, I'd suggest you aim at Monday, 25th of March.

@0x0dr1y (Contributor) commented Apr 10, 2024

I guess this issue can be closed 👍

@yashg-op commented Feb 6, 2025

Hi @Vaishnavi-BH @nabokihms @0x0dr1y,

We urgently need to implement Dex with the OIDC connector. We have been facing this issue where it says:

Not found, invalid client_id ("")

Help would be greatly appreciated; I couldn't find anything decisive anywhere, only open issues and unanswered discussions.


Below is the config:

connectors:
  - config:
      clientID: CLIENT_ID
      clientSecret: CLIENT_SECRET
      insecureEnableGroups: true
      issuer: https://dev-88813151.okta.com/oauth2/default
      redirectURI: https://dex.optiq.one/callback
      scopes:
        - profile
        - email
        - groups
    id: okta
    name: Okta
    type: oidc
issuer: https://dex.optiq.one/
logger:
  level: debug
oauth2:
  alwaysShowLoginScreen: true
storage:
  config:
    inCluster: true
  type: kubernetes
web:
  allowedOrigins:
    - '*'
  http: 0.0.0.0:5556
