🐛 Bug Report: Introspection Endpoint - Client id or secret not provided #148

Closed
opened 2025-10-07 23:55:14 +03:00 by OVERLORD · 9 comments

Originally created by @andreas-soroko on GitHub.

Reproduction steps

  • Create OIDC Client with secret
  • obtain an access token
  • try to do a request against the introspection endpoint
    • with basic auth clientid:clientsecret as base64
    • body with token=<accessToken>

Expected behavior

I would at least expect an error message that you can do something with, because clientId and secret were specified.

Actual Behavior

No matter what I do, I always get an error message.

  • I have an older OIDC client defined there (public client) without a secret; if I try to use this one I am getting: "Invalid client secret"
  • if I try to create a new client which looks similar to the client above, I get "Client id or secret not provided"

Version and Environment

Version: 1.5.0 (updated from 1.1.0 - only noticed it because an app started to log auth errors)

Example:

```sh
curl --location --request POST '<instance>/api/oidc/introspect' \
--header 'Authorization: Basic NzQzYjJjZTctNjcwZC00MTA0LTk3ODgtODhkN2VlMWM4ZDlhOm1KOHlZOW5CQm9oSHNOYmFHbXBBNmZnNmt6dzNSSUZO' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=<token>'
```

Log Output

Log

```
[GIN] 2025/06/29 - 13:32:27 | 400 |     320.247µs |     192.168.0.1 | POST     "/api/oidc/introspect"
Error #01: client id or secret not provided
```

Response

```json
{
    "error": "Client id or secret not provided"
}
```
OVERLORD added the bug label 2025-10-07 23:55:14 +03:00

@ItalyPaleAle commented on GitHub:

@andreas-soroko is your client configured as public client?


@andreas-soroko commented on GitHub:

Just tested a bit further - the endpoint doesn't require any authentication any more?

I can just post a valid token against it and get information back.

```sh
curl --location --request POST '<instance>/api/oidc/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=<valid_access_token>'
```

Response:

```json
{
  "active": true,
  "token_type": "access_token",
  "exp": 1751268164,
  "iat": 1751264564,
  "sub": "bd4d082c-f72e-45fd-8d91-509d8bb39f07",
  "aud": [
    "751eadc1-6e3f-4c31-81ae-c57694a1df4c"
  ],
  "iss": "<instance>"
}
```

Does this test run in the pipeline? Because this test should test exactly that.
https://github.com/pocket-id/pocket-id/blob/main/tests/specs/oidc.spec.ts#L283


@stonith404 commented on GitHub:

This issue was automatically closed because of the PR and the fix should be available in the next release. Feel free to comment here if the issue still occurs with the new version.


@ItalyPaleAle commented on GitHub:

Should be fixed by #704


@andreas-soroko commented on GitHub:

one client I tested was public, the others were not


@ItalyPaleAle commented on GitHub:

@andreas-soroko I’m a little confused about the problem you’re having, since we’ve talked about unauthenticated calls too.

Could you please share more info, maybe some step-by-step repro?


@andreas-soroko commented on GitHub:

Mhm, updated to 1.6.1, still facing the same issue - @ItalyPaleAle.

Response

```json
{
    "error": "Client id or secret not provided"
}
```

Log

```
[GIN] 2025/07/08 - 18:24:49 | 400 |    79.59283ms |     192.168.0.1 | POST     "/api/oidc/introspect"
Error #01: client id or secret not provided
```

Edit:
After looking through the code, I think this line is my problem: [oidc_service.go#L513](https://github.com/pocket-id/pocket-id/blob/v1.6.1/backend/internal/service/oidc_service.go#L513). It was added in 1.3.0, and yes, I am using a different client - is this part of an official specification? I have never had this problem with other providers.


@ItalyPaleAle commented on GitHub:

Oh, I understand now. I think this is working as intended: each client should only be allowed to introspect tokens issued for itself. second-client should NOT be allowed to introspect tokens issued for first-client.

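As an added example (not pocket-id's own code), here is a Go sketch of the two checks this thread turns on: the unauthenticated introspection call shown in the earlier comment must be rejected, and an authenticated client only gets a useful answer for tokens whose `aud` contains its own client id, the policy described above. The client registry, the secret, and the `Introspect` signature are constructed for the example; the token is assumed to have been signature-verified already.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"net/http"
	"strings"
)

// Constructed client registry: client id -> secret. An empty secret marks a
// public client, which cannot authenticate with Basic auth at all.
var clients = map[string]string{"first-client": "", "second-client": "constructed-secret"}
var ErrClientAuth = errors.New("client id or secret not provided")

// AuthenticateClient parses "Authorization: Basic <base64(id:secret)>" and
// checks the secret in constant time; unknown and public clients fail alike.
func AuthenticateClient(authHeader string) (string, error) {
	enc, ok := strings.CutPrefix(authHeader, "Basic ")
	raw, err := base64.StdEncoding.DecodeString(enc)
	if !ok || err != nil {
		return "", ErrClientAuth
	}
	id, secret, ok := strings.Cut(string(raw), ":")
	if !ok || id == "" || secret == "" {
		return "", ErrClientAuth
	}
	want := clients[id] // "" for unknown or public clients
	if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(secret)) != 1 {
		return "", errors.New("invalid client secret")
	}
	return id, nil
}

// Introspect applies the thread's policy: the caller must authenticate and may
// only see tokens whose "aud" includes its own client id; RFC 7662 §2.2 has such
// tokens reported as "active": false. active/aud come from a verified token (assumed).
func Introspect(authHeader string, active bool, aud []string) (int, map[string]any) {
	clientID, err := AuthenticateClient(authHeader)
	if err != nil {
		return http.StatusUnauthorized, map[string]any{"error": err.Error()}
	}
	for _, a := range aud {
		if a == clientID {
			return http.StatusOK, map[string]any{"active": active, "aud": aud}
		}
	}
	return http.StatusOK, map[string]any{"active": false}
}
```

With this policy the reporter's setup (token issued to `first-client`, introspected by `second-client`) yields `"active": false` rather than a client error, which is what a relying backend should treat as "not valid for me".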

@andreas-soroko commented on GitHub:

Hi, is this enough? @ItalyPaleAle


Create 2 OIDC Clients:

  • first client (could be used in a frontend)
    • Name: first-client
    • Public Client: true
    • PKCE: true
    • configure callback urls etc
  • second client (could be used in a backend)
    • Name: second-client
    • remember clientId / secret

obtain access token via the first-client

try to make the introspection request via second-client to validate the token

```sh
curl --location --request POST '<instance>/api/oidc/introspect' \
--header 'Authorization: Basic <second-clientid-secret-base64>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=<token>'
```

I used that constellation in the past with Keycloak and Authentik (and Pocket ID 1.1 as well).

Reference: starred/pocket-id-pocket-id-1#148