
Trying to sign in with https://crspybits.trinpod.us: Blank redirect screen #4

Open
crspybits opened this issue Sep 6, 2021 · 8 comments

Comments

@crspybits (Owner)

crspybits commented Sep 6, 2021

Your public Solid POD URL will be:
https://crspybits.trinpod.us
Your public Solid WebID will be:
https://crspybits.trinpod.us/i

I used https://crspybits.trinpod.us as the issuer.

My logs show:

2021-09-05 18:47:02.926932-0600 SolidAuthSwiftDemo[47460:8895432] [] nw_protocol_get_quic_image_block_invoke dlopen libquic failed
2021-09-05T18:47:03-0600 debug  : Received data: Optional("{\"issuer\":\"https:\\/\\/trinpod.us\",\"authorization_endpoint\":\"https:\\/\\/trinpod.us\\/authorize\",\"token_endpoint\":\"https:\\/\\/trinpod.us\\/token\",\"userinfo_endpoint\":\"https:\\/\\/trinpod.us\\/userinfo\",\"registration_endpoint\":\"https:\\/\\/trinpod.us\\/register\",\"end_session_endpoint\":\"https:\\/\\/trinpod.us\\/endSession\",\"jwks_uri\":\"https:\\/\\/trinpod.us\\/jwks\",\"response_types_supported\":[\"code\"],\"grant_types_supported\":[\"authorization_code\",\"refresh_token\"],\"subject_types_supported\":[\"public\"],\"claims_supported\":[\"sub\",\"webid\"],\"scopes_supported\":[\"openid\",\"profile\",\"email\"],\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\"],\"token_endpoint_auth_signing_alg_values_supported\":[\"RS256\"],\"request_object_signing_alg_values_supported\":[\"RS256\"],\"id_token_signing_alg_values_supported\":[\"RS256\"],\"code_challenge_methods_supported\":[\"plain\",\"S256\"],\"request_parameter_supported\":true,\"claims_parameter_supported\":\"false\",\"request_parameter_supported\":true,\"request_uri_parameter_supported\":true,\"require_request_uri_registration\":\"false\",\"response_modes_supported\":[\"query\",\"fragment\"]}")
2021-09-05T18:47:03-0600 debug  : Received url response: <NSHTTPURLResponse: 0x6000036e10e0> { URL: https://crspybits.trinpod.us/.well-known/openid-configuration } { Status Code: 200, Headers {
    "Access-Control-Allow-Credentials" =     (
        true
    );
    "Access-Control-Allow-Headers" =     (
        "Accept, Accept-Encoding, Accept-Language, Accept-Patch, Accept-Post, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Allow, Authorization, Connection, Content-Length, Content-Security-Policy, Content-Type, Date, Dpop, ETag, Host, If-None-Match, Last-Modified, Link, Location, MS-Author-Via, Origin, Referer, Transfer-Encoding, Updates-Via, User, User-Agent, Vary, WAC-Allow, WWW-Authenticate, X-Content-Type-Options, X-Forwarded-For, X-Forwarded-Proto, X-Powered-By, X-Requested-With, cache-control, slug, hypergraph"
    );
    "Access-Control-Allow-Methods" =     (
        "OPTIONS, HEAD, GET, PATCH, POST, PUT, DELETE"
    );
    "Access-Control-Allow-Origin" =     (
        "*"
    );
    "Access-Control-Expose-Headers" =     (
        "Accept, Accept-Encoding, Accept-Language, Accept-Patch, Accept-Post, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Allow, Authorization, Connection, Content-Length, Content-Security-Policy, Content-Type, Date, Dpop, ETag, Host, If-None-Match, Last-Modified, Link, Location, MS-Author-Via, Origin, Referer, Transfer-Encoding, Updates-Via, User, User-Agent, Vary, WAC-Allow, WWW-Authenticate, X-Content-Type-Options, X-Forwarded-For, X-Forwarded-Proto, X-Powered-By, X-Requested-With, cache-control, slug, hypergraph"
    );
    Allow =     (
        "OPTIONS, GET, HEAD, POST, PATCH, PUT, DELETE"
    );
    "Content-Type" =     (
        "application/json"
    );
    Date =     (
        "Mon, 06 Sep 2021 00:47:03 GMT"
    );
    "Transfer-Encoding" =     (
        Identity
    );
    Vary =     (
        "Accept, Authorization, Origin"
    );
    "X-Content-Type-Options" =     (
        nosniff
    );
    "X-Powered-By" =     (
        "TrinPod-Server/2.3.3"
    );
} }
2021-09-05T18:47:03-0600 debug  : JSONString: dict: [AnyHashable("client_name"): "Neebla", AnyHashable("token_endpoint_auth_method"): "client_secret_post", AnyHashable("redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("response_types"): "code id_token", AnyHashable("application_type"): "native", AnyHashable("grant_types"): ["authorization_code"]]
2021-09-05T18:47:03-0600 debug  : postBody: 231 bytes
2021-09-05T18:47:03-0600 debug  : Headers: Optional(["Content-Type": "application/json"])
2021-09-05T18:47:03-0600 debug  : URL Request: https://trinpod.us/register
2021-09-05T18:47:03-0600 debug  : Got registration response: 
=============
OIDRegistrationResponse 
clientID: Optional("8772AE25-3BF1-4E25-A465-B6FB5B4B62B3") 
clientIDIssuedAt: nil 
clientSecret: nil 
clientSecretExpiresAt: nil 
registrationAccessToken: nil 
registrationClientURI: nil 
additionalParameters: ["redirect_uris": <__NSSingleObjectArrayI 0x6000034d4090>(
biz.SpasticMuffin.Neebla.demo:/mypath
)
] 
=============
2021-09-05T18:47:03-0600 debug  : requestURL: https://trinpod.us/authorize?scope=openid%20offline_access%20profile%20webid&code_challenge=JFssOW1RIXHg7BvXuw60gYYB25tPynasE4IqYyh63xI&client_id=8772AE25-3BF1-4E25-A465-B6FB5B4B62B3&redirect_uri=biz.SpasticMuffin.Neebla.demo:/mypath&nonce=zGN8WCLLb1zbI074VVlddS9MYODXMAElj0uIha1VzOA&state=Q8fJQv4k4tdsEG2s6bOUxCx2_hnfid1VCrlS_t7THhY&response_type=code%20id_token&code_challenge_method=S256
@crspybits (Owner, Author)

The redirect screen is:

[Screenshot: Simulator Screen Shot - iPhone 11 Pro Max - 2021-09-05 at 17 22 37]

@crspybits (Owner, Author)

It seems pretty clear that the registration isn't working as intended. This is what I get back from https://solidcommunity.net:

2021-09-05T21:52:32-0600 debug  : JSONString: dict: [AnyHashable("client_name"): "Neebla", AnyHashable("redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("response_types"): "code id_token", AnyHashable("token_endpoint_auth_method"): "client_secret_post", AnyHashable("application_type"): "native", AnyHashable("grant_types"): ["authorization_code"]]
2021-09-05T21:52:32-0600 debug  : postBody: 231 bytes
2021-09-05T21:52:32-0600 debug  : Headers: Optional(["Content-Type": "application/json"])
2021-09-05T21:52:32-0600 debug  : URL Request: https://solidcommunity.net/register
2021-09-05T21:52:33-0600 debug  : Got registration response: 
=============
OIDRegistrationResponse 
clientID: Optional("b58943520f434e9a9e0f34fe9dd5416e") 
clientIDIssuedAt: Optional(2021-09-06 03:52:33 +0000) 
clientSecret: Optional("19ba89...[redacted]") 
clientSecretExpiresAt: Optional(2021-09-06 03:52:33 +0000) 
registrationAccessToken: Optional("eyJhbG...[redacted]") 
registrationClientURI: Optional(https://solidcommunity.net/register/b58943520f434e9a9e0f34fe9dd5416e) 
additionalParameters: ["id_token_signed_response_alg": RS256, "application_type": native, "token_endpoint_auth_method": client_secret_post, "grant_types": <__NSSingleObjectArrayI 0x600001ee9010>(
authorization_code
)
, "response_types": code id_token, "client_name": Neebla, "redirect_uris": <__NSSingleObjectArrayI 0x600001ee9030>(
biz.SpasticMuffin.Neebla.demo:/mypath
)
] 
=============
2021-09-05T21:52:33-0600 debug  : requestURL: https://solidcommunity.net/authorize?nonce=neHnh3WmDUYoppLdMYfba4mT-LKNH9H03zYpxYLmN48&code_challenge=dMu_UVkl3Zr3hTBZwyJMyfrT0OZvPkgTwLX_Teb-BF0&state=OqHwOsifmD1wtq-_8szmpcyeMommqY3QRrrsAcYd2DQ&code_challenge_method=S256&client_id=b58943520f434e9a9e0f34fe9dd5416e&scope=profile%20openid%20webid%20offline_access&response_type=code%20id_token&redirect_uri=biz.SpasticMuffin.Neebla.demo:/mypath

@crspybits (Owner, Author)

But I should probably use https://trinpod.net as the issuer. However, that shows exactly the same blank screen and result:

2021-09-05T21:57:38-0600 debug  : JSONString: dict: [AnyHashable("client_name"): "Neebla", AnyHashable("token_endpoint_auth_method"): "client_secret_post", AnyHashable("application_type"): "native", AnyHashable("redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("response_types"): "code id_token", AnyHashable("grant_types"): ["authorization_code"]]
2021-09-05T21:57:38-0600 debug  : postBody: 231 bytes
2021-09-05T21:57:38-0600 debug  : Headers: Optional(["Content-Type": "application/json"])
2021-09-05T21:57:38-0600 debug  : URL Request: https://trinpod.us/register
2021-09-05T21:57:38-0600 debug  : Got registration response: 
=============
OIDRegistrationResponse 
clientID: Optional("2A487882-5492-41F2-8DBE-55244B40E646") 
clientIDIssuedAt: nil 
clientSecret: nil 
clientSecretExpiresAt: nil 
registrationAccessToken: nil 
registrationClientURI: nil 
additionalParameters: ["redirect_uris": <__NSSingleObjectArrayI 0x6000029c8a20>(
biz.SpasticMuffin.Neebla.demo:/mypath
)
] 
=============
2021-09-05T21:57:38-0600 debug  : requestURL: https://trinpod.us/authorize?client_id=2A487882-5492-41F2-8DBE-55244B40E646&state=VdW8PSOkbRVeeDPM5hNbZD6wuAoq3bE8FeDFetPEXbs&scope=webid%20offline_access%20openid%20profile&nonce=pLB2p--nYA8PzAwUZOmuXQ_coEecgYO6sxXkZQxykVg&code_challenge=i-A3I0kKNGG_CUpyZ59MgHclroDFowkye99krusH5Sw&redirect_uri=biz.SpasticMuffin.Neebla.demo:/mypath&code_challenge_method=S256&response_type=code%20id_token

@crspybits (Owner, Author)

I'm noticing that I'm using client_secret_post, but during discovery from the server:

\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\"],

@crspybits (Owner, Author)

I'm confused right now about where client_secret_basic vs client_secret_post ought to be used.

9. Client Authentication: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication suggests this is: when using the Token Endpoint

However, https://solid.github.io/solid-oidc/primer/#authorization-code-pkce-flow-step-14 suggests using a DPoP token. These seem to be conflicting statements.

@crspybits (Owner, Author)

I made some changes and am having pretty good success with the broker.pod.inrupt.com issuer. See #3 (comment)

However, these changes don't help with trinpod. I still get the same blank screen.

Taking an example from https://connect2id.com/products/server/docs/guides/client-registration, I'm beginning to think that trinpod just doesn't support dynamic registration:

curl -s -XPOST -H "Content-Type:application/json" \
-d '{"redirect_uris":["biz.SpasticMuffin.Neebla.demo:/mypath"]}' \
https://trinpod.us/register

RESULT:

{"client_id":"8A2782CD-5D1F-475D-B016-733AD193F455","redirect_uris":["biz.SpasticMuffin.Neebla.demo:/mypath"]}

There is no client secret in the response as I'd expect. See also https://connect2id.com/products/server/docs/guides/client-registration

@crspybits (Owner, Author)

crspybits commented Oct 17, 2021

I just tried this again. Getting the same result.

2021-10-16T20:26:56-0600 debug : JSONString: dict: [AnyHashable("grant_types"): ["refresh_token", "authorization_code"], AnyHashable("client_name"): "Neebla", AnyHashable("post_logout_redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("token_endpoint_auth_method"): "client_secret_basic", AnyHashable("application_type"): "native", AnyHashable("redirect_uris"): ["biz.SpasticMuffin.Neebla.demo:/mypath"], AnyHashable("response_types"): ["code"]]
2021-10-16T20:26:56-0600 debug : postBody: 312 bytes
2021-10-16T20:26:56-0600 debug : Headers: Optional(["Content-Type": "application/json"])
2021-10-16T20:26:56-0600 debug : URL Request: https://trinpod.us/register
2021-10-16T20:26:57-0600 debug : Got registration response:

OIDRegistrationResponse
clientID: Optional("5E732CDD-8C77-4265-87DD-997468704FDA")
clientIDIssuedAt: nil
clientSecret: nil
clientSecretExpiresAt: nil
registrationAccessToken: nil
registrationClientURI: nil
additionalParameters: ["redirect_uris": <__NSSingleObjectArrayI 0x600003d68960>(
biz.SpasticMuffin.Neebla.demo:/mypath
)
]
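The comments above compare the issuer's discovery document with what the client sends to `/register` and what comes back (client_secret_post vs. the advertised client_secret_basic, a "code id_token" response type against response_types_supported of ["code"], and a registration response with no client_secret). The following script, added here as an example and not part of SolidAuthSwift or any server named in the thread, mechanises those comparisons so the mismatches fall out of the logged data rather than being spotted by eye. The discovery document, the September and October registration request/response pairs and the authorize URL are transcribed from the logs in this issue (trimmed to the fields used); the function names and finding codes are my own, and the defaults applied when a field is omitted (client_secret_basic, ["code"], ["authorization_code"]) are the ones OpenID Connect Dynamic Client Registration specifies.

```python
"""Check an OIDC dynamic registration exchange against the issuer's discovery document."""

from urllib.parse import parse_qs, urlsplit

# Discovery document logged for https://crspybits.trinpod.us/.well-known/openid-configuration,
# trimmed to the fields used here. The string "false" values are as the server sent them.
# (Transcribed from the issue log; constructed test data, not a live fetch.)
TRINPOD_DISCOVERY = {
    "issuer": "https://trinpod.us",
    "authorization_endpoint": "https://trinpod.us/authorize",
    "registration_endpoint": "https://trinpod.us/register",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "claims_parameter_supported": "false",
    "require_request_uri_registration": "false",
}

# September exchange from the issue: client_secret_post and a hybrid response type.
SEPT_REQUEST = {
    "client_name": "Neebla", "application_type": "native",
    "redirect_uris": ["biz.SpasticMuffin.Neebla.demo:/mypath"],
    "response_types": "code id_token",          # sent as a string, not an array
    "grant_types": ["authorization_code"],
    "token_endpoint_auth_method": "client_secret_post",
}
SEPT_RESPONSE = {"client_id": "8772AE25-3BF1-4E25-A465-B6FB5B4B62B3",
                 "redirect_uris": ["biz.SpasticMuffin.Neebla.demo:/mypath"]}
SEPT_AUTHORIZE_URL = (
    "https://trinpod.us/authorize?scope=openid%20offline_access%20profile%20webid"
    "&code_challenge=JFssOW1RIXHg7BvXuw60gYYB25tPynasE4IqYyh63xI"
    "&client_id=8772AE25-3BF1-4E25-A465-B6FB5B4B62B3"
    "&redirect_uri=biz.SpasticMuffin.Neebla.demo:/mypath"
    "&nonce=zGN8WCLLb1zbI074VVlddS9MYODXMAElj0uIha1VzOA"
    "&state=Q8fJQv4k4tdsEG2s6bOUxCx2_hnfid1VCrlS_t7THhY"
    "&response_type=code%20id_token&code_challenge_method=S256")

# October exchange: method and response type now match discovery, yet no secret comes back.
OCT_REQUEST = {
    "client_name": "Neebla", "application_type": "native",
    "redirect_uris": ["biz.SpasticMuffin.Neebla.demo:/mypath"],
    "post_logout_redirect_uris": ["biz.SpasticMuffin.Neebla.demo:/mypath"],
    "response_types": ["code"],
    "grant_types": ["refresh_token", "authorization_code"],
    "token_endpoint_auth_method": "client_secret_basic",
}
OCT_RESPONSE = {"client_id": "5E732CDD-8C77-4265-87DD-997468704FDA",
                "redirect_uris": ["biz.SpasticMuffin.Neebla.demo:/mypath"]}

# Auth methods that rely on a shared secret, so registration must issue one.
SECRET_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}
# Discovery fields that OpenID Connect Discovery defines as JSON booleans.
BOOLEAN_METADATA = ("claims_parameter_supported", "request_parameter_supported",
                    "request_uri_parameter_supported", "require_request_uri_registration")


def _rt_supported(rt, supported):
    """A response_type is a space-separated, order-insensitive set of tokens."""
    return any(set(rt.split()) == set(s.split()) for s in supported)


def check_registration(discovery, request, response):
    """Return (code, message) findings for one registration request/response pair."""
    findings = []
    # OIDC Registration default when the client omits the field.
    method = request.get("token_endpoint_auth_method", "client_secret_basic")
    methods_ok = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if method not in methods_ok:
        findings.append(("auth_method_unsupported", f"{method} not in {methods_ok}"))
    rts = request.get("response_types", ["code"])
    for rt in ([rts] if isinstance(rts, str) else rts):
        if not _rt_supported(rt, discovery.get("response_types_supported", [])):
            findings.append(("response_type_unsupported", f"response_type {rt!r} not advertised"))
    for gt in request.get("grant_types", ["authorization_code"]):
        if gt not in discovery.get("grant_types_supported", ["authorization_code", "implicit"]):
            findings.append(("grant_type_unsupported", f"grant_type {gt!r} not advertised"))
    if method in SECRET_AUTH_METHODS and not response.get("client_secret"):
        findings.append(("missing_client_secret",
                         f"{method} requested but the response carries no client_secret"))
    if response.get("redirect_uris") != request.get("redirect_uris"):
        findings.append(("redirect_uri_mismatch", "registered redirect_uris differ from request"))
    for key in BOOLEAN_METADATA:
        if key in discovery and not isinstance(discovery[key], bool):
            findings.append(("non_boolean_metadata", f"{key}={discovery[key]!r} should be a boolean"))
    return findings


def check_authorize_url(discovery, url):
    """Return findings for an authorization request URL built from the registration."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != discovery["authorization_endpoint"]:
        findings.append(("wrong_endpoint", "URL does not target authorization_endpoint"))
    if not _rt_supported(q.get("response_type", ""), discovery.get("response_types_supported", [])):
        findings.append(("response_type_unsupported", f"response_type {q.get('response_type')!r}"))
    ccm = q.get("code_challenge_method")
    if ccm and ccm not in discovery.get("code_challenge_methods_supported", []):
        findings.append(("pkce_method_unsupported", f"code_challenge_method {ccm!r}"))
    advertised = discovery.get("scopes_supported")  # advisory: servers may omit scopes here
    for scope in q.get("scope", "").split():
        if advertised and scope not in advertised:
            findings.append(("scope_not_advertised", f"scope {scope!r} not in scopes_supported"))
    return findings


if __name__ == "__main__":
    for label, req, resp in (("Sept", SEPT_REQUEST, SEPT_RESPONSE), ("Oct", OCT_REQUEST, OCT_RESPONSE)):
        for code, msg in check_registration(TRINPOD_DISCOVERY, req, resp):
            print(f"{label} registration: {code}: {msg}")
    for code, msg in check_authorize_url(TRINPOD_DISCOVERY, SEPT_AUTHORIZE_URL):
        print(f"Sept authorize URL: {code}: {msg}")
```

Run against the September data it reports the unsupported auth method, the unsupported "code id_token" response type and the missing client_secret; against the October data, where the client already matched the advertised method and response type, only the missing client_secret remains, which is the observation the thread ends on. The non-boolean metadata findings and the scopes not in scopes_supported are lower-severity conformance notes (scopes_supported is advisory), but they are worth knowing when a client library decides what to trust from a discovery document.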

@dustmoo

dustmoo commented Jan 1, 2023

Hey there @crspybits, happy new year. I've been experimenting with my own server and ran into this bug. I'm using the latest version of Community Solid Server. In my experimentation CSS is rejecting the client because the redirect_url is not "Secure".

The particular error I am seeing in Debug is: :/mypath#error=unauthorized_client&error_description=requested%20response_type%20is%20not%20allowed%20for%20this%20client

If I prepend an https:// to my redirect URL it clears up the response_type error but is not handled properly by the web view. (redirect error)

I'm still investigating but it appears that CSS, in a default state, is validating the redirect URL for security when id_token is included (which was the only token claim available in the default server I set up).

I'm still getting familiar with AppAuth and reviewing your sample libraries, but it seems that we either need to add internal app URLs to the validation in CSS somehow, or approach this a different way. (I'm currently reviewing how AppAuth handles the redirect URL.)

If you have any thoughts please let me know!
