ayan.poddar/eShopOnContainers
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Page: unauthorized_client error on Login
Pages
00. Dev machine requirements 01. Roadmap and Milestones for future releases 02. Setting eShopOnContainers in a Visual Studio 2017 environment 03. Setting the eShopOnContainers solution up in a Windows CLI environment (dotnet CLI, Docker CLI and VS Code) 04. Setting eShopOnContainer solution up in a Mac, VS for Mac or with CLI environment (dotnet CLI, Docker CLI and VS Code) 05. Deploying eShopOnContainers to a Docker Host Production environment 06. (Optional) Setting the Web SPA application up 07. Setting up the Xamarin mobile apps 08. Setting up and Deploying eShopOnContainers to Windows Containers 10. Deploying to Kubernetes (AKS and local) using Helm Charts 10.1 Using Azure Dev Spaces and AKS 11. Setting the solution up in Service Fabric 12. Deploying the infrastructure resources into Azure (DB, Cache, Service Bus, etc.) 13. Using HealthChecks in eShopOnContainers 14. Using Application Insights in eShopOnContainers 15. Implementing API Gateways with Ocelot in eShopOnContainers 16. Using Azure KeyVault to manage secrets of eShopOnContainers 17. Using Webhooks in eShopOnContainers 18. Centralized Structured Logging in eShopOnContainers 19. Logging using ELK stack 20. Azure Devops pipelines 99. FAQ (Frequently Asked Questions) AKS TLS API gateways Application Insights Architecture Asynchronous messaging Azure Dev Spaces Azure DevOps pipelines Azure Key Vault BFF implementation Backlog Build eShopOnContainers Building Cloud Native eBook changelog Code Flow Databases and containers Deploy to Azure Kubernetes Service (AKS) Archived Deploy to Azure Kubernetes Service (AKS) Deploy to Local Kubernetes Archived Deploy to Local Kubernetes Deploy to Windows containers Deploying Azure resources Deployment With GitHub Actions Deployment DevOps Docker compose deployment files Docker configuration Docker host ELK stack Explore the application Explore the code Frequent errors GitHub Actions Home Identity Server Load testing Mac setup Microservices Architecture eBook changelog Microservices DevOps eBook changelog Other Deployment Scenarios RabbitMQ Readme files Release notes Resiliency and Service Mesh Roadmap Serilog and Seq Simplified CQRS and DDD System requirements Unit and integration testing Using Azure resources Using HealthChecks Webhooks Windows setup Xamarin setup eBooks gRPC unauthorized_client error on Login
Clone
3
unauthorized_client error on Login
Miguel Veloso edited this page 2020-03-25 09:51:42 +00:00
Table of Contents

CONTENT

Causes

Client not registered in Identity Server

This error occurs because the connecting app (the "Client") isn't registered in the IdentityServer database as an authorized client.

The authorized client registration occurs when the Identity DB is seeded, and in eShopOnContainers this happens when the DB is first created. So this only happens when first installed or when restarting the Identity service if the DB has been deleted.

When registering the clients, eShopOnContainers reads the values from the following configuration variables, from either the appsettings.json file, the docker-compose.override.yml file or the equivalent environment variables:

- SpaClient
- MvcClient
- LocationApiClient
- MarketingApiClient
- BasketApiClient
- OrderingApiClient
- MobileShoppingAggClient
- WebShoppingAggClient
- WebhooksApiClient
- WebhooksWebClient

Docker Desktop upgraded to 2.2 and higher

Docker removed DockerNAT in Docker Desktop Community 2.2 so you can't use localhost to access a container and you must switch to host.docker.internal

Not starting from the correct address

This can be the result of any, or a combination, of the two causes above.

Details

Identity Server

IdentityServer uses the RedirectUri to decide if the connecting client is authorized

When a user that's not been authorized tries to use the [client] app, they are redirected to the IdentityServer's /connect/authorize endpoint, and the request includes a redirection uri that's used to complete the login process, as shown in the following image:

The authorized clients are registered in the Clients table and the related redirect URIs in the ClientRedirectUris table as shown in the following image:

It's important to keep in mind that if the application is registered as http://host.docker.internal:5004 but started as http://localhost:5104 it's considered to be a different one, so it'll get the unauthorized_client message.

Startup address

The startup address is defined in the .env file and used in docker-compose.override.yml as shown in the following images.

.env file

cocker-compose.override.yml file

Important

You MUST run the docker-compose up command from the folder where the .env file is, otherwise the values defined in the file won't be used.

Solutions

So the possible solution could be one or a combination of:

  1. Make sure you are starting the app from the correct address.

  2. Update the .env file as needed.

  3. Update the ClientRedirectUris table to the correct values.

  4. Drop the IdentityDb database and restart the Identity service, after updating the docker-compose.override.yml file, or the configmap.yaml in Kubernetes, so that all the clients are registered correctly.

eShopOnContainers

Getting started

FREQUENT ERRORS

Explore

Deployment

Local

Production (generic)

Cloud

Other Deployment Scenarios

DevOps