Implementing Oauth2 for User Enrollment

**Hi Community,**

We have been testing the use of OAuth2 for User Enrollment. As per the doc provided, we have supplied the method, authorization-url, token-url, redirect-url and client-id in the 401 response from the MDM server.

Authorization Request

As mentioned, the Apple client performed the authorization request by adding state and login_hint to the authorization-url, along with the params mentioned above, and successfully received the authorization code after the user logged in with the IdP.

<<<<< Request
GET /oauth2/authorization?response_type=code
    &client_id=XXXXXXXXXX
    &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
    &state=XXXXXXXXXX
    &login_hint=useroa@example.com HTTP/1.1
Host: mdmserver.example.com

------- MULTIPLE REQUESTS BETWEEN CLIENT Server ----------

>>>>> Response
HTTP/1.1 308 Permanent Redirect
Content-Length: 0
Location: apple-remotemanagement-user-login:/oauth2/redirection
    ?code=XXXXXXXXXX&state=XXXXXXXXXX


Token Request

Using the code received from the authorization server, the Apple client performs this step to get the access_token and refresh_token. I am using the authorization server created by default in my Okta domain, and this step fails.

<<<<< Request
POST /oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

grant_type=authorization_code
    &code=XXXXXXXXXXXX
    &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
    &client_id=XXXXXXXXXX


>>>>> Response
HTTP/2 401 Unauthorized
Content-Type: application/json
{
  "error": "invalid_client",
  "error_description": "Client authentication failed. Either the client or the client credentials are invalid."
}

When debugging this issue: as per Okta's doc https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens, the client must specify its credentials in the Authorization header as Authorization: Basic <client_id>:<client_secret> in order to get the access_token.

And also as per RFC 6749 https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3, confidential clients must specify the client_id and client_secret provided by the authorization server to receive the access tokens.

May I know how to overcome this issue, or did I miss any step that would include the Authorization header?

Thanks in advance.

Replies

I have the same issue. Most OAuth2 providers require a client_secret for requesting an access token.

By setting token-url=https://my.mdm.server.app/token and implementing the token request logic, adding the client_secret, in my MDM server, it would be possible to continue the enrollment flow. However, it is different from what is described in the figure in the guide.

How can we implement it?
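As an added example that is not part of the original post or the reply (and is not Apple's or Okta's code), the following is a token-endpoint proxy of the kind the reply describes. The MDM server advertises its own token-url to the device in the 401 response, accepts the public-client token request the device sends (form body with client_id but no secret, exactly as in the captured request above), validates it, and forwards it to the real authorization server with the confidential-client credentials in an HTTP Basic Authorization header, as RFC 6749 section 2.3.1 and the Okta doc quoted in the post require. The upstream token URL, client_id, client_secret and redirect URI are placeholder assumptions; the device-facing URL and port are hypothetical, and TLS is assumed to terminate in front of this process.

```python
"""Token-endpoint proxy for the OAuth2 User Enrollment code exchange.

Example code, not Apple's or Okta's. The device posts its code exchange to
the MDM server's token-url as a public client (no client_secret). This proxy
adds the confidential-client credentials the upstream authorization server
demands, as an HTTP Basic header (RFC 6749 section 2.3.1), and forwards the
request, passing the upstream token or error JSON back unchanged.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed deployment settings (placeholders): the upstream token endpoint and
# the confidential-client credentials issued by the authorization server.
UPSTREAM_TOKEN_URL = "https://example.okta.com/oauth2/default/v1/token"
CLIENT_ID = "XXXXXXXXXX"
CLIENT_SECRET = "replace-with-the-real-secret"
# The redirect URI the device used in the authorization request (from the post).
EXPECTED_REDIRECT_URI = "apple-remotemanagement-user-login:/oauth2/redirection"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: form-url-encode each credential, join with ':',
    base64-encode, and present as an HTTP Basic Authorization value."""
    cred = (urllib.parse.quote(client_id, safe="") + ":"
            + urllib.parse.quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(cred.encode()).decode()


def build_upstream_request(form_body: str) -> tuple:
    """Validate the device's token request and return (headers, body) for the
    upstream call. Raises ValueError for anything we refuse to forward, so the
    proxy cannot be used to exchange codes on behalf of other clients."""
    params = dict(urllib.parse.parse_qsl(form_body, keep_blank_values=True))
    if params.get("grant_type") != "authorization_code":
        raise ValueError("unsupported grant_type")
    if not params.get("code"):
        raise ValueError("missing code")
    if params.get("client_id") != CLIENT_ID:
        raise ValueError("client_id mismatch")
    if params.get("redirect_uri") != EXPECTED_REDIRECT_URI:
        raise ValueError("redirect_uri mismatch")
    # The client is now authenticated via the Basic header, so client_id in the
    # body is no longer required (RFC 6749 4.1.3); drop it together with any
    # client_secret the device might have sent, so only our credentials apply.
    params.pop("client_id", None)
    params.pop("client_secret", None)
    headers = {
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return headers, urllib.parse.urlencode(params)


class TokenProxyHandler(BaseHTTPRequestHandler):
    """Serves the token-url advertised to the device in the 401 response."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode()
        try:
            headers, upstream_body = build_upstream_request(body)
        except ValueError as exc:
            self._reply(400, json.dumps({"error": "invalid_request",
                                         "error_description": str(exc)}).encode())
            return
        req = urllib.request.Request(UPSTREAM_TOKEN_URL, data=upstream_body.encode(),
                                     headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, payload = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            # Pass the authorization server's error JSON (e.g. invalid_grant)
            # through to the device unchanged.
            status, payload = err.code, err.read()
        self._reply(status, payload)

    def _reply(self, status: int, payload: bytes):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Hypothetical bind address; put TLS termination in front of it.
    HTTPServer(("127.0.0.1", 8080), TokenProxyHandler).serve_forever()
```

The device never sees the client_secret: the MDM server holds it, and the device's request is accepted only if its grant_type, client_id and redirect_uri match what the MDM server advertised, so the proxy cannot be turned into a generic code-exchange oracle. The access_token returned upstream is what the device then presents to the MDM server as a Bearer token, so the MDM server still has to validate that token on the enrollment endpoints as it would in the flow described in the guide.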