Client authentication failed

[nyvelius]

I'm trying out ORY Hydra with a Single Page Application written in Angular and a login page rendered by Spring Boot. I've made it almost all the way but I seem to be stumbling towards the end, calling http://127.0.0.1:9000/oauth2/token.

These things work: The Single Page application communicates with the ORY Hydra server and redirects to the login page rendered by Spring. The login and consent flows both work and at the end I get redirected back to the SPA.

However, at this point, the js library angular-auth-oidc-client used to set up oidc in Angular logs the following error:

codeFlowCodeRequest incorrect state

If I start the auth flow again, Hydra / Spring go through the flow without further input from me, recognizing that I'm already authenticated and redirect me back to the SPA. At this point I get a 401 for the call to Hydra: POST http://127.0.0.1:9000/oauth2/token.

The request payload for this call has the following format:

grant_type=authorization_code
&client_id=spa-test-user
&code_verifier=<text>
&code=<text>
&redirect_uri=http://127.0.0.1:4200 // The SPA

The response clearly seems to indicate the error. However, this is confusing because this is the exact same client that works in every other part of the flow.

Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).

This is the config for angular-auth-oidc-client.

stsServer: 'http://127.0.0.1:9000',
redirectUrl: window.location.origin,
postLogoutRedirectUri: window.location.origin,
clientId: 'spa-test-user',
scope: 'openid offline_access',
responseType: 'code',
silentRenew: true,
useRefreshToken: true,
renewTimeBeforeTokenExpiresInSeconds: 30,

Ideas?

[nyvelius]

Turns out this works if I set token_endpoint_auth_method to none for the client. I suppose that's ok since it's a single page app -- any client secret wouldn't be secret anyway. That said, I'm surprised the first few calls went through.