Invalid client credentials with Inrupt App Registration

Hello all,

I am following along with this tutorial: Authenticate (Node.js: Single-User App) — Inrupt JavaScript Client Libraries

I have statically registered my app at broker.pod.inrupt.com and included the client secret and client id in a .env file, and they are importing correctly. However, when I try to authenticate using them I am met with the error invalid client (Invalid client credentials).

I have copied the code exactly as described, so is the tutorial outdated? If so, what do I need to do in order to enable this app?

Thank you in advance

It looks like our documentation there is using a different URL to the one you’d want; if you log in at broker.pod.inrupt.com, then that’s the issuer you’ll want to use, not login.inrupt.com (a newer environment we’re still releasing).


Hello,

I tried using login.inrupt.com and that seemed to send a response, where I was receiving the issue using broker.pod.inrupt.com, though you and your teams would know more about that than me. Thanks for the help!

I will say though that there is still an issue - using login.inrupt.com allows the request to go through, but the session’s webId is id.inrupt.com, which throws an error when trying to write with authentication to pods that are hosted on pod.inrupt.com. I figure I need to be using broker.pod.inrupt.com but the earlier invalid credentials error is still persisting.

So you’ve created a client at broker.pod.inrupt.com and when you session.login you’re passing oidcIssuer of https://broker.pod.inrupt.com? If so, that should work.

That said, login.inrupt.com is different, but does use the same users database, so the user logins work on both, but clients are tied to a specific instance.

Hello,

Using id.inrupt.com it says my webID is hosted at id.inrupt.com and the oidcIssuer is login.inrupt.com - however I recall my webid being pod.inrupt.com…/profile/card#me. Has something changed with my pod?

I know this can be confusing, so bear with me: on one hand, you have the identity provider, where you enter your login/password, and on the other, you have the Solid-OIDC Providers, which make it so that applications may know your WebID and access your data on your Pod. These two may be one and the same, as they are in CSS/NSS, but they also can very well be separate services, which is the case for ESS.

What @ThisIsMissEm is saying is that both http://broker.pod.inrupt.com/ and http://login.inrupt.com/, which are two different Solid-OIDC Providers, communicate with the same underlying Identity Provider, which means you will successfully log in with the same username/password for both Solid-OIDC Providers (because the username/password is managed by the underlying Identity Provider, which is unique in this case).

However, each Solid-OIDC Provider ties in a different set of services, which explains the discrepancies you’re observing:

So to summarize, if you want to work with your pre-existing Pod at https://pod.inrupt.com/<username>/, using your WebID looking like https://pod.inrupt.com/<username>/profile/card#me, you’ll want to log in to broker.pod.inrupt.com, and to register your static client at Application Registration.

Does that help?

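A preflight check for the two mismatches discussed in this thread, as an added example (not code from the tutorial, from Inrupt's libraries, or from any poster). It assumes a hypothetical `checkLoginConfig` helper, a constructed WebID profile for a made-up user `alice`, and a regex-level Turtle scan standing in for a real RDF parser.

```javascript
// Added example, not Inrupt's code. The profile below is constructed sample data.
const OIDC_ISSUER_IRI = "http://www.w3.org/ns/solid/terms#oidcIssuer";

const SAMPLE_PROFILE = `
@prefix solid: <http://www.w3.org/ns/solid/terms#> .
<https://pod.inrupt.com/alice/profile/card#me>
    solid:oidcIssuer <https://broker.pod.inrupt.com/> .
`;

// Compare providers by origin so a trailing slash or path does not matter.
const origin = (url) => new URL(url).origin;

// Simplified Turtle scan (use an RDF parser in real code): collect the IRIs
// that follow the oidcIssuer predicate, written in full or with a prefix.
function issuersFromProfile(turtle) {
  const prefixed = [...turtle.matchAll(/@prefix\s+(\w*):\s*<([^>]+)>/g)]
    .filter(([, , ns]) => ns + "oidcIssuer" === OIDC_ISSUER_IRI)
    .map(([, name]) => `${name}:oidcIssuer`);
  const predicates = [`<${OIDC_ISSUER_IRI}>`, ...prefixed]
    .map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  const re = new RegExp(
    `(?:${predicates.join("|")})\\s+((?:<[^>]+>\\s*,?\\s*)+)`, "g");
  const found = [];
  for (const [, objects] of turtle.matchAll(re)) {
    for (const [, iri] of objects.matchAll(/<([^>]+)>/g)) found.push(origin(iri));
  }
  return found;
}

// Returns a list of problem codes; an empty list means the settings agree.
function checkLoginConfig({ oidcIssuer, clientRegisteredAt, webIdProfile }) {
  const problems = [];
  // Static clients are tied to the provider instance that issued them, so
  // presenting them to another issuer is expected to fail as "invalid client".
  if (origin(oidcIssuer) !== origin(clientRegisteredAt)) {
    problems.push("client-not-registered-at-issuer");
  }
  // The WebID you intend to act as must list the issuer you log in with;
  // otherwise the session ends up with a different WebID than the Pod expects.
  if (!issuersFromProfile(webIdProfile).includes(origin(oidcIssuer))) {
    problems.push("issuer-not-listed-in-webid-profile");
  }
  return problems;
}
```

Run it before `session.login` with the issuer from your configuration, the provider where you registered the client, and the text of the profile document for the WebID you expect to use.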