django-oidc-provider
"The request is otherwise malformed" error?
I'm getting this error:
?error=invalid_request&error_description=The request is otherwise malformed
Which I think is the invalid_request error from one of these pieces of django-oidc-provider code:
```python
# Nonce parameter validation.
if self.is_authentication and self.grant_type == 'implicit' and not self.params['nonce']:
    raise AuthorizeError(self.params['redirect_uri'], 'invalid_request', self.grant_type)

# Response type parameter validation.
if self.is_authentication \
        and self.params['response_type'] not in self.client.response_type_values():
    raise AuthorizeError(self.params['redirect_uri'], 'invalid_request', self.grant_type)

# PKCE validation of the transformation method.
if self.params['code_challenge']:
    if not (self.params['code_challenge_method'] in ['plain', 'S256']):
        raise AuthorizeError(
            self.params['redirect_uri'], 'invalid_request', self.grant_type)
```
My request is:
http://192.168.1.30:13000/openid/authorize?response_type=code&scope=openid+email&client_id=560817&redirect_uri=http://192.168.1.30:12000/oidc/callback/&state=...
Which looks ok to me.
My client is configured with the three Hybrid Flow options in the list.
Any ideas? Thanks
Had the same problem when debugging manually with curl, while my Vue.js app using the oidc-client works just fine. In the end for me it was the response_type which has to conform exactly to what is set up for your client in the Django backend.

So if you have it set to a hybrid flow using "code id_token token", then you really have to use response_type=code%20id_token%20token in your query string and cannot just fetch only the access code or only the access token.

Also, if you use an implicit flow with "id_token token", make sure to provide a nonce parameter (&nonce=123somerandomstuff789abc) as well, otherwise you'll get the same rather unspecific error.
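Because all three checks quoted in the question return the same invalid_request error, it helps to run them against the request offline. The following is an added example, not django-oidc-provider code: it re-implements the three checks on a URL, and the function name, the response_type-to-flow sets and the "scope contains openid" test for an authentication request are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed mapping of response_type to flow; the page only shows the checks.
IMPLICIT = {"id_token", "id_token token", "token"}
HYBRID = {"code token", "code id_token", "code id_token token"}


def diagnose_authorize_request(url, client_response_types):
    """Return the reasons the three checks quoted above would reject `url`."""
    # parse_qs decodes both '+' and '%20' to a space, as the server would.
    query = parse_qs(urlsplit(url).query)

    def param(name):
        return query.get(name, [""])[0]

    response_type = param("response_type")
    # Assumption: an authentication request is one whose scope has 'openid'.
    is_authentication = "openid" in param("scope").split()
    is_implicit = response_type in IMPLICIT

    problems = []
    if is_authentication and is_implicit and not param("nonce"):
        problems.append("nonce is required for the implicit flow")
    if is_authentication and response_type not in client_response_types:
        problems.append(
            "response_type %r is not one of the client's configured values %s"
            % (response_type, sorted(client_response_types)))
    if param("code_challenge") and \
            param("code_challenge_method") not in ("plain", "S256"):
        problems.append("code_challenge_method must be 'plain' or 'S256'")
    return problems


# Constructed sample: the request from the question, with a placeholder state.
REQUEST = ("http://192.168.1.30:13000/openid/authorize?response_type=code"
           "&scope=openid+email&client_id=560817"
           "&redirect_uri=http://192.168.1.30:12000/oidc/callback/&state=xyz")

if __name__ == "__main__":
    # The client in the question is configured with the three hybrid values.
    for line in diagnose_authorize_request(REQUEST, HYBRID) or ["request passes"]:
        print(line)
```

For the request in the question this reports only the response_type mismatch, which matches the answer above.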