Since I've been able to answer my own question about manual client
registration (w/o MongoDB) in another thread (now resolved)
https://lists.sunet.se/pipermail/satosa-users/2020-March/000120.html
I'm starting a new thread about the latter (unrelated) issue:
Starting at the oidc-enabled app I'm sent to satosa with an auth
request, the client is now known/found (client_db details shared at
the above URL), the saml backend is invoked, SAML WebSSO happens,
attributes are mapped and I am back "Routing to frontend: oidc".
Then satosa raises an InvalidAuthorizationCode exception:
[pyop.authz_state.create_authorization_code] creating authz code for scope=openid email profile
[pyop.authz_state.create_authorization_code] new authz_code=eff...cd79 to client_id=someClientId for sub=someid at example.org valid_until=1585612419
...
[satosa.proxy_server.unpack_request] read request data: {'grant_type': 'authorization_code', 'code': 'eff...cd79', 'redirect_uri': 'https://some.example.org/auth/callback'}
...
[pyop.client_authentication.verify_client_authentication] client authentication in Authorization header Basic base64-encoded-client_id_colon_client_secret
[satosa.frontends.openid_connect.token_endpoint] invalid request: eff...cd79 unknown
Traceback (most recent call last):
  File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/satosa/frontends/openid_connect.py", line 363, in token_endpoint
    response = self.provider.handle_token_request(urlencode(context.request), headers)
  File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/provider.py", line 324, in handle_token_request
    return self._do_code_exchange(token_request, extra_id_token_claims)
  File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/provider.py", line 352, in _do_code_exchange
    authentication_request = self.authz_state.get_authorization_request_for_code(token_request['code'])
  File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/authz_state.py", line 320, in get_authorization_request_for_code
    raise InvalidAuthorizationCode('{} unknown'.format(authorization_code))
pyop.exceptions.InvalidAuthorizationCode: eff...cd79 unknown
So the authz code created above (first line) is now unknown (last line).
Why would that happen and what can I do to avoid it?
On the RP side (seemingly using
https://www.npmjs.com/package/openid-client) I currently only see the
same thing, as the RP is merely relaying the OP error, it seems. And this
being an OP error I probably don't have to dig into the RP side to get
more/better logging:
OPError: invalid_grant (eff...cd79 unknown)
    at processResponse (/opt/edumeet/mm/server/node_modules/openid-client/lib/helpers/process_response.js:45:13)
    at Client.grant (/opt/edumeet/mm/server/node_modules/openid-client/lib/client.js:1235:26)
    at process._tickCallback (internal/process/next_tick.js:68:7)
I'd appreciate suggestions on what I could have done wrong following
the satosa documentation where available, or how to further debug this
issue.
If other/more information (config details, logs, etc.) are needed or
my obscuring of details above is unclear I'm happy to provide those.
-peter
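An added illustration, not part of the original message and not pyop's or SATOSA's own code: a constructed model of an OP's authorization-code state that shows the conditions under which a code that was just created comes back as "unknown" at the token endpoint. It assumes a 600 s code lifetime and a constructed clock; client_id, sub, scope and valid_until are the values seen in the log above.

```python
import secrets
import time


class AuthzCodeStore:
    """Constructed model (not pyop): codes live only in this object's memory,
    are bound to a client, expire at valid_until and may be redeemed once."""

    def __init__(self, lifetime=600, clock=time.time):
        self._codes = {}
        self._lifetime = lifetime
        self._clock = clock

    def create(self, client_id, sub, scope):
        code = secrets.token_hex(16)
        self._codes[code] = {
            "client_id": client_id, "sub": sub, "scope": scope,
            "valid_until": int(self._clock()) + self._lifetime,
        }
        return code

    def exchange(self, code, client_id):
        """Return (stored request, status). pop() makes the code single-use."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None, "unknown: not in this store's memory"
        if self._clock() > entry["valid_until"]:
            return None, "unknown: expired"
        if entry["client_id"] != client_id:
            return None, "unknown: client mismatch"
        return entry, "ok"


def demo():
    """Four token-endpoint outcomes for codes minted by the same OP instance."""
    now = [1585611819]  # constructed clock: 600 s before the log's valid_until
    clock = lambda: now[0]
    worker_a = AuthzCodeStore(clock=clock)
    worker_b = AuthzCodeStore(clock=clock)  # separate process, separate memory
    args = ("someClientId", "someid", "openid email profile")
    results = {}
    code = worker_a.create(*args)
    results["same_store"] = worker_a.exchange(code, "someClientId")[1]
    results["replay"] = worker_a.exchange(code, "someClientId")[1]
    code = worker_a.create(*args)
    results["other_store"] = worker_b.exchange(code, "someClientId")[1]
    code = worker_a.create(*args)
    now[0] += 601  # clock passes valid_until=1585612419
    results["expired"] = worker_a.exchange(code, "someClientId")[1]
    return results
```

The "other_store" case is what a token request looks like when it is served by a process that does not share the state in which the code was created; "expired" and "replay" are the two other ways a real code becomes unknown.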