Issue while setting up OAuth for SSO with Forgerock AM


Nikunz Verma

Sep 14, 2022, 5:17:58 AM9/14/22
to pwm-general
Hello,

We are trying to set up third-party authentication with Forgerock Access Manager using the SSO OAuth client of PWM. The setup on both the PWM and AM side seems fine, but we are getting a 400 response in the logs and a blank page in the browser when we try to log in through the AM SSO page. After entering the credentials, they are redirected to a blank page. This seems to be happening at the stage when PWM requests an Access Token from AM. It seems that AM is not able to understand this request and returns a 400 response with the PWM error "5071 ERROR_OAUTH_ERROR (unexpected error communicating with oauth server: password.pwm.error.PwmUnrecoverableException: 5071 ERROR_Oring oauth code resolver request to https://hostname:port/am/oauth2/access_token)".

Detailed error message below:

2022-09-06T15:31:19Z, TRACE, macro.MacroMachine, replaced macro @PwmContextPath@ with value: /pwm (0ms)
2022-09-06T15:31:19Z, TRACE, http.PwmRequest, {gwDqR,default} GET request for: /pwm/public/oauth received request=2ov, domain=default [10.142.126.166]
  code='Yi8Mpo2NTLkYJrJk7aaAvoTVDJo'
  iss='https://hostname:port/am/oauth2'
  state='H4sIAAAAAAAAAAF3AIj_UFdNLkdDTTEQXdTYYg6hz6VOfFmkfWKvVsj7rq08_K0HV5UlGK13RTtfOgV7Gchs1xfPh4Q6Pv_NpQkwb1g53TjpuymoZ0xsMwK4o_67uW2vjasUXyRLdiZAba0oMIiCBSQHlucSGVF5ULuMopOQuKoEDiDvIbuo
  client_id='DEV-PWM'
2022-09-06T15:31:19Z, TRACE, oauth.OAuthMachine, {gwDqR,default} read state while parsing oauth consumer request with match=true, {"c":0,"t":"2022-09-06T13:30:45Z","i":"key","n":"/pwm/priva
2022-09-06T15:31:19Z, TRACE, oauth.OAuthConsumerServlet, {gwDqR,default} processing oauth return request, useCase=Authentication, incoming oAuthRequestState={"oAuthState":{"c":0,"t":"2022-0":"A","v":1},"sessionMatch":true} [10.142.126.166]
2022-09-06T15:31:19Z, TRACE, oauth.OAuthConsumerServlet, {gwDqR,default} received code from oauth server: Yi8Mpo2NTLkYJrJk7aaAvoTVDJo [10.142.126.166]
2022-09-06T15:31:19Z, TRACE, oauth.OAuthMachine, {gwDqR,default} calculated oauth self end point URI as 'https://pwmhostname/pwm/public/oauth' using method Input Request URL [
2022-09-06T15:31:19Z, TRACE, httpclient.ApachePwmHttpClient, {gwDqR,default} client #0 preparing to send HTTP POST request to https://hostname:port/am/oauth2/access_tokenB7DE7EFB8566D58E936F842ECE3A97B43B4AC,7CCC2A87E3949F20572B18482980505FA90CAC3B,A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436] id=0)  [10.142.126.166]
  header: Authorization=*hidden*
  header: Content-Type=application/x-www-form-urlencoded; charset=UTF-8
  body: [203 chars] *hidden*
2022-09-06T15:31:20Z, TRACE, secure.PwmTrustManager, server certificate subject=CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US, serial=1094471959895204037495183296379Trust RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US, serial=7014754403668890451052340637799309683
2022-09-06T15:31:20Z, TRACE, httpclient.ApachePwmHttpClient, {gwDqR,default} client #0 received response (id=0) in 732ms: HTTP response status 400  id=0)  [10.142.126.166]
  header: X-Frame-Options=DENY
  header: X-Content-Type-Options=nosniff
  header: Strict-Transport-Security=max-age=31536000
  header: X-XSS-Protection=1; mode=block
  header: Referrer-Policy=origin-when-cross-origin
  header: Permissions-Policy=geolocation=(), midi=(), camera=(), usb=(), magnetometer=(), accelerometer=(), vr=(), speaker=(), ambient-light-sensor=(), gyroscope=(), microphone=()
  header: Cache-Control=no-store
  header: Pragma=no-cache
  header: Content-Type=application/json;charset=UTF-8
  header: Content-Length=78
  header: Date=Tue, 06 Sep 2022 13:31:19 GMT
  header: Connection=close
  header: Set-Cookie=BIGipServerPool-i-am-na_tcp443=2388933130.64288.0000; path=/; Httponly; Secure
  body: [78 chars] *hidden*
2022-09-06T15:31:20Z, ERROR, oauth.OAuthConsumerServlet, 5071 ERROR_OAUTH_ERROR (unexpected error communicating with oauth server: password.pwm.error.PwmUnrecoverableException: 5071 ERROR_Oring oauth code resolver request to https://hostname:port/am/oauth2/access_token))
2022-09-06T15:31:20Z, TRACE, http.PwmRequest, {gwDqR,default} GET request for: /pwm/public/oauth completed request=2ov, domain=default [10.142.126.166]
  code='Yi8Mpo2NTLkYJrJk7aaAvoTVDJo'
  iss='https://hostname:port/am/oauth2'
  state='H4sIAAAAAAAAAAF3AIj_UFdNLkdDTTEQXdTYYg6hz6VOfFmkfWKvVsj7rq08_K0HV5UlGK13RTtfOgV7Gchs1xfPh4Q6Pv_NpQkwb1g53TjpuymoZ0xsMwK4o_67uW2vjasUXyRLdiZAba0oMIiCBSQHlucSGVF5ULuMopOQuKoEDiDvIbuo
  client_id='DEV-PWM' (997ms)
2022-09-06T15:31:28Z, DEBUG, report.ReportService, {#,system,ReportService} report service initialized: {"jobDuration":{"ms":0},"reportComplete":false,"count":0,"errors":0,"settingsHash":"424E788E63CD27DFEA38F9A3F07CC5BBD7D28F5E648787F4623F81ECFCDCA30C66594F17BF6AD10E","currentProcess":"None"}


Also, I tried to replicate the request through Postman, which completed successfully and returned an access token.

On the AM side we have the error below:
ERROR: Client (DEV-PWM) using multiple authentication methods

Thanks in advance for your answers.
Nikunj Verma

Aaron Bliss

Apr 16, 2023, 5:24:01 PM4/16/23
to pwm-general
Did you ever get to the bottom of this error? I'm seeing the same issue attempting to use ADFS' OAuth implementation with PWM.

Best,
Aaron

Paul Hodgdon

Apr 17, 2023, 6:45:48 AM4/17/23
to pwm-g...@googlegroups.com
I've seen this before using WSO2, and I had to change the httpClient class to remove the "Authorization" header. With your test using Postman that worked, did you pass in Authorization?

Paul Hodgdon
Principal Consultant | Identity Works LLC
Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com
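The rejection described in both posts above (AM's "Client (DEV-PWM) using multiple authentication methods" on a token request that carries an Authorization header plus a form body, and the fix of dropping that header) comes from RFC 6749 section 2.3, which says a client must not use more than one authentication method per request. The following is an added example, not code from PWM, ForgeRock AM or any poster in this thread: it builds a token request with exactly one client authentication method and models the server-side check that produces the 400. The client id, secret, code and redirect URI are constructed placeholders.

```python
# Added illustration of the "multiple authentication methods" check, not PWM
# or ForgeRock code. Per RFC 6749 section 2.3 a client MUST NOT use more than
# one authentication method in a single request, so a token endpoint may answer
# 400 when it sees HTTP Basic credentials AND client_secret in the form body.
import base64
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://hostname:port/am/oauth2/access_token"  # from the thread


def build_token_request(code, redirect_uri, client_id, client_secret, method):
    """Return (headers, body) for an authorization_code exchange that uses
    exactly one client authentication method: 'basic' or 'post'."""
    form = {"grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
    if method == "basic":          # client_secret_basic: credentials in header only
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif method == "post":         # client_secret_post: credentials in body only
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("method must be 'basic' or 'post'")
    return headers, urlencode(form)


def count_client_auth_methods(headers, body):
    """Server-side view: how many client authentication methods does the
    request carry? Basic header and client_secret in the body each count."""
    methods = 0
    if headers.get("Authorization", "").startswith("Basic "):
        methods += 1
    if "client_secret" in parse_qs(body):
        methods += 1
    return methods


def token_endpoint_accepts(headers, body):
    """Model of the AS decision: accept only a request with exactly one
    client authentication method; anything else is a 400 (invalid_client)."""
    return count_client_auth_methods(headers, body) == 1
```

Mixing the two (a Basic header plus client_secret in the body, as a client library can do when both options are configured) yields a count of two and is rejected, which matches the behaviour both posters describe.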
