IdM 4.7.2 complains about OAuth issuer host "URL:443/.."

Hi,

IdM 4.7.2 complains about the OAuth issuer host URL:443. Any solution would be appreciated.
OSP Log
---------
com.netiq.idm.osp.oauth.issuer: https://www.host:443/osp/a/idm/auth/oauth2

ism-config...properties
----------------------
com.netiq.idm.osp.oauth.issuer = ${com.netiq.idm.osp.url.host}/osp/a/idm/auth/oauth2

May I use a static URL?

Login to the idmdash
----------------
<Fault>
<Code>
<Value>Receiver</Value>
<Subcode>
<Value>AuthServerUnavailable</Value>
</Subcode>
</Code>
<Reason>
<Text>
An error occurred while attempting to contact the authentication service.
</Text>
</Reason>
</Fault>

Catalina.log
---------------
ERROR [com.netiq.idm.auth.oauth.OAuthServlet] (https-jsse-nio-8443-exec-20) [RBPM] An error occurred while attempting to contact the authentication service.
com.novell.common.auth.ValidationException: internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid issuer. Expected: 'www.host:443/.../oauth2; actual: 'www.host/.../oauth2'.
at com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:187)
at com.netiq.idm.auth.oauth.OAuthServlet.doGet(OAuthServlet.java:70)
  • On 1/29/2019 2:24 PM, c-pkalla wrote:
    >
    > Hi,
    >
    > IdM 4.7.2 complains about the OAuth issuer host URL:443. Any solution
    > would be appreciated.
    > OSP Log
    > ---------
    > com.netiq.idm.osp.oauth.issuer:
    > https://www.host:443/osp/a/idm/auth/oauth2
    >
    > ism-config...properties
    > ----------------------
    > com.netiq.idm.osp.oauth.issuer =
    > ${com.netiq.idm.osp.url.host}/osp/a/idm/auth/oauth2
    >
    > May I use a static URL?


    Hey KP! Hope you do not get buried in the snow today out there in the
    middle of the state.

    Using 443 is a pain in OSP.

    https://test.com/

    and https://test.com:443/ are semantically the same.

    HOWEVER, browsers, being your intellectual betters, (Never doubt your
    browser overlords... All hail the great browser! Mozilla, Chrome, we
    worship your burnished glory) they 'fix' the :443 that you explicitly
    type, and remove it.

    So now, in OSP you configured it as:
    https://test.com:443/

    So you MUST come into the OSP instance via HTTPS on :443.

    But the browser said, https is always 443 by default, so don't be silly,
    we don't need no steenkin 443 and rewrites it to:
    https://test.com/

    OSP follows the standard (per Steve) very strictly and says,
    https://test.com/ is NOT the same as https://test.com:443/

    So OSP fails to let you in.

    Annoying as heck, right?

    Ok, easy peasy fix, in configupdate.sh I will simply leave the port
    blank right?

    Nope, won't save. So you put in 443, and then you edit the
    ism-configuration.properties file to remove the 443. I forget which
    specific lines, but it is only 3 or 4 of them as I recall.

    Which is intensely stupid as a solution, but it works.

    And if you read your error message, that is exactly what it is saying:

    Expected: 'www.host:443/.../oauth2; actual:
    'www.host/.../oauth2'.

    It is complaining about the :443 missing.


    > Login to the idmdash
    > ----------------
    > <Fault>
    > <Code>
    > <Value>Receiver</Value>
    > <Subcode>
    > <Value>AuthServerUnavailable</Value>
    > </Subcode>
    > </Code>
    > <Reason>
    > <Text>
    > An error occurred while attempting to contact the authentication
    > service.
    > </Text>
    > </Reason>
    > </Fault>
    >
    > Catalina.log
    > ---------------
    > ERROR [com.netiq.idm.auth.oauth.OAuthServlet]
    > (https-jsse-nio-8443-exec-20) [RBPM] An error occurred while attempting
    > to contact the authentication service.
    > com.novell.common.auth.ValidationException:
    > internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid
    > issuer. Expected: 'www.host:443/.../oauth2; actual:
    > 'www.host/.../oauth2'.
    > at
    > com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:187)
    > at com.netiq.idm.auth.oauth.OAuthServlet.doGet(OAuthServlet.java:70)
    >
    >


  • Awesome! It worked. You are the magic man :).