
IdM 4.7.2 complain about oauth issuer host "URL:443/.."

Hi,

IdM 4.7.2 complains about the OAuth issuer host URL:443. I would appreciate it if anyone has a solution.
OSP Log
---------
com.netiq.idm.osp.oauth.issuer: https://www.host:443/osp/a/idm/auth/oauth2

ism-config...properties
----------------------
com.netiq.idm.osp.oauth.issuer = ${com.netiq.idm.osp.url.host}/osp/a/idm/auth/oauth2

May I use a static URL?

Logging in to idmdash
----------------
<Fault>
<Code>
<Value>Receiver</Value>
<Subcode>
<Value>AuthServerUnavailable</Value>
</Subcode>
</Code>
<Reason>
<Text>
An error occurred while attempting to contact the authentication service.
</Text>
</Reason>
</Fault>

Catalina.log
---------------
ERROR [com.netiq.idm.auth.oauth.OAuthServlet] (https-jsse-nio-8443-exec-20) [RBPM] An error occurred while attempting to contact the authentication service.
com.novell.common.auth.ValidationException: internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid issuer. Expected: 'https://www.host:443/osp/a/idm/auth/oauth2; actual: 'https://www.host/osp/a/idm/auth/oauth2'.
at com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:187)
at com.netiq.idm.auth.oauth.OAuthServlet.doGet(OAuthServlet.java:70)

Re: IdM 4.7.2 complain about oauth issuer host "URL:443/.."

On 1/29/2019 2:24 PM, c-pkalla wrote:
>
> Hi,
>
> IdM 4.7.2 complains about the OAuth issuer host URL:443. I would
> appreciate it if anyone has a solution.
> OSP Log
> ---------
> com.netiq.idm.osp.oauth.issuer:
> https://www.host:443/osp/a/idm/auth/oauth2
>
> ism-config...properties
> ----------------------
> com.netiq.idm.osp.oauth.issuer = ${com.netiq.idm.osp.url.host}/osp/a/idm/auth/oauth2
>
> May I use a static URL?


Hey KP! Hope you do not get buried in the snow today out there in the
middle of the state.

Using 443 is a pain in OSP.

https://test.com/

and https://test.com:443/ are semantically the same.

HOWEVER, browsers, being your intellectual betters, (Never doubt your
browser overlords... All hail the great browser! Mozilla, Chrome, we
worship your burnished glory) they 'fix' the :443 that you explicitly
type, and remove it.

So now, in OSP you configured it as:
https://test.com:443/

So you MUST come into the OSP instance via HTTPS on :443.

But the browser said, https is always 443 by default, so don't be silly,
we don't need no steenkin 443 and rewrites it to:
https://test.com/

OSP follows the standard (per Steve) very strictly and says,
https://test.com/ is NOT the same as https://test.com:443/

So OSP fails to let you in.

Annoying as heck, right?

Ok, easy peasy fix, in configupdate.sh I will simply leave the port
blank right?

Nope, won't save. So you put in 443, and then you edit the
ism-configuration.properties file to remove the 443. I forget which
specific lines, but it is only 3 or 4 of them as I recall.

Which is intensely stupid as a solution, but it works.

And if you read your error message, that is exactly what it is saying:

Expected: 'https://www.host:443/osp/a/idm/auth/oauth2; actual:
'https://www.host/osp/a/idm/auth/oauth2'.

It is complaining about the :443 missing.


> Logging in to idmdash
> ----------------
> <Fault>
> <Code>
> <Value>Receiver</Value>
> <Subcode>
> <Value>AuthServerUnavailable</Value>
> </Subcode>
> </Code>
> <Reason>
> <Text>
> An error occurred while attempting to contact the authentication
> service.
> </Text>
> </Reason>
> </Fault>
>
> Catalina.log
> ---------------
> ERROR [com.netiq.idm.auth.oauth.OAuthServlet]
> (https-jsse-nio-8443-exec-20) [RBPM] An error occurred while attempting
> to contact the authentication service.
> com.novell.common.auth.ValidationException:
> internal.atlaslite.jcce.oauth2.discovery.WrongIssuerException: Invalid
> issuer. Expected: 'https://www.host:443/osp/a/idm/auth/oauth2; actual:
> 'https://www.host/osp/a/idm/auth/oauth2'.
> at
> com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:187)
> at com.netiq.idm.auth.oauth.OAuthServlet.doGet(OAuthServlet.java:70)
>
>



Re: IdM 4.7.2 complain about oauth issuer host "URL:443/.."

Geoffrey Carman wrote:

> But the browser said, https is always 443 by default, so don't be silly, we
> don't need no steenkin 443 and rewrites it to: https://test.com/
>
> OSP follows the standard (per Steve) very strictly and says,
> https://test.com/ is NOT the same as https://test.com:443/


Browsers will surely realize their fault any moment (if only someone tagged
them on twitter about it...) - no need to adapt OSP or configupdate.sh to
reality, right?
______________________________________________
https://www.is4it.de/identity-access-management

Re: IdM 4.7.2 complain about oauth issuer host "URL:443/.."

On 1/30/2019 2:34 AM, Lothar Haeger wrote:
> Geoffrey Carman wrote:
>
>> But the browser said, https is always 443 by default, so don't be silly, we
>> don't need no steenkin 443 and rewrites it to: https://test.com/
>>
>> OSP follows the standard (per Steve) very strictly and says,
>> https://test.com/ is NOT the same as https://test.com:443/

>
> Browsers will surely realize their fault any moment (if only someone tagged
> them on twitter about it...) - no need to adapt OSP or configupdate.sh to
> reality, right?


Do you believe that? They all do it. IE, Chrome, Firefox, etc.



Re: IdM 4.7.2 complain about oauth issuer host "URL:443/.."

Can't be sarcasm without a smiley, right? 😉
______________________________________________
https://www.is4it.de/identity-access-management

Re: IdM 4.7.2 complain about oauth issuer host "URL:443/.."

On 1/30/2019 12:34 PM, Lothar Haeger wrote:
> Can't be sarcasm without a smiley, right? 😉


It is your accent. Hard to hear the sarcasm when you type with that
thick accent.


Re: IdM 4.7.2 complain about oauth issuer host "URL:443/.."

awesome! It's worked. You are the magic man :).

Re: IdM 4.7.2 complain about oauth issuer host "URL:443/.."

On 1/30/2019 11:04 AM, c-pkalla wrote:
>
> awesome! It's worked. You are the magic man :).


Tell your boss. 🙂 Glad it worked.


Re: IdM 4.7.2 complain about oauth issuer host "URL:443/.."

On 1/30/2019 11:04 AM, c-pkalla wrote:
>
> awesome! It's worked. You are the magic man :).
>
>

Do remember, every time you touch it with configupdate.sh, you have to
remember to go back and fix it again here. It is so very annoying.

Seems like fixing configupdate.sh to allow you to skip a port would
simply fix this. And yet, we wait.
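
The manual fix described in this thread (removing the explicit :443 from ism-configuration.properties, and repeating that after every configupdate.sh run) can be checked with a small script. This is an added example, not part of the original posts or of any NetIQ tooling; it assumes values are stored unescaped as in the lines quoted above, and the `example.*` keys and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: report https URLs that spell out the default port (:443) in a
# properties file and print a corrected copy for review. Nothing is edited in place.
# Assumption: values are stored unescaped, as in the lines quoted in the thread.

# https://<host>:443 followed by "/", whitespace or end of line, so ports
# such as :4430 or :8443 never match.
DEFAULT_PORT_RE='https://[^/:[:space:]]+:443(/|[[:space:]]|$)'

# Print "line:key" for each non-comment property carrying an explicit :443.
# Returns 0 when at least one is found, 1 when the file is clean.
find_default_ports() {
    grep -nE "$DEFAULT_PORT_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*[#!]' |
        sed -E 's/^([0-9]+):[[:space:]]*([^=[:space:]]+).*/\1:\2/' | grep .
}

# Write the file to stdout with the redundant :443 removed (comments untouched).
strip_default_ports() {
    sed -E '/^[[:space:]]*[#!]/!s#(https://[^/:[:space:]]+):443(/|[[:space:]]|$)#\1\2#g' "$1"
}

# Constructed sample mirroring the thread; the example.* keys are hypothetical.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample; a comment mentioning https://www.host:443 is ignored
com.netiq.idm.osp.url.host = https://www.host:443
com.netiq.idm.osp.oauth.issuer = ${com.netiq.idm.osp.url.host}/osp/a/idm/auth/oauth2
example.landing.url = https://www.host:443/idmdash
example.other.port = https://www.host:8443/app
EOF
}

# Usage: sh check_issuer_port.sh /path/to/ism-configuration.properties
# Re-run after every configupdate.sh save, which writes the port back.
if [ -n "${1:-}" ]; then
    if find_default_ports "$1"; then
        strip_default_ports "$1" | diff "$1" - || true   # proposed change
    else
        echo "no explicit :443 found in $1"
    fi
fi
```

Because the issuer property is built from `${com.netiq.idm.osp.url.host}`, a single flagged host value is enough to produce the `WrongIssuerException` shown in the Catalina log.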