Forum Replies Created

Viewing 15 posts - 1 through 15 (of 529 total)
    #28702
     Scott Heger
    Participant

    I had someone else have this issue and it was in fact due to using Tomcat 10. Use Tomcat 9 as Andrew suggests and you should be fine.

    #28688
     Scott Heger
    Participant

    In your very first access_token request, if you include the scope “openid” then AM will return an id_token along with the access_token, assuming you set up your realm as an OpenID Connect provider. So:

    curl --location --request POST 'http://am.example.com:8080/am/oauth2/realms/root/access_token' \
    --header 'Authorization: Basic c3RldmU6cGFzc3dvcmQ=' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username=user1' \
    --data-urlencode 'password=7fYCi0Frhcq5p3gCXGxJ2B' \
    --data-urlencode 'scope=cn openid'

    #28657
     Scott Heger
    Participant

    I assume your identity store is OpenDJ. What version of that are you using? There may be a way to use an LDAP filter condition in your policy vs group membership but I need to check what your version of DJ provides with regards to static groups.

    #28650
     Scott Heger
    Participant

    Are you using static or dynamic groups?

    #28408
     Scott Heger
    Participant

    Per https://backstage.forgerock.com/docs/am/6.5/auth-nodes/#accessing-user-profile, try using:

    IdUtils.getIdentity(username, realm, realmAliasAttrs);

    #28401
     Scott Heger
    Participant

    Hi Praveen,

    You may want to post this question in the IDM channel as it is more related to that. You’d probably get a response over there.

    Regards,
    Scott

    #28372
     Scott Heger
    Participant

    One resource that helped me when testing/using the JWT Bearer Flow where I had a Trusted JWT Issuer that used a JWK Set was this: https://8gwifi.org/jwkconvertfunctions.jsp. It allows you to convert a PEM to a JWK so you can populate your JWK Set properly from the PEM of your public key. Just tossing this out there as it is related to the topic.

    #28360
     Scott Heger
    Participant

    Do you have CORS enabled by any chance?

    #28359
     Scott Heger
    Participant

    You can fully test the JWT bearer flow using tools other than the sample code if you don’t have access to it. You would need a tool that can generate a proper jwt (something like https://kjur.github.io/jsrsasign/tool/tool_jwt.html) and then a REST client like Postman. This is how I tested and validated this flow for one of my customers and it worked like a charm.

    #28322
     Scott Heger
    Participant

    Good idea!

    #28318
     Scott Heger
    Participant

    Keep in mind that you can modify the isAlive.jsp page to fit your needs. By default it makes an authenticated call to the config store and if that is successful it will return an HTTP 200 response along with a message body that has the text “Server is ALIVE:”. If that call to the config store is unsuccessful then isAlive.jsp returns an HTTP 500 response. Being a simple JSP you can modify that to return or do whatever you want it to. Of course if the server’s container (e.g. Tomcat) is actually down then your health monitor would get a connection timeout when calling that page. As Jatinder mentioned, IG could also help, assuming you have IG in front of AM. In either case you would have to trigger something to make either AM or IG act differently with regard to the healthcheck in order to make your health monitor route properly.

    Oh and @jsingh if you are looking for some work (based on your name), hit me up on LinkedIn. I’ve got plenty. :)

    #28305
     Scott Heger
    Participant
    #28234
     Scott Heger
    Participant

    lol

    #28232
     Scott Heger
    Participant

    Probably related to https://bugster.forgerock.org/jira/browse/OPENAM-16271 which would explain why it works in v7.

    #28229
     Scott Heger
    Participant

    Creation of the subscribers realm is performed in Chapter 1, Lesson 1, Exercise 2, Task 2. It seems you may have missed this step.
