@shegergmail-com (active 3 weeks ago)
Forum Replies Created
September 28, 2021 at 7:27 pm #28702
I had someone else have this issue and it was in fact due to using Tomcat 10. Use Tomcat 9 as Andrew suggests and you should be fine.
September 8, 2021 at 2:17 am #28688
In your very first access_token request, if you include the scope “openid” then AM will return an id_token along with the access_token, assuming you set up your realm as an OpenID Connect provider. So:
curl --location --request POST 'http://am.example.com:8080/am/oauth2/realms/root/access_token' \
  --header 'Authorization: Basic c3RldmU6cGFzc3dvcmQ=' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'username=user1' \
  --data-urlencode 'password=7fYCi0Frhcq5p3gCXGxJ2B' \
  --data-urlencode 'scope=cn openid'
August 16, 2021 at 8:51 pm #28657
I assume your identity store is OpenDJ. What version of that are you using? There may be a way to use an LDAP filter condition in your policy vs. group membership, but I need to check what your version of DJ provides with regards to static groups.
August 12, 2021 at 6:22 pm #28650
Are you using static or dynamic groups?
December 14, 2020 at 5:16 pm #28408
IdUtils.getIdentity(username, realm, realmAliasAttrs);
December 4, 2020 at 7:54 pm #28401
You may want to post this question in the IDM channel as it is more related to that. You’d probably get a response over there.
Scott
November 19, 2020 at 7:08 pm #28372
One resource that helped me when testing/using the JWT Bearer Flow, where I had a Trusted JWT Issuer that used a JWK Set, was this: https://8gwifi.org/jwkconvertfunctions.jsp. It allows you to convert a PEM to a JWK so you can populate your JWK Set properly from the PEM of your public key. Just tossing this out there as it is related to the topic.
November 12, 2020 at 5:10 pm #28360
Do you have CORS enabled by any chance?
November 12, 2020 at 5:06 pm #28359
You can fully test the JWT bearer flow using tools other than the sample code if you don’t have access to it. You would need a tool that can generate a proper JWT (something like https://kjur.github.io/jsrsasign/tool/tool_jwt.html) and then a REST client like Postman. This is how I tested and validated this flow for one of my customers and it worked like a charm.
October 7, 2020 at 6:49 pm #28322
Good idea!
October 7, 2020 at 1:23 am #28318
Keep in mind that you can modify the isAlive.jsp page to fit your needs. By default it makes an authenticated call to the config store and if that is successful it will return an HTTP 200 response along with a message body that has the text “Server is ALIVE:”. If that call to the config store is unsuccessful then isAlive.jsp returns an HTTP 500 response. Being a simple JSP you can modify that to return or do whatever you want it to. Of course if the server’s container (e.g. Tomcat) is actually down then your health monitor would get a connection timeout when calling that page. As Jatinder mentioned, IG could also help, assuming you have IG in front of AM. In either case you would have to trigger something to make either AM or IG act differently with regard to the healthcheck in order to make your health monitor route properly.
Oh, and @jsingh, if you are looking for some work (based on your name), hit me up on LinkedIn. I’ve got plenty. :)
September 25, 2020 at 5:35 pm #28305
See if this helps: https://github.com/OpenIdentityPlatform/OpenAM/releases
August 27, 2020 at 10:30 pm #28234
lol
August 27, 2020 at 10:29 pm #28232
Probably related to https://bugster.forgerock.org/jira/browse/OPENAM-16271, which would explain why it works in v7.
August 27, 2020 at 5:35 am #28229
Creating of the subscribers realm is performed in Chapter 1, Lesson 1, Exercise 2, Task 2. Seems you may have missed this step.