OAuth2 Invalid grant error on access token endPoint

This topic has 26 replies, 3 voices, and was last updated 5 years, 2 months ago by anta.

  • #18101
     Scott Heger
    Participant

    Log in using https://openam.tech.aws.info:8443/openam/auth/XUI/#login/ as amadmin. Click on your tech realm then in the left hand menu go to Authentication->Modules->LDAP. In there you will see what is set for “DN to Start User Search”. Change if necessary.

    If you made the persistent search controls change via OpenDJ directly then you would probably want to restart OpenAM to ensure it picked up that config change.

    #18102
     anta
    Participant

    The “DN to Start User Search” in the OpenAM console is the same value found in the XML config file. I restarted my container with OpenAM, but the log still shows the value “dc=openam,dc=forgerock,dc=org”, and in the OpenAM console I have the new value for the persistent search. I’m clueless here.

    #18103
     Scott Heger
    Participant

    Hmmm. Can you try using the DataStore module to see if that works?

    #18104
     anta
    Participant

    I’m not sure what you mean by using the DataStore module. In Authentication > Modules? If yes, sorry, but I don’t really see how to use it to check the user connection.

    #18105
     Scott Heger
    Participant

    In your tech realm go to Authentication->Settings->Core and find what is set for “Organization Authentication Configuration”. By default that would be set to the chain called “ldapService”. The default authentication module in the ldapService chain is the DataStore module. Since it looks like you are using a chain that has the LDAP module in it, I’m guessing that either your ldapService chain was changed to use LDAP or you have another chain created with LDAP in it that is set as your “Organization Authentication Configuration” chain. However you have it, I am suggesting that you change your setting so that whatever chain is set for “Organization Authentication Configuration” contains DataStore vs LDAP.

    Another option, and maybe easier, is to simply add to your request the auth chain you want to use:

    POST /openam/oauth2/access_token?realm=/tech HTTP/1.1
    Host: openam.tech.aws.info:8443
    Authorization: Basic b2F1dGhBZ2VudDp5dXZ3ODlmZioq
    Content-Type: application/x-www-form-urlencoded

    username=user&password=pwd&grant_type=password&auth_chain=ldapService

    #18106
     Scott Heger
    Participant

    Sorry, I forgot we were trying to test authentication via the console and not with OAuth. But you can try what I posted or if you want to try with the console then you can specify the authentication chain with the service parameter. Just add &service=ldapService to your login URL to the console. Again assuming your ldapService chain still has DataStore as the only module in it. If not, specify the chain that does.
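
The request in the post above, as an added example that is not code from the thread or from ForgeRock: it builds the same OAuth2 password-grant request with an explicit auth_chain (encoding the client credentials into the Basic header per RFC 6749 section 2.3.1), classifies the token endpoint's JSON reply, and compares the outcome across chains so an invalid_grant can be attributed to one chain's modules rather than to the OAuth2 client. The hostname, client credentials, chain names and response bodies are constructed placeholders, and nothing here touches the network.

```python
"""Added example: build an OpenAM password-grant request with an explicit auth_chain
and diagnose invalid_grant by comparing chains. All values are constructed placeholders."""
import base64
import json
from urllib.parse import urlencode


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1 client authentication: base64("client_id:client_secret")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(base_url, realm, client_id, client_secret,
                        username, password, auth_chain=None):
    """Return (url, headers, body) for a resource-owner password grant.

    auth_chain names the OpenAM authentication chain that should validate the
    resource owner; pointing it at a chain holding only DataStore isolates a
    misbehaving LDAP module.  Values are assumed, not taken from a real deployment."""
    params = {"grant_type": "password", "username": username, "password": password}
    if auth_chain:
        params["auth_chain"] = auth_chain
    url = f"{base_url}/oauth2/access_token?realm={realm}"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode(params)


def classify_token_response(status: int, body: str) -> str:
    """Map a token endpoint reply to one of: ok, invalid_client, invalid_grant, other.

    invalid_client means the OAuth2 agent credentials were rejected; invalid_grant
    means the client was accepted but the resource owner's credentials were not."""
    try:
        payload = json.loads(body)
    except ValueError:
        return "other"
    if status == 200 and "access_token" in payload:
        return "ok"
    error = payload.get("error")
    if error in ("invalid_client", "invalid_grant"):
        return error
    return "other"


def diagnose(outcomes: dict) -> str:
    """Given {chain_name: outcome}, say where the failure most likely sits."""
    if any(o == "invalid_client" for o in outcomes.values()):
        return "client credentials rejected: fix the OAuth2 agent before testing chains"
    passing = sorted(c for c, o in outcomes.items() if o == "ok")
    failing = sorted(c for c, o in outcomes.items() if o == "invalid_grant")
    if passing and failing:
        return ("invalid_grant is specific to chain(s) " + ", ".join(failing)
                + ": inspect the modules in those chains")
    if passing and not failing:
        return "all chains authenticate the resource owner"
    return "every chain rejects the resource owner: check the user and identity store"


if __name__ == "__main__":
    url, headers, body = build_token_request(
        "https://openam.example.test:8443/openam", "/tech",
        "oauthAgent", "secret", "user", "pwd", auth_chain="ldapService")
    print(url, headers, body, sep="\n")
    # Constructed replies, standing in for two real calls made with different chains.
    replies = {
        "dataStoreOnly": (200, '{"access_token": "placeholder", "token_type": "Bearer"}'),
        "ldapService": (400, '{"error": "invalid_grant", "error_description": "..."}'),
    }
    print(diagnose({c: classify_token_response(s, b) for c, (s, b) in replies.items()}))
```

Run against a live server by issuing each built request with the HTTP client of your choice once per chain and feeding the status and body into classify_token_response; the comparison is what turns a bare invalid_grant into "this chain's LDAP module is the problem", which is exactly the narrowing the thread works toward.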

    #18112
     anta
    Participant

    I could log in to the OpenAM console directly to the realm with the DataStore module like this:

    http://openam.tech.aws.info:8080/openam/XUI/?realm=/tech#login&module=DataStore

    Then I access the page with my realm displayed, but I get a 403 error:

    {code: 403, reason: "Forbidden", message: "The user has insufficient privileges"}

    So I can see the page with the realm, but I can’t access it.

    #18113
     anta
    Participant

    Ok, I tried to increase the user privileges. It solves the 403 error, but I still have an invalid grant with the access token endpoint. Also, my ldapService chain only contains the LDAP module and no DataStore.

    #18117
     Scott Heger
    Participant

    Ok, so your ldapService chain was modified from the default. I usually leave that one alone and create other chains for my specific uses. So, we’re still trying to see if the issue is specific to your LDAP auth module. Can you temporarily change your ldapService chain back to have the DataStore module vs LDAP? Then try both logging in via the console and via OAuth. If that works, then you could try to delete and recreate your LDAP module, and add back to your ldapService (or preferably some other chain to keep ldapService at its default).

    #18196
     anta
    Participant

    So finally yes, it’s what I did. I created a chain just with the DataStore module and it’s working fine, so I think indeed it’s coming from my LDAP module. Thanks a lot for your precious help.

Viewing 10 posts - 16 through 25 (of 25 total)
