OAuth2 – no redirect after authorize request

Tagged: ,

This topic has 5 replies, 2 voices, and was last updated 7 years, 8 months ago by jl_0815.

  • Author
    Posts
  • #2835
     jl_0815
    Participant

    Hi,

    I’ve set up a OpenAM 12 cluster and tried to configure OAuth2.
    Now I try to authorize a OAuth2 client as follows.

    Step 1) https://externalname.example.com/openam/oauth2/authorize?response_type=code&client_id=MyClient&redirect_uri=https://externalname.example.com

    Step 2) get a login page and authenticate a test user
    Step 3) OpenAM shows a “You have been successfully loged in” message but does not redirect to the redirect_uri

    If I log in the test user first and call the same URL the redirect to the allow/deny page is working fine.

    Can anybody give me a hint what I forgot to configure please?

    Thanks in advance.

    JL

    #2838
     jl_0815
    Participant

    Hi again.

    I have some additional information.
    My setup uses an external OpenDJ for OpenAM configuration and the CTS.
    As user store I have to use an existing OpenLDAP server.

    I checked step 1 with HTTP live headers and see a GET to

    https://externalname.example.com/openam/json/users/mytestuser which returns a HTTP 404

    Then I tried to create a user in the OpenDJ. With this user I can login and if I try to GET the

    https://externalname.example.com/openam/json/users/myopendjtestuser it returns a json object with the user data.

    So I think there’s something wrong in my datastore setup?

    JL

    #2856
     Peter Major
    Moderator

    Most likely there is a discrepancy between the authentication module and the data store settings. Is “mytestuser” stored under the search attribute configured in the data store?

    #2866
     jl_0815
    Participant

    Hi Peter,

    thanks for your reply. I checked the OpenAM debug log and it seems that OpenAM does not use the OpenLDAP data store.
    In the debug log I only see entries for OpenDJ. If I check “Access Control >> Top Level Realm >> Subjects” in OpenAM I see all user objects from OpenLDAP including “mytestuser”.

    When I do the login with “mytestuser” I see the following exceptions
    “Unable to find entry with name: mytestuser under searchbase: ou=users,dc=example,dc=com with scope: sub”
    and
    “Unable to get members for identity user::mytestuser in any configured data store”.
    I really don’t know why I am getting the green “You have been successfully loged in” message in this case :o/

    “dc=example,dc=com” is the base DN in OpenDJ. In OpenLDAP the base DN is “o=example,c=com” and mytestuser is placed in “ou=users,o=example,c=com”.

    Hope this helps. If I can provide additional information, log files or configuration settings please let me know.

    Thank you!

    JL

    #2869
     Peter Major
    Moderator

    Could be then that you are accessing the authorize endpoint for the wrong realm? Or did you set up OpenLDAP and OpenDJ data stores within a single realm? If yes, why?

    #2933
     jl_0815
    Participant

    Hi Peter.

    Thank you for the hint with the two datastores within one realm. I have deleted the OpenDJ store in the “Access Control >> Top Level Realm” configuration and the OAuth2 workflow is working now.

    First I had a single server test setup and there was the embedded OpenDJ datastore besides the OpenLDAP and it was working. So I thought the OpenDJ have to be there.

    Thanks again!

    JL

Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?