OpenAM Google Oauth Authentication failure

This topic has 5 replies, 2 voices, and was last updated 1 week, 6 days ago by venky.t92.

    #28112
     venky.t92
    Participant

    Hello All,

    I am new to ForgeRock OpenAM and making baby steps to learn the product on my own by doing a PoC. I integrated Google OAuth 2.0 as an authentication module. When I try to test the authentication module, I am redirected to the Google authentication page and, after a successful login on the Google side, the page redirects to the OpenAM side with "Authentication Error". Thereafter the page stays on loading and nothing happens next.

    It would be helpful if I could get answers to the below:
    1. How do I set up logging to debug this kind of issue? I explored Configuration -> Logging and I get amSSO.access, Oauth2provider.access and Oauth2provider.error. These logs don't have relevant messages.
    2. What could be the issue? From the browser, I can see the error comes after it redirects to OpenAM.

    #28113
     venky.t92
    Participant

    Just to add: the same happens with Facebook OAuth too. I am redirected to FB for auth and, while redirecting back to OpenAM, I see "Authentication Error!!" and the page says loading and stays there forever.

    Note: I used Config Social Authentication -> Configure Facebook authentication and just input the app ID and secret. I didn't make any changes to the default configuration.

    #28120
     Jatinder Singh
    Participant

    In order to debug this, I suggest setting the debug level for OAuth2Provider to Message. You can do this by putting the /Debug.jsp endpoint in front of your AM context, e.g. https://am.example.com/am/Debug.jsp. You don't have to restart AM for this setting to take effect. The debug logs will be available in the debug folder of your AM config directory.

    Provided your redirect_uri is correct, authentication errors are also communicated in the redirect process via the error and error_description parameters. Do you see any error being returned by the Google or Facebook authorization servers?

    #28131
     venky.t92
    Participant

    Hi Jatinder, many thanks for your response. It really helped. I enabled the debug logs and I see the exception below for both Facebook and Google OAuth.

    javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    I am currently using a self-signed SSL certificate in my PoC environment. I also imported the self-signed certificate into java/bin/security/cacerts. I still get the above exception, and after this exception it throws "Authentication Error!!" both in the UI and in the logs. I understand this is something related to the self-signed certificate. It would really help if you could provide me your inputs on this exception (if you have faced this exception in any of your deployments).

    Once again Thank you for your time and response.

    Regards,
    Venky

    #28132
     Jatinder Singh
    Participant

    It's a trust issue. Did you restart your container after loading that cert? And are you able to access the AM console through your browser?

    #28139
     venky.t92
    Participant

    Hi Jatinder, yes, I tried restarting the container as well as the server where I have installed OpenAM. Still, I get the same error. I am able to access the console through the browser without any SSL/TLS errors on the HTTPS port.

    Exception
    javax.security.auth.login.LoginException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    I also noticed the SessionID error below in the logs.

    Could not get SSOToken from context
    com.iplanet.sso.SSOException: SessionID is empty

    Thank you for your time and response.
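The PKIX failure quoted in this thread is raised on the AM JVM's outbound TLS connection to the OAuth provider, not on the browser's connection to AM, so a working HTTPS console says nothing about that path. The following is an added example (not code from the thread or from ForgeRock) that loads a truststore and performs a TLS handshake with a host through it, printing which store the JVM would actually validate against; the truststore path, the password "changeit" and the host accounts.google.com are assumptions to be replaced with your own values.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreCheck {

    // Attempt a TLS handshake with host:port trusting only the CAs in trustStorePath.
    // Returns null on success, otherwise the exception text (e.g. "PKIX path building failed").
    static String handshakeWith(String trustStorePath, char[] password, String host, int port) {
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            // The default keystore type reads both JKS and PKCS12 stores on JDK 9 and later.
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
                SSLParameters p = s.getSSLParameters();
                // Verify the hostname as well, as HttpsURLConnection would.
                p.setEndpointIdentificationAlgorithm("HTTPS");
                s.setSSLParameters(p);
                s.startHandshake();
                return null;
            }
        } catch (Exception e) {
            return e.toString();
        }
    }

    public static void main(String[] args) {
        // Assumed defaults: the store the JVM itself would use (the javax.net.ssl.trustStore
        // override if set, else the JDK's own cacerts), password "changeit", Google's auth host.
        String store = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        String host = args.length > 0 ? args[0] : "accounts.google.com";
        System.out.println("truststore in use: " + store);
        String result = handshakeWith(store, pw.toCharArray(), host, 443);
        System.out.println(host + ": " + (result == null ? "chain validated" : "FAILED: " + result));
    }
}
```

Run it with the same java binary and the same -Djavax.net.ssl.trustStore* options the AM container starts with; if it fails for a publicly trusted host, the store that JVM validates against is missing the public CAs (or an intercepting proxy in the path is presenting a certificate that store does not trust), and the file you imported the self-signed certificate into may not be the one in use.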
