OpenIG 4.0 Relying party client failing

This topic has 6 replies, 2 voices, and was last updated 4 years, 5 months ago by Nav.

    #21133
     Nav
    Participant

    Hello All,

    I am trying to configure OpenIG exactly as described in the documentation link below, including the routing JSON file configuration:
    https://backstage.forgerock.com/docs/openig/4/gateway-guide/index.html#chap-oauth2-client

    When I am testing the URL http://openig.example.com:8080/openid, it redirects to OpenAM for authentication, requests consent on successful authentication and finally FAILS at the callback URL, and I see the exception below in the OpenIG logs.

    GET http://openig.example.com:8080/openid/callback?code=a4573fd4-1fca-3320-984b-f447c798fbaf&scope=openid%20profile&state=mk6l2u96wzmkyjio1c4ryjo38o4ywgb:http://openig.example.com:8080/openid HTTP/1.1
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    accept-encoding: gzip, deflate
    accept-language: en-US;q=1,en;q=0.9
    cache-control: max-age=0
    connection: keep-alive
    cookie: NID=120=n41y8uLbaVhAQM5H97G-x-v8X1lQaq5Dy1fO05Ffs6OAfEGVSuic7vFuRtDFIhnHYg9RztffsdfREZVvLfKid2bItBVFxN-NKDZ8SriZ9xDRfNCzn3CoRXOFSQSotNWR_Uh; amlbcookie=01; JSESSIONID=C9F2D139FB3ffsC4D8DC12D60BA881E669; iPlanetDirectoryPro=AQIC5wM2LY4Sfsdffcwuh5tmfm_j1xtqe8Jfq2dfDfrhgqWEPiA.*AAJTSQACMDEAAlNfsdLAMDIwNTU0ODM3OTQyODQyNDYzAAJTMQAA*
    host: openig.example.com:8080
    referer: http://openam.example.com:8080/openam/oauth2/authorize?response_type=code&client_id=OpenIG&redirect_uri=http%3A%2F%2Fopenig.example.com%3A8080%2Fopenid%2Fcallback&scope=openid%20profile&state=mkmldu96wzmkyjio1c4ryjo38o4ywgb%3Ahttp%3A%2F%2Fopenig.example.com%3A8080%2Fopenid
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

    ——————————
    THU MAR 08 06:53:18 UTC 2018 (WARNING) ClientHandler
    null
    [ SocketTimeoutException] > null

    java.net.SocketTimeoutException
    at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.timeout(HttpAsyncRequestExecutor.java:351)
    at org.apache.http.impl.nio.client.InternalIODispatch.onTimeout(InternalIODispatch.java:92)
    at org.apache.http.impl.nio.client.InternalIODispatch.onTimeout(InternalIODispatch.java:39)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.timeout(AbstractIODispatch.java:177)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.sessionTimedOut(BaseIOReactor.java:265)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.timeoutCheck(AbstractIOReactor.java:494)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.validate(BaseIOReactor.java:215)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:282)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590)
    at java.lang.Thread.run(Thread.java:748)
    ——————————
    THU MAR 08 06:53:18 UTC 2018 (WARNING) {OAuth2ClientFilter}/handler/config/filters/0
    error="server_error", error_description="Unable to exchange access token [status=502]"
    ——————————
    THU MAR 08 06:53:18 UTC 2018 (INFO) @Capture[{Router}/handler]

    <— (response) id:d4nd8d738-5b55-44b6-80d5-25abmkmdf2ce5-48 —

    Can someone help me point out where I am going wrong?

    • This topic was modified 4 years, 5 months ago by Nav.
    #21135
     Joachim Andres
    Participant

    Hi Nav,

    Please check the corresponding AM debug logs (set them to level “message”) – you’ll likely find more information there.

    I ran into a similar situation recently – with AM 5.5 and IG 5.5 however. For what it’s worth – what helped me resolve it is the paragraph “Server Error When OAuth 2.0 or OpenID Connect Clients Request Access Tokens” in the AM 5.5 release notes:
    https://backstage.forgerock.com/docs/am/5.5/release-notes/#limitations

    Cheers,
    Joachim

    #21136
     Nav
    Participant

    Thanks for the help Joachim. I was able to find something in the logs after I enabled them in message mode. It seems like OpenAM failed while performing an LDAP operation related to CTS.

    OAuth2Provider:03/08/2018 07:58:25:138 AM UTC: Thread[http-bio-8080-exec-5,5,main]: TransactionId[918005d7-a3e1-46fb-8c31-68a7361dd927-165]
    DefaultOAuthTokenStoreImpl::Creating Authorization code
    OAuth2Provider:03/08/2018 07:58:25:437 AM UTC: Thread[http-bio-8080-exec-6,5,main]: TransactionId[918005d7-a3e1-46fb-8c31-68a7361dd927-169]
    Reading Authorization code: 33a09555-80c2-48e3-babf-392f247e8088
    OAuth2Provider:03/08/2018 07:58:35:533 AM UTC: Thread[http-bio-8080-exec-6,5,main]: TransactionId[918005d7-a3e1-46fb-8c31-68a7361dd927-169]
    ERROR: DefaultOAuthTokenStoreImpl::Unable to update authorization code {scope=[openid, profile], realm=/, token_type=Bearer, expires_in=109}
    org.forgerock.openam.cts.exceptions.CoreTokenException:
    CTS:
    CTS: Operation failed:
    Result Code: Client-Side Timeout
    Diagnostic Message: The request has failed because no response was received from the server within the 10000 ms timeout
    Matched DN:
    at org.forgerock.openam.cts.impl.queue.AsyncResultHandler.getResults(AsyncResultHandler.java:103)
    at org.forgerock.openam.cts.monitoring.impl.queue.TokenMonitoringResultHandler.getResults(TokenMonitoringResultHandler.java:50)
    at org.forgerock.openam.cts.monitoring.impl.queue.TokenMonitoringResultHandler.getResults(TokenMonitoringResultHandler.java:27)
    at org.forgerock.openam.cts.CTSPersistentStoreImpl.update(CTSPersistentStoreImpl.java:97)
    at org.forgerock.openam.oauth2.OAuthTokenStore.update(OAuthTokenStore.java:107)
    at org.forgerock.openam.oauth2.OpenAMTokenStore.updateAuthorizationCode(OpenAMTokenStore.java:631)
    at org.forgerock.oauth2.core.AuthorizationCodeGrantTypeHandler.handle(AuthorizationCodeGrantTypeHandler.java:149)
    …………….
    ……………
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
    Caused by: org.forgerock.openam.sm.datalayer.api.LdapOperationFailedException:
    CTS: Operation failed:
    Result Code: Client-Side Timeout
    Diagnostic Message: The request has failed because no response was received from the server within the 10000 ms timeout
    Matched DN:
    at org.forgerock.openam.cts.impl.LdapAdapter.update(LdapAdapter.java:137)
    at org.forgerock.openam.cts.impl.LdapAdapter.update(LdapAdapter.java:54)
    …………….
    ……………
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    … 1 more

    OAuth2Provider:03/08/2018 07:58:35:540 AM UTC: Thread[http-bio-8080-exec-6,5,main]: TransactionId[918005d7-a3e1-46fb-8c31-68a7361dd927-169]
    WARNING: Unhandled exception: Internal error (500) – Could not update token in CTS
    Internal error (500) – Could not update token in CTS
    at org.forgerock.openam.oauth2.OpenAMTokenStore.updateAuthorizationCode(OpenAMTokenStore.java:643)
    at org.forgerock.oauth2.core.AuthorizationCodeGrantTypeHandler.handle(AuthorizationCodeGrantTypeHandler.java:149)
    at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:82)
    at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:92)
    at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointReso
    ………………..
    ………………..
    ERROR: Unable to read refresh token corresponding to id: T3BlbklHOnBhc3N3b3Jk

    I believe I skipped the section for configuring CTS (https://backstage.forgerock.com/docs/openam/13/install-guide/index.html#chap-cts) during initial setup. As this is a single site, I thought I could skip this CTS section. Is it really necessary for an OpenAM instance running only one node pointed to one instance of OpenDJ LDAP?

    Thanks,
    Nav

    #21153
     Joachim Andres
    Participant

    Hi Nav,

    You should not need to set up anything specific on AM other than the OAuth2 Service. The embedded DJ is set up for CTS purposes, but you have to prepare DJ if you are using an external CTS. Can you check with another LDAP client if OpenDJ responds properly and AM can effectively talk to DJ?

    Cheers,
    Joachim

    #21157
     Nav
    Participant

    Thanks, Joachim. I tried to connect to my LDAP using the ldapsearch utilities in OpenDJ and was able to connect successfully without any issues. I also observed that token entries are created in the OUs below, directly under the base DN in my external OpenDJ.

    ou=tokens,dc=example,dc=com
    ou=openam-session,ou=tokens,dc=example,dc=com
    ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com

    I tried running the indexing commands to make sure performance is not a concern, even though it has just one user in LDAP. Still didn’t help and I keep getting the exception below. I also made sure all the ports are open, especially 1389 (LDAP) and 4444 (admin port).

    ERROR: DefaultOAuthTokenStoreImpl::Unable to update authorization code {scope=[openid, profile], realm=/, token_type=Bearer, expires_in=101}
    org.forgerock.openam.cts.exceptions.CoreTokenException:
    CTS:
    CTS: Operation failed:
    Result Code: Client-Side Timeout
    Diagnostic Message: The request has failed because no response was received from the server within the 10000 ms timeout
    Matched DN:
    at org.forgerock.openam.cts.impl.queue.AsyncResultHandler.getResults(AsyncResultHandler.java:103)
    at org.forgerock.openam.cts.monitoring.impl.queue.TokenMonitoringResultHandler.getResults(TokenMonitoringResultHandler.java:50)
    at org.forgerock.openam.cts.monitoring.impl.queue.TokenMonitoringResultHandler.getResults(TokenMonitoringResultHandler.java:27)
    at org.forgerock.openam.cts.CTSPersistentStoreImpl.update(CTSPersistentStoreImpl.java:97)
    ………………………………………………
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
    Caused by: org.forgerock.openam.sm.datalayer.api.LdapOperationFailedException:
    CTS: Operation failed:
    Result Code: Client-Side Timeout
    Diagnostic Message: The request has failed because no response was received from the server within the 10000 ms timeout
    Matched DN:
    at org.forgerock.openam.cts.impl.LdapAdapter.update(LdapAdapter.java:137)

    Is there anything else that I may be still missing?

    Thanks,
    Nav

    #21167
     Joachim Andres
    Participant

    Have you checked the DJ logs directly? You should check if the operation request was received by DJ and what exact operation DJ is trying to execute (and which takes longer than 10000 ms).

    #21172
     Nav
    Participant

    Hi Joachim,

    This seems like a network issue, because I restarted all components including OpenAM, OpenIG, and OpenDJ and still keep getting the error.

    Then I just tried to refresh the URL below, where it had stopped and thrown the socket timeout, and it finally redirected me to the backend application, where I am printing all custom headers set by the OpenIG StaticRequestFilter by extracting user info from the “attributes.openid.user_info.**” attributes. Below are the tags set in the OpenIG route config:

    "filters": [
        {
            "type": "StaticRequestFilter",
            "config": {
                "method": "POST",
                "uri": "http://backednapp.example.com/headers.jsp",
                "headers": {
                    "access_token": [
                        "${attributes.openid.access_token}"
                    ],
                    "id_token": [
                        "${attributes.openid.id_token}"
                    ],
                    "name": [
                        "${attributes.openid.user_info.name}"
                    ]
                }
            }
        }
    ]

    Thanks,
    Nav
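The route fragment in this post forwards the access token and the ID token as request headers to a backend addressed with a plain http:// URI, so both bearer credentials would cross the network to the backend in cleartext. As an added example (not part of this thread and not ForgeRock tooling), the Python check below loads an OpenIG route document, walks it for StaticRequestFilter entries, and reports any that would send OpenID token expressions to a non-https backend. The embedded route is a constructed completion of the fragment quoted above; the surrounding Chain handler wrapping is an assumption about how the route was laid out.

```python
import json
from urllib.parse import urlsplit

# Constructed route document: the StaticRequestFilter fragment from this thread, completed and
# wrapped in an assumed Chain handler so that it parses as a whole route.
ROUTE_JSON = """
{
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "StaticRequestFilter",
          "config": {
            "method": "POST",
            "uri": "http://backednapp.example.com/headers.jsp",
            "headers": {
              "access_token": ["${attributes.openid.access_token}"],
              "id_token": ["${attributes.openid.id_token}"],
              "name": ["${attributes.openid.user_info.name}"]
            }
          }
        }
      ],
      "handler": "ClientHandler"
    }
  }
}
"""

# Expressions that expand to bearer credentials issued by the OAuth2ClientFilter.
TOKEN_EXPRESSIONS = ("${attributes.openid.access_token}", "${attributes.openid.id_token}")


def find_filters(node, type_name):
    """Recursively collect every object whose "type" matches, wherever it sits in the route tree."""
    found = []
    if isinstance(node, dict):
        if node.get("type") == type_name:
            found.append(node)
        for value in node.values():
            found.extend(find_filters(value, type_name))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_filters(item, type_name))
    return found


def audit_route(route_text):
    """Return findings for StaticRequestFilters that carry token headers to a non-https URI."""
    findings = []
    for flt in find_filters(json.loads(route_text), "StaticRequestFilter"):
        cfg = flt.get("config", {})
        uri = cfg.get("uri", "")
        token_headers = []
        for name, values in cfg.get("headers", {}).items():
            values = values if isinstance(values, list) else [values]
            if any(v in TOKEN_EXPRESSIONS for v in values):
                token_headers.append(name)
        if token_headers and urlsplit(uri).scheme.lower() != "https":
            findings.append({"uri": uri, "headers": sorted(token_headers)})
    return findings


if __name__ == "__main__":
    for f in audit_route(ROUTE_JSON):
        print(f"token header(s) {f['headers']} sent over cleartext to {f['uri']}")
```

The check is silent once the backend URI uses https, and it deliberately ignores headers such as the user's name that carry no credential; extend TOKEN_EXPRESSIONS if a route exposes other secret-bearing attributes.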
