Problem getting UMA 2.0 RPT in AM 6


This topic has 3 replies, 2 voices, and was last updated 4 years, 2 months ago by jotellier.

    #22589 jotellier (Participant)

    Hello,

    I’m trying to set up a demo UMA 2.0 configuration in AM 6. I’m following this procedure:

    https://backstage.forgerock.com/docs/am/6/uma-guide/#chap-uma-implementation

    Everything works until I’m trying to get the RPT

    https://backstage.forgerock.com/docs/am/6/uma-guide/#obtain-rpt

    I’m getting the following error:

    {"error_description":"The provided access grant is invalid, expired, or revoked.","error":"invalid_grant"}

    The doc mentions that this error can happen when the UMA permission ticket is expired. I’ve made it expire after 36000 seconds instead of the default 120 seconds, so that’s not the cause of my issue.

    When looking at AM access.audit.json logs, I see the following error:

    {"realm":"/","transactionId":"7bd60c7f-fb1a-467e-9b57-21c24b50801c-30011","userId":"id=UmaClient,ou=agent,dc=openam,dc=forgerock,dc=org","timestamp":"2018-07-23T15:25:45.152Z","eventName":"AM-ACCESS-OUTCOME","component":"OAuth","response":{"status":"FAILED","statusCode":"400","elapsedTime":31,"elapsedTimeUnits":"MILLISECONDS","detail":{"reason":"The request could not be understood by the server due to malformed syntax"}},"client":{"ip":"192.168.56.1","port":50204},"server":{"ip":"192.168.56.101","port":8080},"http":{"request":{"secure":false,"method":"POST","path":"http://am.jtellier.com:8080/openam/oauth2/access_token","queryParameters":{},"headers":{"accept":["*/*"],"expect":["100-continue"],"host":["am.jtellier.com:8080"],"user-agent":["curl/7.54.0"]},"cookies":{}}},"trackingIds":["7bd60c7f-fb1a-467e-9b57-21c24b50801c-30012"],"_id":"7bd60c7f-fb1a-467e-9b57-21c24b50801c-30024"}

    The error talks about malformed syntax, but my curl command has the same format as the one that's given as an example. Here's the curl command that I'm using:

    curl -X POST \
      --header 'authorization: Basic VW1hQ2xpZW50OlBhc3N3b3JkMQ==' \
      --header 'cache-control: no-cache' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
      --data 'ticket=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJodHRwOi8vYW0uanRlbGxpZXIuY29tOjgwODAvb3BlbmFtL29hdXRoMiIsImlzcyI6Imh0dHA6Ly9hbS5qdGVsbGllci5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwiaXQiOjAsImV4cCI6MTUzMjM5NDUxNywidGlkIjoiYTM5Y2U5ZjItYWFlZi00Nzg2LWEwNTEtMGRlYmQ4MjdiNWUwMCIsImZvcmdlcm9jayI6eyJzaWciOiI5TGY2YjxoZls8KXtLZ301I05UajFTQFBbKk5TK2lGODZCQURISitjIn19.w2oQbYDJiMcYcRrXTbF6yDG7bw0M_exkP1y5U3_rfhE' \
      --data 'scope=download' \
      --data 'claim_token=eyJ0eXAiOiJKV1QiLCJraWQiOiI0aUNLRkIwUlhJeHl0b3IxcjNUb0JkUmlldnM9IiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiVjBRaUNPLU9ubVZqVDFsUHRDSzFRZyIsInN1YiI6ImJvYiIsImF1ZGl0VHJhY2tpbmdJZCI6IjdiZDYwYzdmLWZiMWEtNDY3ZS05YjU3LTIxYzI0YjUwODAxYy0yMzU5MiIsImlzcyI6Imh0dHA6Ly9hbS5qdGVsbGllci5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwidG9rZW5OYW1lIjoiaWRfdG9rZW4iLCJhdWQiOiJVbWFDbGllbnQiLCJhenAiOiJVbWFDbGllbnQiLCJhdXRoX3RpbWUiOjE1MzIzNTg1NjksInJlYWxtIjoiLyIsImV4cCI6MTUzMjM2MjE2OSwidG9rZW5UeXBlIjoiSldUVG9rZW4iLCJpYXQiOjE1MzIzNTg1Njl9.E-Ql1h9AUHu0ZOG1IsKHM707cp2bL0swJ8SfPTAiIe52FxsUnPBrBDoDZS2C4Bw6zkkuC_Gcl6Rh3wBQ7LwDc9OPYeUzx88lpEzDFhFQmNVIZsVNfbu1DU97wJ-q0yawNaHoXcDtPLhiECJ2hJw1cPz2HO08_IdlpYYBLGwG5JgyTtkvlBK34tMAqBp4Lz76ichcnl7DQUXHKYfYR5_orSaTIGbARwZgdTfdRfD1NEc86v_aVhVhryLb4WYNsA_yhOAqk_Z7yfEMUtSZFScUyWUWGRJIUIsjmXmxd2su9weO3lAsvk_DM-E9jbPfvq_G0ormxzq0CYlHo0FLrhYJgg' \
      --data 'claim_token_format=http://openid.net/specs/openid-connect-core-1_0.html#IDToken' \
      http://<am host>:8080/openam/oauth2/access_token

    Do you have any ideas about what could be causing the “malformed syntax” error I’m seeing?

    Thanks.
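An added diagnostic for the uma-ticket grant request in the post above (this is example code written for this page, not the poster's command and not ForgeRock code). It decodes the permission ticket and the ID token used as claim_token without verifying their signatures, so it is only for inspecting claims, and it checks the things a practitioner would compare before looking elsewhere: that both tokens are unexpired at the moment the access.audit.json record shows the request arriving, that the ticket's iss and aud match the AM OAuth2 base URL, and that the ID token's aud matches the client_id carried in the Basic authorization header. It also builds the POST body with urllib's urlencode, which percent-encodes the ':' and '#' characters that curl's --data (unlike --data-urlencode) sends raw. The two tokens, the Basic header and the audit timestamp are copied from the post; the AM base URL is the value the tokens themselves carry in iss and aud.

```python
"""Offline claim checks for the UMA 2.0 uma-ticket grant request from the post.

Added example, not ForgeRock code. Signatures are NOT verified here: this is
for reading claims while troubleshooting, never for accepting a token.
"""
import base64
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

# Copied from the curl command and the access.audit.json record in the post.
AM_OAUTH2_BASE = "http://am.jtellier.com:8080/openam/oauth2"  # iss/aud inside the tokens
BASIC_AUTH = "VW1hQ2xpZW50OlBhc3N3b3JkMQ=="                  # the 'authorization: Basic' value
TICKET = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJodHRwOi8vYW0uanRlbGxpZXIuY29tOjgwODAvb3BlbmFtL29hdXRoMiIsImlzcyI6Imh0dHA6Ly9hbS5qdGVsbGllci5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwiaXQiOjAsImV4cCI6MTUzMjM5NDUxNywidGlkIjoiYTM5Y2U5ZjItYWFlZi00Nzg2LWEwNTEtMGRlYmQ4MjdiNWUwMCIsImZvcmdlcm9jayI6eyJzaWciOiI5TGY2YjxoZls8KXtLZ301I05UajFTQFBbKk5TK2lGODZCQURISitjIn19.w2oQbYDJiMcYcRrXTbF6yDG7bw0M_exkP1y5U3_rfhE"
CLAIM_TOKEN = "eyJ0eXAiOiJKV1QiLCJraWQiOiI0aUNLRkIwUlhJeHl0b3IxcjNUb0JkUmlldnM9IiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiVjBRaUNPLU9ubVZqVDFsUHRDSzFRZyIsInN1YiI6ImJvYiIsImF1ZGl0VHJhY2tpbmdJZCI6IjdiZDYwYzdmLWZiMWEtNDY3ZS05YjU3LTIxYzI0YjUwODAxYy0yMzU5MiIsImlzcyI6Imh0dHA6Ly9hbS5qdGVsbGllci5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwidG9rZW5OYW1lIjoiaWRfdG9rZW4iLCJhdWQiOiJVbWFDbGllbnQiLCJhenAiOiJVbWFDbGllbnQiLCJhdXRoX3RpbWUiOjE1MzIzNTg1NjksInJlYWxtIjoiLyIsImV4cCI6MTUzMjM2MjE2OSwidG9rZW5UeXBlIjoiSldUVG9rZW4iLCJpYXQiOjE1MzIzNTg1Njl9.E-Ql1h9AUHu0ZOG1IsKHM707cp2bL0swJ8SfPTAiIe52FxsUnPBrBDoDZS2C4Bw6zkkuC_Gcl6Rh3wBQ7LwDc9OPYeUzx88lpEzDFhFQmNVIZsVNfbu1DU97wJ-q0yawNaHoXcDtPLhiECJ2hJw1cPz2HO08_IdlpYYBLGwG5JgyTtkvlBK34tMAqBp4Lz76ichcnl7DQUXHKYfYR5_orSaTIGbARwZgdTfdRfD1NEc86v_aVhVhryLb4WYNsA_yhOAqk_Z7yfEMUtSZFScUyWUWGRJIUIsjmXmxd2su9weO3lAsvk_DM-E9jbPfvq_G0ormxzq0CYlHo0FLrhYJgg"
AUDIT_TIMESTAMP = "2018-07-23T15:25:45.152Z"                  # when AM logged the failed request
CLAIM_TOKEN_FORMAT = "http://openid.net/specs/openid-connect-core-1_0.html#IDToken"


def b64url_decode(segment):
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS. The signature part is ignored."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def client_id_from_basic(header_value):
    """The client_id is the user part of the Basic credentials (RFC 6749, 2.3.1)."""
    user, _sep, _secret = base64.b64decode(header_value).decode().partition(":")
    return user


def audit_epoch(timestamp):
    """AM audit timestamps are UTC with millisecond precision; return epoch seconds."""
    dt = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def check_rpt_request(ticket, claim_token, basic_auth, am_base, request_time):
    """Claim-level sanity checks on a uma-ticket grant request, as name -> bool."""
    _, t = decode_jwt_unverified(ticket)
    ch, c = decode_jwt_unverified(claim_token)
    client_id = client_id_from_basic(basic_auth)
    return {
        "ticket_not_expired": t["exp"] > request_time,
        "ticket_issued_by_this_am": t["iss"] == am_base,
        "ticket_audience_is_this_am": t["aud"] == am_base,
        "claim_token_is_id_token": c.get("tokenName") == "id_token",
        "claim_token_not_expired": c["exp"] > request_time,
        "claim_token_issued_by_this_am": c["iss"] == am_base,
        "claim_token_audience_is_client": c["aud"] == client_id,
        "claim_token_alg_rs256": ch.get("alg") == "RS256",
    }


def form_body(ticket, claim_token, scope="download"):
    """POST body for /oauth2/access_token, percent-encoded as
    application/x-www-form-urlencoded requires. curl's --data joins its
    arguments with '&' but leaves ':' and '#' raw; --data-urlencode encodes them."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "ticket": ticket,
        "scope": scope,
        "claim_token": claim_token,
        "claim_token_format": CLAIM_TOKEN_FORMAT,
    })


if __name__ == "__main__":
    when = audit_epoch(AUDIT_TIMESTAMP)
    for name, tok in (("ticket", TICKET), ("claim_token", CLAIM_TOKEN)):
        exp = decode_jwt_unverified(tok)[1]["exp"]
        state = "valid" if exp > when else "EXPIRED"
        print(f"{name}: exp={exp} ({datetime.fromtimestamp(exp, timezone.utc):%Y-%m-%dT%H:%M:%SZ}), {state} at request time")
    for name, ok in check_rpt_request(TICKET, CLAIM_TOKEN, BASIC_AUTH, AM_OAUTH2_BASE, when).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
    print("encoded body begins:", form_body(TICKET, CLAIM_TOKEN)[:72])
```

Run against the values from the post, every check passes: the ticket expires at 2018-07-24T01:08:37Z and the ID token at 2018-07-23T16:09:29Z, both after the 15:25:45Z audit record, which agrees with the poster's observation that ticket expiry is not the cause. The remaining difference between what this script sends and what the curl command sends is the encoding of the form body, which is worth ruling out with --data-urlencode before looking elsewhere.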

    #22593

    Hi,

    Does this happen consistently on every request, or sporadically?

    Cheers
    James

    #22595 jotellier (Participant)

    Hi,

    It’s consistent.

    I’ve also tried to setup IG as a UMA Resource Server, as described here:

    https://backstage.forgerock.com/docs/ig/6.1/gateway-guide/#chap-uma

    I’ve got the same behavior when IG tries to get the RPT.

    Thanks.

    #22645 jotellier (Participant)

    FYI, I’ve updated AM from 6.0.0.2 to 6.0.0.3 and I’ve still got the same problem.


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
