STS “Non-200 response from posting principal from session request”

This topic has 0 replies, 1 voice, and was last updated 3 years, 7 months ago by triton_oidc.

#25721 triton_oidc (Participant)

    Hi,

    I use AM 6.5.1
    I’ve spent a few hours on this issue, and I don’t know where to look anymore.
    I’m trying to exchange an AM token for an OIDC one,
    as the first step to later being able to exchange an OIDC token for another one.

    I followed this article
    https://backstage.forgerock.com/knowledge/kb/article/a94467017

    I replaced some $ with [dollar]; otherwise I got an error message from “Sucuri Website Firewall”.

    forgerock_token=[dollar](curl -X POST -H "X-OpenAM-Username: user0005" -H "X-OpenAM-Password: user0005" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" [dollar]get_token_url | cut -d '"' -f4)

    With this i got the token

    exchange_url="https://myserver:9443/AM/rest-sts/05/sts?_action=translate"
    curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{ 
         "input_token_state": { "token_type": "OPENAM", "session_id": "[dollar]forgerock_token"},
         "output_token_state": { "token_type": "OPENIDCONNECT", "nonce": "12345678", "allow_access": true } 
    }' [dollar]exchange_url

    but this command returns:
    {"code":500,"reason":"Internal Server Error","message":"Exception caught making principal from session invocation: org.forgerock.openam.sts.TokenValidationException: Non-200 response from posting principal from session request: {"code":401,"reason":"Unauthorized","message":"Access Denied"}"}

    I put the server in debug mode, and in the Session log I see three consecutive Java errors:

    1)

    Could not get SSOToken from context
    com.iplanet.sso.SSOException: SessionID is empty

    2)

    Could not get SSOToken from context
    com.iplanet.sso.SSOException: SessionID is empty

    3)

    ERROR: Exception caught in translateToken call: org.forgerock.openam.sts.TokenValidationException: Exception caught making principal from session invocation: org.forgerock.openam.sts.TokenValidationException: Non-200 response from posting principal from session request: {"code":401,"reason":"Unauthorized","message":"Access Denied"}
    
    org.forgerock.openam.sts.TokenValidationException: Exception caught making principal from session invocation: org.forgerock.openam.sts.TokenValidationException: Non-200 response from posting principal from session request: {"code":401,"reason":"Unauthorized","message":"Access Denied"}

    It seems it’s this piece of code from the old open-source version:
    https://github.com/OpenRock/OpenAM/blob/master/openam-sts/openam-common-sts/src/main/java/org/forgerock/openam/sts/token/validator/PrincipalFromSessionImpl.java#L104

    However, I don’t know what kind of HttpURLConnection it is; I don’t see it in any debug file.

    I saw this in the IdRepo log file:
    RealmsCache.lookup: orgIdentifier users found in unknown org lookup cache.

    For information, here is my STS conf:

    cd /opt/forgerock/ ; echo "PWD" > /tmp/passwd ; chmod 400 /tmp/passwd ; /opt/forgerock/AM/bin/ssoadm get-sub-cfg -s RestSecurityTokenService -e "05" -g "05/sts" -u amadmin -f /tmp/passwd | grep -v "=$"
    
    oidc-signature-key-alias=rsajwtsigningkey
    saml2-encrypt-attributes=false
    deployment-realm=/05
    oidc-keystore-password=PWD
    oidc-keystore-location=/opt/tomcat/AM/AM/keystore.jceks
    saml2-sign-assertion=false
    saml2-encrypt-assertion=false
    oidc-signature-key-password=changeit
    saml2-sp-entity-id=fake
    persist-issued-tokens-in-cts=false
    oidc-token-lifetime-seconds=600
    saml2-token-lifetime-seconds=600
    saml2-name-id-format=urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified
    oidc-public-key-reference-type=NONE
    saml2-encryption-algorithm-strength=0
    oidc-signature-algorithm=RS256
    supported-token-transforms=OPENIDCONNECT|OPENIDCONNECT|true
    supported-token-transforms=X509|OPENIDCONNECT|true
    supported-token-transforms=OPENAM|OPENIDCONNECT|false
    supported-token-transforms=USERNAME|OPENIDCONNECT|true
    saml2-encrypt-nameid=false
    issuer-name=amAdmin
    deployment-url-element=sts
    oidc-issuer=https://myurl/AM/oauth2/05
    deployment-auth-target-mappings=X509|module|cert_module|x509_token_auth_target_header_key=client_cert
    deployment-auth-target-mappings=USERNAME|service|ldapService
    deployment-auth-target-mappings=OPENIDCONNECT|module|oidc|oidc_id_token_auth_target_header_key=oidc_id_token
    oidc-audience=ninja_audience

    Edit: I tried setting all the parameters in Identities / Groups / All Authenticated Identities to true.
    Same result.

    A small hint I had was that maybe this HTTP call does not use the proxy I set, but if so, why the 401?
    If anyone has a hint to help me, please share.
    I can show more specific logs / configuration if needed (I didn’t include all the Java errors, it was quite verbose).

    Thanks

    PS: my first post was deleted, maybe by a bot because I did too much editing; if it was done manually, please send me a message.

    Amaury

    • This topic was modified 3 years, 6 months ago by triton_oidc.
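As an added illustration (not code from the post, the KB article or ForgeRock), the helpers below parse the ssoadm key=value dump shown above, check whether a given input/output pair is listed under supported-token-transforms, build the same translate request body the post sends, and pull the inner HTTP status out of the STS error body. The sample dump and error string are constructed from the post's own values, so it runs offline; the third field of supported-token-transforms is assumed to be the invalidate-interim-session flag.

```python
import json
import re

# Constructed sample: a subset of the ssoadm get-sub-cfg lines from the post.
SSOADM_DUMP = """\
supported-token-transforms=OPENIDCONNECT|OPENIDCONNECT|true
supported-token-transforms=X509|OPENIDCONNECT|true
supported-token-transforms=OPENAM|OPENIDCONNECT|false
supported-token-transforms=USERNAME|OPENIDCONNECT|true
deployment-auth-target-mappings=USERNAME|service|ldapService
"""

# Constructed sample: the STS error body quoted in the post. The inner JSON is
# embedded unescaped, so the whole string is NOT parseable with json.loads().
STS_ERROR = ('{"code":500,"reason":"Internal Server Error","message":"Exception '
             'caught making principal from session invocation: '
             'org.forgerock.openam.sts.TokenValidationException: Non-200 response '
             'from posting principal from session request: '
             '{"code":401,"reason":"Unauthorized","message":"Access Denied"}"}')

def parse_ssoadm(dump):
    """Parse ssoadm key=value output into {key: [values]}; keys may repeat."""
    cfg = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg.setdefault(key.strip(), []).append(value.strip())
    return cfg

def transform_enabled(cfg, input_type, output_type):
    """Return the transform's third field (assumed: invalidate interim session)
    as a bool, or None if input->output is not configured at all."""
    for entry in cfg.get("supported-token-transforms", []):
        parts = entry.split("|")
        if len(parts) == 3 and parts[0] == input_type and parts[1] == output_type:
            return parts[2].lower() == "true"
    return None

def translate_request(session_id, nonce, allow_access=True):
    """Build the JSON body for rest-sts ...?_action=translate (OPENAM -> OIDC)."""
    return json.dumps({
        "input_token_state": {"token_type": "OPENAM", "session_id": session_id},
        "output_token_state": {"token_type": "OPENIDCONNECT", "nonce": nonce,
                               "allow_access": allow_access},
    })

def nested_status(error_body):
    """Return the innermost {"code":N} in an STS error body, via regex because
    the unescaped inner object makes the outer body invalid JSON."""
    codes = re.findall(r'\{"code":(\d+)', error_body)
    return int(codes[-1]) if codes else None
```

For the post's configuration, the OPENAM to OPENIDCONNECT transform is present with the flag set to false, and the error body's innermost status is the 401 from the principal-from-session call.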