Problem configuring OpenAM 11 for OpenID Connect


Problem configuring OpenAM 11 for OpenID Connect

BAUCHE, VALERIE
Hello

I tried configuring a first simple OpenAM (11.0.0) for testing purposes with OpenID Connect:
Configure an OAuth provider with default settings
Configure an OAuth client
Everything works fine and I’m able to test with the OpenID Connect Implicit mode.

Then, I set the same configuration on a “production” server, still with OpenAM 11. The main difference with the testing one is the use of HTTPS and a site configuration with a load balancer.
For this one, it is impossible to make OpenID Connect work… I always get the error message: ERROR: The authorization server can not authorize the resource owner.
Nothing else in the log files, even with debug.

Is there any configuration to add for the HTTPS/Site configuration?

Valérie


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Problem configuring OpenAM 11 for OpenID Connect

Peter Major
OpenAM 11 only supports a draft version of the OIDC spec; you should use
OpenAM 12+ for OIDC.

cheers,
Peter

On 2016-07-29 13:44, BAUCHE, VALERIE wrote:


Re: Problem configuring OpenAM 11 for OpenID Connect

Andy Cory-2
In reply to this post by BAUCHE, VALERIE

Hi Valérie

As Peter says, OIDC in v11 is a bit hit and miss since the spec wasn’t ratified at the time. If (like we were on one project) you are stuck with v11 for now, then I think it’s possible to get things to work – at least we managed to on that project with help from ForgeRock.

Look at the following JIRA records:

- https://bugster.forgerock.org/jira/browse/OPENAM-9120 - this one causes problems if OpenAM is behind a load balancer and there is no route from the instances back to the LB
- https://bugster.forgerock.org/jira/browse/OPENAM-3705 - outlines why HTTP may work but not HTTPS
- https://bugster.forgerock.org/jira/browse/OPENAM-3566 - also describes a problem with OIDC over HTTPS

I suspect that the last one especially is quite likely to be causing you issues.

--
Andy Cory
IAM Lead Consultant
07738 545373

 


This email has been scanned for all viruses.

Please consider the environment before printing this email.

The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company or any of its subsidiaries or businesses in any contract or obligation, unless we have specifically agreed to be bound.

KCOM Group PLC is a public limited company incorporated in England and Wales, company number 02150618 and whose registered office is at 37 Carr Lane, Hull, HU1 3RE.



Re: Problem configuring OpenAM 11 for OpenID Connect

Peter Major
The problem is more around dealing with JWTs, I'd say:
* only HMAC signatures are supported in 11
* the HMAC signing key must equal the OAuth2 client password, but the
JWT signature algorithms in 11 don't really allow you to do that, IIRC

AFAIK id_tokens issued by 11 cannot be verified by (now) spec-compliant
OIDC clients.

If you want OIDC support then 12 could be a good start, but 13 was the
first release that got certified:
http://openid.net/certification/

cheers,
Peter

On 2016-08-03 14:42, Andy Cory wrote:


Re: Problem configuring OpenAM 11 for OpenID Connect

BAUCHE, VALERIE
In reply to this post by Andy Cory-2
Thanks for your answer. I'm currently working with ForgeRock support on this problem because my client is running OpenAM 11 and won't upgrade until 2017.
The first problem was that the policy OAuth2ProviderPolicy was missing. After adding it I have another problem with the message "internal server error". Still working on it with the support.

Valérie Bauche

From: [hidden email] [[hidden email]] on behalf of Andy Cory [[hidden email]]
Sent: Wednesday 3 August 2016 15:42
To: Users
Subject: Re: [OpenAM] Problem configuring OpenAM 11 for OpenID Connect


Re: Problem configuring OpenAM 11 for OpenID Connect

Andy Cory-2
In reply to this post by Peter Major
Thanks Peter, that’s interesting. In the project I mentioned we didn’t hit any problems with JWTs, but I suspect this would largely be down to the fact that the (only) client was an in-house app and itself wasn’t compliant, and/or was able to be flexible in consuming tokens. The problems with SSL, especially OPENAM-3566, were our major headache.

Andy

On 03/08/2016, 15:02, "[hidden email] on behalf of Peter Major" <[hidden email] on behalf of [hidden email]> wrote:

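Peter's remarks above describe the symmetric case: an id_token signed with HMAC, where the key is the OAuth2 client secret, and Andy's follow-up notes that his project only got by because the sole client was an in-house app that was not spec-compliant about consuming tokens. The following is an added example, not code from the thread, OpenAM or ForgeRock, showing what a spec-compliant relying party does with such a token: it pins the algorithm to an allowlist, verifies the HS256 signature with the client secret, and only then checks iss, aud, exp and nonce, rejecting anything that fails. The issuer URL, client id, client secret, nonce and all tokens are constructed placeholders, and the assumption is that the provider really does sign HS256 with the client secret; a token that does not match (signed differently, or with another key) is simply rejected, which is the failure Peter describes for clients talking to OpenAM 11.

```python
"""Spec-compliant verification of an HMAC-signed (HS256) OpenID Connect id_token.

Added example for this thread, not code from OpenAM, ForgeRock or any poster.
Assumption: the provider signs with HS256 using the OAuth2 client secret as the
HMAC key. Issuer, client id, secret, nonce and tokens are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder relying-party configuration (not a real deployment).
ISSUER = "https://sso.example.com/openam/oauth2"
CLIENT_ID = "example-rp"
CLIENT_SECRET = "constructed-client-secret-not-for-production"
NONCE = "n-0S6_WzA2Mj"

# Explicit allowlist: the token never gets to choose its own algorithm, so
# "none" or an unexpected alg is rejected before any key material is touched.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: str) -> str:
    """Mint an HS256 id_token the way a symmetric-key provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                    nonce: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid for this client, else raise ValueError.

    Order matters: algorithm check, then signature over the exact header.payload
    bytes, then claims; no claim is trusted before the HMAC has been verified.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: wrong key or tampered token")
    claims = json.loads(_b64url_decode(payload_b64))
    # ID Token validation per OIDC Core 3.1.3.7: issuer, audience/azp, expiry, nonce.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("audience does not include this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or exp missing")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token was not issued for this login attempt")
    return claims


def outcome(token: str, client_secret: str = CLIENT_SECRET, issuer: str = ISSUER,
            client_id: str = CLIENT_ID, nonce: str = NONCE,
            now: float = 1_470_000_100) -> str:
    """Run verification and report the verdict as a string."""
    try:
        verify_id_token(token, client_secret, issuer, client_id, nonce, now=now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo_cases() -> dict:
    """One good token plus the rejections a compliant client must produce."""
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "iat": 1_470_000_000, "exp": 1_470_003_600, "nonce": NONCE}
    good = sign_hs256(claims, CLIENT_SECRET)
    header_b64, _, sig_b64 = good.split(".")
    edited_payload = _b64url_encode(json.dumps(dict(claims, sub="admin")).encode())
    tampered = f"{header_b64}.{edited_payload}.{sig_b64}"   # payload edited, old signature kept
    none_header = _b64url_encode(b'{"alg":"none"}')
    unsigned = f"{none_header}.{edited_payload}."            # alg=none, empty signature
    return {
        "good": outcome(good),
        "wrong_secret": outcome(good, client_secret="some-other-secret"),
        "tampered": outcome(tampered),
        "alg_none": outcome(unsigned),
        "expired": outcome(good, now=1_470_010_000),
        "wrong_nonce": outcome(good, nonce="different"),
    }


if __name__ == "__main__":
    for name, verdict in demo_cases().items():
        print(f"{name:13s} {verdict}")
```

Running it prints one verdict per case; only the well-formed token signed with the configured secret is accepted. The point for this thread is the shared-key coupling: because the HMAC key is the client secret, every relying party that can verify the token can also mint one, so the secret must be treated as a signing key, not just a credential, and the checks above (algorithm pinning, constant-time comparison, nonce and audience) are what a client that is "flexible in consuming tokens" would be skipping.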