Problem saving oauth2 consent

Problem saving oauth2 consent

BAUCHE, VALERIE
Hi,

I’m testing OpenID Connect with the provided openid client. Authorization is working except for saving the consent.
I use the “description” attribute to store the consent (configured in OAuth2Provider - Saved Consent Attribute Name)
But I always get the following error message:

OAuth2Provider:03/15/2016 10:48:56:159 AM CET: Thread[http-bio-8080-exec-5,5,main]
ERROR: Unable to save consent
Message:Arguments illégaux : au moins l’un des arguments requis est null ou absent.

        at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.newIdRepoException(DJLDAPv3Repo.java:2474)
        at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.setAttributes(DJLDAPv3Repo.java:959)
        at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.setAttributes(DJLDAPv3Repo.java:834)
        at com.sun.identity.idm.server.IdServicesImpl.setAttributes(IdServicesImpl.java:1720)
        at com.sun.identity.idm.server.IdCachedServicesImpl.setAttributes(IdCachedServicesImpl.java:525)
        at com.sun.identity.idm.AMIdentity.store(AMIdentity.java:535)
        at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.saveConsent(OpenAMOAuth2ProviderSettings.java:466)

Valérie

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Problem saving oauth2 consent

Robert Morschel

Hey,

I had this problem, and got the following guidance from ForgeRock’s Andrew Potter:

So in order to use ‘description’ you need to tell OpenAM about that attribute (‘Description’ is already defined as an available attribute in OpenDJ as part of the inetOrgPerson LDAP class so adding that attribute definition to the data store is not needed).

To do this, you need to go to the data store configuration in the relevant realm (i.e. the Data Stores tab - select the configured DataStore)

Then in the ‘User Configuration’ section in the ‘LDAP User Attributes’ list add ‘description’ and save the change. (OpenAM already knows about the inetOrgPerson LDAP class that includes the description attribute definition).

You should now see the consent being persisted in the description attribute of the user in OpenDJ, and won’t be prompted again by OpenAM.

Hope this helps you.

Regards,

Robert

Re: Problem saving oauth2 consent

Peter Major
In reply to this post by BAUCHE, VALERIE
Add the attribute name to the LDAP User Attributes setting of the Data
Store.

Re: Problem saving oauth2 consent

BAUCHE, VALERIE
Thanks! I forgot this simple configuration, it's working now!

Another question about consent: given the OpenID Connect specifications, is there any way to completely avoid the consent?
For example if I only want to get an access token containing the user email address (the user authenticated with it) and I don't need any profile information.


Valérie


Re: Problem saving oauth2 consent

Bernhard Thalmayr
On 15/03/16 at 11:43, BAUCHE, VALERIE wrote:
> Thanks! I forgot this simple configuration, it's working now!
>
> Another question about consent: given the OpenID Connect specifications, is there any way to completely avoid the consent?
> For example if I only want to get an access token containing the user email address (the user authenticated with it) and I don't need any profile information.

https://bugster.forgerock.org/jira/browse/OPENAM-5093

A workaround would be to pre-populate the 'consent saving' attribute as
I explained in
http://stackoverflow.com/questions/35747332/how-to-implement-user-auto-approval-with-forgerock-openam-and-oauth2/35850303?noredirect=1#comment59434124_35850303

-Bernhard



