Thursday, September 11, 2014

OpenAM OAuth2 Provider - Request not valid, perhaps a permission problem

I have a customer that requires OAuth2 Provider to be configured on their existing OpenAM SSO infrastructure.

So, as usual, I do not like to over-promise by just answering customers' questions based on technical write-ups. I went ahead to set up 2 OpenAM servers - 1 acting as OAuth2 Provider; 1 acting as OAuth2 Client.

Of course, any OAuth2 Client will do. It does not have to be an OpenAM server acting as an OAuth2 Client. Ok, I'm just lazy. :)

There is documentation from ForgeRock on Configuring OpenAM as Authorization Server & Client. Be warned: Do read carefully; Do not skip any step.

So, basically, the 1st step is to Set Up the OAuth 2.0 Authorization Service as illustrated in Configuring the OAuth 2.0 Authorization Service.

Simple task. In fact, very simple task!

BUT ... this is where I encountered an issue. After I clicked OK and finished the remaining configuration, I hit the error "Request not valid, perhaps a permission problem" when I started testing.

I enabled debug logs, but there were not too many hints.

After many rounds of debugging, I read the documentation again.

In addition to setting up an OAuth 2.0 authorization server for the realm, OpenAM sets up a policy to protect the authorization endpoint. The policy appears in the list of policies for the realm. Its name is OAuth2ProviderPolicy. 

To make the change, browse to Access Control > Realm Name > Services > OAuth2 Provider, add the profile attributes to the list titled User Profile Attribute(s) the Resource Owner is Authenticated On.

I checked the OpenAM Admin console. I did not see a service by the name of "OAuth2 Provider". Neither did I see a policy by the name of "OAuth2ProviderPolicy".

Very strange indeed. No choice, I clicked on "Configure OAuth2" again to make the default realm act as an authorization server.

This time round, bingo! OpenAM OAuth2 Provider works like a charm.

The OAuth2 Provider service appeared!

The OAuth2ProviderPolicy policy also appeared!

When I tested again, the following authorization page also appeared:

Maybe my VM was slow the first time I tried to configure the OAuth2 authorization service. I'm not too sure! But I'll definitely add the above into my verification steps the next time I configure the OAuth2 authorization service again!


1 comment:

  1. Hi azlabs,

    In case I would like to change IDP (Protected Resource) into ADFS (not OpenAM IDP), do you have any suggestion for me?

    Thank you.