Tuesday, April 21, 2015

OAuth2 Provider - ERROR: The authorization server can not authorize the resource owner

I helped to configure a basic OAuth2 Provider for a customer in their SSO infrastructure. In fact, I configured it in two environments for the same customer. The first was configured months ago and worked like a charm. The second one was recently configured, and we encountered errors during integration testing with an OAuth2 client.

During the integration testing, we were very sure the users keyed in their user name and password correctly. But right after successful user authentication, we always got the error: "ERROR: The authorization server can not authorize the resource owner".

Why? Pretty hard to guess. So I switched the OpenAM debug log level from ERROR to MESSAGE.

Wow! The logs were many, each was huge, and they were hard to work through. So I changed strategy. Besides setting the debug level to MESSAGE, I also ensured that Merge Debug Files was switched to On, so that all components write to a single file in time order.

Much better this time: the log was sequential and told a clear story of exactly what happened before the error.

In the OpenAM debug log, the following was shown right above the error message:

Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] PolicyEvaluator.evaluate
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] search result: privilege=OAuth2ProviderPolicy
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] Privilege.doesSubjectMatch: false
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] Advices: {}

The PolicyEval happened right before the error message "ERROR: The authorization server can not authorize the resource owner" was thrown. The key line is "Privilege.doesSubjectMatch: false": the OAuth2ProviderPolicy policy was found, but its subject condition did not match the authenticated user, so the policy granted nothing and the authorization server refused the request.
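Reading a merged debug file by hand is slow, so here is a small added example (my own code, not from the post or from OpenAM) that groups the debug records by header line and, correlating by thread name, reports every policy evaluation whose subject check came back false together with the privilege it belonged to. The log format and the sample records are modelled on the excerpt above; the sample is constructed, not a real capture.

```python
import re

# An OpenAM debug record starts with a header line such as
#   Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
# followed by one or more message lines that belong to it until the next header.
HEADER_RE = re.compile(
    r"^(?P<component>\w+):(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]+)\]$"
)

def parse_debug_log(text):
    """Group the merged debug file into records: {component, ts, thread, lines}."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = dict(m.groupdict(), lines=[])
            records.append(current)
        elif current is not None and raw.strip():
            current["lines"].append(raw.strip())
    return records

def failed_subject_matches(records):
    """Return (privilege, thread, ts) for each policy evaluation whose subject
    check came back false. The privilege name and the verdict arrive in separate
    records, so they are correlated by thread name."""
    last_privilege, findings = {}, []
    for rec in records:
        body = " ".join(rec["lines"])
        m = re.search(r"privilege=(\S+)", body)
        if m:
            last_privilege[rec["thread"]] = m.group(1)
        if "Privilege.doesSubjectMatch: false" in body:
            findings.append((last_privilege.get(rec["thread"], "<unknown>"),
                             rec["thread"], rec["ts"]))
    return findings

# Constructed sample modelled on the excerpt in the post, not a real capture.
SAMPLE_LOG = """\
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] PolicyEvaluator.evaluate
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] search result: privilege=OAuth2ProviderPolicy
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] Privilege.doesSubjectMatch: false
Entitlement:04/21/2015 12:14:57:224 PM SGT: Thread[ajp-apr-2443-exec-3,5,main]
[PolicyEval] Advices: {}
"""
```

Running `failed_subject_matches(parse_debug_log(SAMPLE_LOG))` on the sample returns the OAuth2ProviderPolicy finding with its thread and timestamp, which points straight at the policy whose subject needs checking.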

Somehow, the Subjects entry "OAuth2ProviderSubject" in the OAuth2ProviderPolicy policy was missing. After adding it back, the error was gone.