Authentication failed with OpenID Connect

Hello All, 

We have integrated One Identity Manager with ForgeRock AM. Once we enter the URL of the web portal it redirects to AM for authentication; after authentication it redirects back to the portal with the below error:

The authentication process could not be completed. Contact your system administrator if the problem persists.

Failed to authenticate user.

Cannot find the requested object.


We got the below error message in the job queue:

Login failed (Module: OAuth 2.0 / OpenID Connect (role based), Properties: , Identity: -, Client Machine: 10.11.46.133, Errors: [System.Security.Cryptography.CryptographicException] Cannot find the requested object.

If anybody has any idea, please let us know.

Thanks,

Pranav

  • I found the below information in the web portal logs:

    2020-09-21 15:24:32.0741 ERROR ( ObjectLog) : Failed to authenticate user using OAuth2/Open ID Connect. System.Security.Cryptography.CryptographicException: Cannot find the requested object.
       at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
       at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName)
       at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName)
       at QER.OAuthAuthentifier.OAuth.<_GetSigningCertificatesFromServerAsync>d__17.MoveNext()

  • We imported the cert into the personal keystore; now we are getting a new error:

    Invalid access token.
    IDX10501: Signature validation failed. Unable to match keys: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]',
    token: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.
  • There is a new configuration parameter, introduced in v8.1.3, which allows you to control the setting of the flag ShowPII.

    The configuration parameter is "QBM\DebugMode\OAuth2\LogPersonalInfoOnException". Enabling this parameter supports troubleshooting of OAuth 2.0/OpenID Connect authentication by logging personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component.

    Please find this mentioned in our documentation:

    - Release notes:
    https://support.oneidentity.com/technical-documents/identity-manager/8.1.3/release-notes#TOPIC-1474354

    - Authorization and Authentication guide:
    https://support.oneidentity.com/technical-documents/identity-manager/8.1.3/authorization-and-authentication-guide/27#TOPIC-1480602


  • Below is the latest error:
    Failed to authenticate user using OAuth2/Open ID Connect. System.FormatException: Input string was not in a correct format.
       at System.Text.StringBuilder.FormatError()
       at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
       at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
       at System.String.Format(IFormatProvider provider, String format, Object[] args)
       at Microsoft.IdentityModel.Logging.IdentityModelEventSource.PrepareMessage(EventLevel level, String message, Object[] args)
  • And what did you change? Just seeing the error is not really helpful.

  • We enabled the configuration parameter "QBM\DebugMode\OAuth2\LogPersonalInfoOnException".

    Failed to authenticate user using OAuth2/Open ID Connect. System.FormatException: Input string was not in a correct format.
       at System.Text.StringBuilder.FormatError()
       at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
       at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
       at System.String.Format(IFormatProvider provider, String format, Object[] args)
       at Microsoft.IdentityModel.Logging.IdentityModelEventSource.PrepareMessage(EventLevel level, String message, Object[] args)
       at Microsoft.IdentityModel.Logging.IdentityModelEventSource.WriteError(String message)
       at Microsoft.IdentityModel.Logging.IdentityModelEventSource.WriteError(String message, Object[] args)
       at Microsoft.IdentityModel.Logging.LogHelper.LogExceptionMessage(EventLevel eventLevel, Exception exception)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
       at QER.OAuthAuthentifier.OAuth._ValidateToken(String token, String issuerName, String clientId, String nonce, Boolean openid, IEnumerable`1 signingKeys, Boolean showPiiInLog)
       at QER.OAuthAuthentifier.OAuth.<GetClaimsAsync>d__25.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  • I quote myself here:

    Without seeing the complete configuration, it is hard to guess what exactly is going wrong, so I suggest contacting support to be able to share these confidential configuration items.

    So, either you are able to share your settings, especially the ones regarding the signing certificate, or you contact support.

  • Thanks Markus. I contacted the support team and am waiting for their response. Can you please tell us if OIM supports the HS256 algorithm to validate an OpenID Connect ID token?

  • HS256 should be supported as far as I know.

  • Hello, the login issue has been resolved. Thank you for all your support.

    The config param is set to off:

    QBM\DebugMode\OAuth2\LogPersonalInfoOnException

    and we removed all the references to certificates since we are using the JSON endpoints.

    The support team provided the below information:

    If you want to use JSON endpoints, then the values on the Certificate tab (certificate endpoint, certificate subject, thumbprint) and the Application tab (certificate endpoint, certificate subject, thumbprint) have to be cleared.

    But now we are getting the below error while logging out. Any ideas?

    {"error_description":"The endSession endpoint requires an id_token_hint parameter","error":"bad_request"}
    URL is .../connect/endSession?client_id=xxxxxxxxxxxxxx
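The thread touches two things an RP has to get right: matching the ID token's signing key from the configured key set (the IDX10501 "unable to match keys" failure above is what a mismatch looks like), then checking the standard claims, and sending an `id_token_hint` on the end-session request, which is exactly what the logout error complains is missing. The block below is an added, self-contained illustration of both; it is not One Identity Manager or ForgeRock code. It uses HS256 (the algorithm asked about above) with the standard library only, and the secret, key id, issuer, client id and endpoint URL are all constructed placeholders.

```python
"""Validate an HS256-signed OIDC ID token against an in-memory key set keyed by
kid, then build an RP-initiated logout URL that carries id_token_hint.
Constructed example, standard library only; no vendor code is used."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed placeholders standing in for the RP configuration.
ISSUER = "https://op.example.test"
CLIENT_ID = "rp-client"
CLIENT_SECRET = b"constructed-client-secret"
SIGNING_KEYS: Dict[str, bytes] = {"key-1": CLIENT_SECRET}  # kid -> HMAC key
END_SESSION_ENDPOINT = "https://op.example.test/connect/endSession"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes, kid: str) -> str:
    """Mint an HS256 JWT; plays the OP's role so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, signing_keys: Dict[str, bytes], issuer: str,
                      client_id: str, nonce: str, now: Optional[int] = None) -> dict:
    """Verify the signature by kid lookup (as a JWKS-backed validator does), then
    the iss/aud/nonce/exp claims an RP must check. Raises ValueError on failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    kid = header.get("kid")
    if kid not in signing_keys:
        # The situation behind an IDX10501 message: nothing in the key set matches.
        raise ValueError(f"signature validation failed: no key matches kid {kid!r}")
    expected = hmac.new(signing_keys[kid], f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature validation failed: HMAC mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token was not issued for this client_id")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def build_end_session_url(end_session_endpoint: str, id_token: str,
                          post_logout_redirect_uri: str) -> str:
    """RP-initiated logout request carrying id_token_hint, which the OP requires."""
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{end_session_endpoint}?{query}"


def demo() -> dict:
    """Run the happy path, a kid mismatch, and logout URL construction."""
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "nonce": "n-1",
              "iat": 1_700_000_000, "exp": 1_700_000_300}
    good = sign_hs256(claims, CLIENT_SECRET, "key-1")
    validated = validate_id_token(good, SIGNING_KEYS, ISSUER, CLIENT_ID, "n-1", now=1_700_000_100)
    # Same secret but an unknown kid: rejected before any HMAC is computed.
    stale = sign_hs256(claims, CLIENT_SECRET, "key-rotated")
    try:
        validate_id_token(stale, SIGNING_KEYS, ISSUER, CLIENT_ID, "n-1", now=1_700_000_100)
        mismatch_error = None
    except ValueError as exc:
        mismatch_error = str(exc)
    logout_url = build_end_session_url(END_SESSION_ENDPOINT, good, "https://rp.example.test/")
    return {"subject": validated["sub"], "mismatch_error": mismatch_error, "logout_url": logout_url}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The kid check runs before any cryptography, which mirrors the library behaviour seen in the thread: a signing key that is configured but does not correspond to the token's header fails with "unable to match keys", not with a bad-signature error. Only the ID token is ever placed in `id_token_hint`; an access token would be wrong there and would be rejected by the OP.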