OAuth - Value cannot be null or empty. Parameter name: code

What version of OneIM are you using?

Are we talking about the REST API hosted via the AppServer?

Are we talking about the REST API hosted via the AppServer? -> Yes Markus and the version we are doing the current setup is Version 8.1.5 and planning to move to 9.0 LTS soon.

Did you check my explanations in this thread?  How to use OAuth 2.0 with Application Server via RESTful API
With 9.0/9.1 you will also have another authentication module if you need to use access tokens directly https://support.oneidentity.com/technical-documents/identity-manager/9.1/authorization-and-authentication-guide/30#TOPIC-1872885

Thanks Markus. I am going through the blogpost but I didn't find any technical document related to RSTS at the path mentioned \Modules\QBM\install\bin\DellRSTS.chM. I have already checked in Version 8.0.2, 8.1.5 and even the 9.0. Would it be possible for you to share online link or similar reference for the same.

I did not mean the RSTS part of the thread but the explanation of the parameters needed for the OAuth authentication module. But nevertheless, you will find the  API documentation here <product delivery>\Modules\QBM\dvd\AddOn\Redistributable STS\ApiDoc.zip

Thank You Markus for the reference. Let me work this out.

Hi Markus, 

I have referred the RSTS documentation and referring the same able to generate Authorization Code to pass in the body of OAuth Authentication Module of OneIM via PostMan tool i.e.

"authTemplate": "Module=OAuth;(OAuth2Code)Code;(Hidden)AppUrl;(Hidden)ClientId;(Hidden)Nonce;(Hidden)RedirectUri",

But receiving this error when tried via PostMan while making POST call for BaseURL/auth/apphost URI

Failed to authenticate user using OAuth2/Open ID Connect. VI.Base.ViException: Invalid access token. ---> Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10504: Unable to validate signature, token does not have a signature: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.

Also for your information, we have only Windows Authentication enabled at IIS end for the AppServer instance, that's why in the authorization of PostMan Tool I am using NLTM Authentication(Beta) and passing the credentials for Windows user with which the Application Pool is configured and in the request body passing the OAuth module for auth/apphost URI POST call.

is this the correct approach and if you could suggest or give some guidance on the error, that would be really helpful.

Hi Markus, 

I have referred the RSTS documentation and referring the same able to generate Authorization Code to pass in the body of OAuth Authentication Module of OneIM via PostMan tool i.e.

"authTemplate": "Module=OAuth;(OAuth2Code)Code;(Hidden)AppUrl;(Hidden)ClientId;(Hidden)Nonce;(Hidden)RedirectUri",

But receiving this error when tried via PostMan while making POST call for BaseURL/auth/apphost URI

Failed to authenticate user using OAuth2/Open ID Connect. VI.Base.ViException: Invalid access token. ---> Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10504: Unable to validate signature, token does not have a signature: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.

Also for your information, we have only Windows Authentication enabled at IIS end for the AppServer instance, that's why in the authorization of PostMan Tool I am using NLTM Authentication(Beta) and passing the credentials for Windows user with which the Application Pool is configured and in the request body passing the OAuth module for auth/apphost URI POST call.

is this the correct approach and if you could suggest or give some guidance on the error, that would be really helpful.

In regards to token error, what is the IDP configured in One Identity Manager for the Application Server?

If the access token is not signed correctly, you cannot prevent the validation of the token in version 8.1.5. You need at least 8.2 for it. You can then set the flag "No ID token check" at the Identity Provider in OneIM.

Thanks Markus for reverting. We have configured MS Azure IDP i.e. <https://login.microsoftonline.com/<tenant ID>/.well-known/openid-configuration for the application server.

Hi Markus,

Also, in addition to this I am trying to use Token Module in Version 9.0 LTS, which we are currently upgrading to and its in progress in our non-production environments, but while trying to validate that via PostMan receiving 

Auth String Passed in Body of for auth/apphost in Version 9.0 LTS via PostMan

{"authString":"Module=Token;Url=Hidden;ClientId=Hidden;ClientSecret=Hidden;TokenEndpoint=Hidden"}

Error in IIS Logs

2023-05-10 15:45:04.6576 ERROR (ObjectLog Global) : [810069] Error loading authentication module Token.
[810070] The authentication module is not available or not activated.
VI.Base.ViException: Error loading authentication module Token. ---> VI.Base.ViException: The authentication module is not available or not activated.
at VI.DB.Auth.DbAuthenticator.<_GetModuleAsync>d__13.MoveNext()
--- End of inner exception stack trace ---

I have enabled authentication modules and configuration parameters as mentioned in Tech documents mentioned below

https://support.oneidentity.com/de-de/technical-documents/identity-manager/9.1/authorization-and-authentication-guide/30#TOPIC-1872886

https://support.oneidentity.com/de-de/technical-documents/identity-manager/9.1/authorization-and-authentication-guide/29#TOPIC-1872884

Could you provide some reference over here if anything additional to be done.

If you want to use the token based auth, you do not need to pass the auth string or call the auth/apphost URL. This might be misleading.

You just pass your access token as bearer token in the header.

When I tried passing the bearer token header I am still getting 

2023-05-11 13:24:08.9765 DEBUG (AppServer v2wZ9SO7H5ye8ThinEsg) : Executing request: /auth/apphost
2023-05-11 13:24:08.9765 ERROR (ObjectLog Global) : [ServiceStack.HttpError] Invalid authentication data.
ServiceStack.HttpError: Invalid authentication data.

Also as you mention with token based auth, we don't need to call auth/apphost URL. so without calling auth/apphost URL, how will we authenticate ? What I understood from the documentation that in order to use RestAPI, we have to first  authenticate against the application server by calling auth/apphost with required module.

For instance, when I used the dialoguser based auth module, I can successfully connect validate and make API calls via PostMan.

If you configure the AppServer to use the token-based authentication, you do not need to call the auth/apphost URL. You instead provide the access token as a bearer token in the header of your call. This is meant for machine-to-machine usage.

You have to keep in mind, that in this case OneIM converts the access token to an authenticated identity by taking a claim from the access token and using that to lookup a Person object as described in the authentication documentation for the OAuth authentication modules.

If you use the other OAuth authentication modules, you need to call the auth/apphost URL as you did with the Dialoguser authentication module.

Hi Markus,

In V9, I am able to authenticate using OAuth and it works now.

But I have one more query, as we have only windows authentication enabled at IIS end for application server, so while testing APIs via PostMan it throws unauthorized error and in order to by pass this as per solution mentioned in  Rest API on 7.1 cannot authenticate by enabling anonymous authentication at IIS end OAuth 2.0 mechanism works perfectly via postman for API calls.

So, is enabling anonymous authentication the correct solution or does it have any other implications ? Should we also enable anonymous authentication in Production is it advisable. Because with only Windows Authentication enabled it requires the domain user login with which the application pool is configured at IIS end.

Could you please guide us on the above points and share your suggestion ?  

In regards to Postman and Windows Auth, this here might be of use. https://mejustandrew.medium.com/postman-401-unathorized-using-ntlm-a996fbf072bf

Speaking generally, if Windows Auth is enabled at the IIS then - before the request is routed to the AppServer - the IIS tries to authorize you. And if your Postman call is not able to do so the request fails.