Authentication failed with OpenID connect

You need to check the web portal logs

I found the below information in web portal logs

2020-09-21 15:24:32.0741 ERROR ( ObjectLog) : Failed to authenticate user using OAuth2/Open ID Connect. System.Security.Cryptography.CryptographicException: Cannot find the requested object.at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)

at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName)
at QER.OAuthAuthentifier.OAuth.<_GetSigningCertificatesFromServerAsync>d__17.MoveNext()

8.1.3

just FYI We have two web servers behind the DNS, i am not sure about what kind of certificates is giving the problem

It sounds as if you are using a certificate for the Identity Provider this is why the X509 log lines I would expect. I don't know if you went through the wizard manually or not but in the screen shot below is where you would have entered the certificate information

Yes you are correct we are using IDP cert here, We went through the wizard automatically , but we entered the cert details manually . 

The error message implies that the web portal is unable to access the cert.

All the root/intermediate certs are installed on the Web servers, Is this error means web server is not able to access the IDP certs?

Error after enabling debug mode

2020-09-24 07:52:29.0128 DEBUG ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Certificate was not found in local store.
2020-09-24 07:52:29.0128 DEBUG ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Certificate: Using certificate endpoint configured by identity client definition.
2020-09-24 07:52:29.0128 TRACE ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Getting signing certificate from URL https.........
2020-09-24 07:52:29.0909 ERROR ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Failed to authenticate user using OAuth2/Open ID Connect. System.Security.Cryptography.CryptographicException: Cannot find the requested object.

The IDP cert is added to the trust store of web servers,  not sure what we are doing incorrect here , any suggestions?

Are you sure, that your IDP is providing a certificate endpoint and that it provides the token signing certificate from there? It's normally different from the SSL/TLS certificate the server is using.

Without seeing the complete configuration, it is hard to guess what exactly is going wrong so I suggest contacting support to be able to share these confidential configuration items.

We imported the cert to the personal keystore , now we are getting  a new error

We imported the cert to the personal keystore , now we are getting  a new error

There is a new configuration parameter that was newly introduced in v8.1.3 which allows you to control the setting of the flag ShowPII.

The configuration parameter is "QBM\DebugMode\OAuth2\LogPersonalInfoOnException" By enabling this parameter, it allows support of troubleshooting in OAuth 2.0/OpenID Connect authentication where you can log personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component.

Please find this mentioned in our documentation :

- Release notes:
https://support.oneidentity.com/technical-documents/identity-manager/8.1.3/release-notes#TOPIC-1474354

- Authorization and Authentication guide:
https://support.oneidentity.com/technical-documents/identity-manager/8.1.3/authorization-and-authentication-guide/27#TOPIC-1480602

And what did you change? Just seeing the error is not really helpful.

we enabled the configuration parameter  "QBM\DebugMode\OAuth2\LogPersonalInfoOnException

I quote myself here:

Markus Weiss-Ehlers said:

Without seeing the complete configuration, it is hard to guess what exactly is going wrong so I suggest contacting support to be able to share these confidential configuration items.

So, either you are able to share your settings, especially the ones regarding the signing certificate, or you contact support.

Thanks Markus, Contacted the support team and waiting for there response, Can you please tell us if OIM  support the HS256 algorithm to validate an OpenID Connect ID token

HS256 should be supported as far as I know.

Thanks,

Hello , The login issue has been resolved, Thank you for all your suuport

the config param is set to off

QBM\DebugMode\OAuth2\LogPersonalInfoOnException

and we removed all the references of certificates since we are using the JSON end points

Suuport team provided the below information

if you want to use JSON end points, then values for tab certificate (certificate endpoint, certificate subject, thumbprint) and tab application (certificate endpoint, certificate subject, thumbprint) have to be cleared.

But now we are getting the below error while log out any ideas

{"error_description":"The endSession endpoint requires an id_token_hint parameter","error":"bad_request"}

URL is .../connect/endSession?client_id=xxxxxxxxxxxxxx

Sorry, but I do not have an idea about the logout. Please contact support, as you might already have.