Authentication failed with OpenID connect

Hello All, 

We have integrated One Identity Manager with ForgeRock AM. Once we enter the URL of the Web portal it redirects to AM for authentication; after authentication it redirects back to the portal with the below error

The authentication process could not be completed. Contact your system administrator if the problem persists.

Failed to authenticate user.

Cannot find the requested object.


Got the below error message in the job queue

Login failed (Module: OAuth 2.0 / OpenID Connect (role based), Properties: , Identity: -, Client Machine: 10.11.46.133, Errors: [System.Security.Cryptography.CryptographicException] Cannot find the requested object.

If anybody has any idea, please let us know.

Thanks,

Pranav

  • I found the below information in web portal logs

    2020-09-21 15:24:32.0741 ERROR ( ObjectLog) : Failed to authenticate user using OAuth2/Open ID Connect. System.Security.Cryptography.CryptographicException: Cannot find the requested object.at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)

    at System.Security.Cryptography.X509Certificates.X509Utils._QueryCertFileType(String fileName)
    at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
    at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName)
    at QER.OAuthAuthentifier.OAuth.<_GetSigningCertificatesFromServerAsync>d__17.MoveNext()

  • Error after enabling debug mode

    2020-09-24 07:52:29.0128 DEBUG ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Certificate was not found in local store.
    2020-09-24 07:52:29.0128 DEBUG ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Certificate: Using certificate endpoint configured by identity client definition.
    2020-09-24 07:52:29.0128 TRACE ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Getting signing certificate from URL https.........
    2020-09-24 07:52:29.0909 ERROR ( ObjectLog lrw0le5p2wd15ybdrwauau2y) : Failed to authenticate user using OAuth2/Open ID Connect. System.Security.Cryptography.CryptographicException: Cannot find the requested object.

  • The IDP cert is added to the trust store of the web servers, not sure what we are doing incorrectly here, any suggestions?

  • Are you sure that your IDP is providing a certificate endpoint and that it provides the token signing certificate from there? It's normally different from the SSL/TLS certificate the server is using.

    Without seeing the complete configuration, it is hard to guess what exactly is going wrong so I suggest contacting support to be able to share these confidential configuration items.

  • We imported the cert to the personal keystore, now we are getting a new error

    Invalid access token.
    IDX10501: Signature validation failed. Unable to match keys: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]',
    token: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.
  • There is a new configuration parameter that was newly introduced in v8.1.3 which allows you to control the setting of the flag ShowPII.

    The configuration parameter is "QBM\DebugMode\OAuth2\LogPersonalInfoOnException". Enabling this parameter supports troubleshooting of OAuth 2.0/OpenID Connect authentication by logging personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component.

    Please find this mentioned in our documentation:

    - Release notes:
    https://support.oneidentity.com/technical-documents/identity-manager/8.1.3/release-notes#TOPIC-1474354

    - Authorization and Authentication guide:
    https://support.oneidentity.com/technical-documents/identity-manager/8.1.3/authorization-and-authentication-guide/27#TOPIC-1480602


  • Below is the latest error
    Failed to authenticate user using OAuth2/Open ID Connect. System.FormatException: Input string was not in a correct format.
       at System.Text.StringBuilder.FormatError()
       at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
       at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
       at System.String.Format(IFormatProvider provider, String format, Object[] args)
       at Microsoft.IdentityModel.Logging.IdentityModelEventSource.PrepareMessage(EventLevel level, String message, Object[] args)
  • And what did you change? Just seeing the error is not really helpful.

  • We enabled the configuration parameter "QBM\DebugMode\OAuth2\LogPersonalInfoOnException".


    : Failed to authenticate user using OAuth2/Open ID Connect. System.FormatException: Input string was not in a correct format.
       at System.Text.StringBuilder.FormatError()
       at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
       at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
       at System.String.Format(IFormatProvider provider, String format, Object[] args)
       at Microsoft.IdentityModel.Logging.IdentityModelEventSource.PrepareMessage(EventLevel level, String message, Object[] args)
       at Microsoft.IdentityModel.Logging.IdentityModelEventSource.WriteError(String message)
       at Microsoft.IdentityModel.Logging.IdentityModelEventSource.WriteError(String message, Object[] args)
       at Microsoft.IdentityModel.Logging.LogHelper.LogExceptionMessage(EventLevel eventLevel, Exception exception)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
       at QER.OAuthAuthentifier.OAuth._ValidateToken(String token, String issuerName, String clientId, String nonce, Boolean openid, IEnumerable`1 signingKeys, Boolean showPiiInLog)
       at QER.OAuthAuthentifier.OAuth.<GetClaimsAsync>d__25.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  • I quote myself here:

    Without seeing the complete configuration, it is hard to guess what exactly is going wrong so I suggest contacting support to be able to share these confidential configuration items.

    So, either you are able to share your settings, especially the ones regarding the signing certificate, or you contact support.

  • Thanks Markus. Contacted the support team and waiting for their response. Can you please tell us if OIM supports the HS256 algorithm to validate an OpenID Connect ID token?
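As an added illustration of the checks behind the errors discussed in this thread (the "Unable to match keys" IDX10501 failure, the issuer/client ID/nonce parameters visible in the `_ValidateToken` frame, and the HS256 question), here is a minimal ID token validator. It is example code, not One Identity Manager or ForgeRock code; it uses HS256 with a constructed shared secret because that needs only the Python standard library, and the key-matching step is the same one an RS256 setup performs against the signing certificate fetched from the IdP's certificate endpoint.

```python
# Added example (not One Identity Manager or ForgeRock code): the validation
# steps a relying party performs on an OIDC ID token. All names and keys here
# are constructed for the demonstration.
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, key: bytes, kid: str) -> str:
    """Constructed test token standing in for an IdP-issued ID token."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token: str, issuer: str, client_id: str, nonce: str,
                      signing_keys: dict) -> dict:
    """signing_keys maps kid -> HMAC secret. Returns claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Invalid access token: not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm before touching any key: never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"Unsupported alg {header.get('alg')!r}; allowlist is HS256")
    key = signing_keys.get(header.get("kid"))
    if key is None:
        # The IDX10501 situation: none of the configured keys is the one the
        # IdP signed with (e.g. a TLS cert was imported instead of the signing cert).
        raise ValueError(f"Signature validation failed. Unable to match keys: "
                         f"kid={header.get('kid')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("Signature validation failed: bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience (client ID) mismatch")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims
```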
