Not able to authenticate using access token (in authentication header) for authentication to API server

With the implementation of the API server, we want to expose our One Identity Manager capabilities via APIs within our organization. In our test setup we successfully managed to authenticate to the authentication API using the oauthrolebased API, and with the session token retrieved from this call we were able to do additional API calls. However, this is not the required setup, because the systems we integrate with don't have an authorization code, but already have an OAuth access token. We read in the documentation that this should also be possible by providing the access token as a bearer token in the authentication header of every API call (which makes the authentication API unnecessary). However, every time we send an API call with this bearer token, we get an error 401 "token has expired" (which is clearly not the case, because we just retrieved it with an API call to the authorization server). We wonder what is causing the issue, or whether this is not possible within OI.

Addition: 

We also tried what is described here, but this also gave a 500 internal server error:

Identity Manager 9.0 LTS - Authorization and Authentication Guide (oneidentity.com)

Parents
  • Having talked with this specific customer (recognizing the name) this has been resolved (I'll give some more details for anyone else running into this problem).

    The bearer token in this case is being supplied by the UserInfo Endpoint of Microsoft (Detailed here: Microsoft identity platform UserInfo endpoint - Microsoft identity platform | Microsoft Learn ), which shows what fields / claims are present in the token.
    The One Identity system uses the configured OAuth 2.0/OpenID Connect configuration to try and match this bearer token to a user in One Identity.

    In the OAuth 2.0 configuration (on the One Identity side) you define:

    - A search value

    - The column to search

    - The user name value

    The search value is the field from the token that is retrieved and that it tries to match to a column. It was set to 'upn' (as this is most commonly used for the authentication on the web-frontend) but that doesn't work in this case. As can be seen in the Microsoft endpoint documentation UPN is not part of the UserInfo token (which is the normal bearer token if someone already has one).

    By changing the search value and user name values to Email, and updating the column to search from AADUser - UserPrincipalName to AADUser - Email, this was resolved.

    So, yes you can authenticate against the APIServer by providing a bearer token as part of your request. But be sure that the search values and columns to search are part of the bearer token supplied, and be aware that the standard user info from Microsoft does not include the UPN. 

    Hopefully this'll help someone in the future :).

  • I have just run into this issue.  For me, I had a different reason where I cannot use the email address.  I have a company that is going to be dealing with Cross-Tenant-Sync accounts within Entra.  These are accounts that exist in one or more tenants, but use the home tenant email address.  What I have found in OneID is that when you get it to look at the email address, it seems to select the LAST entry in the DB that has that email address (I am needing to create sub-identities for each tenant as they have different job roles etc.).  In my case, I had two OAuth connectors.  If I OAuthed using one, it would select the AAD account that was attached to another tenant.  Therefore I went hunting about how to fix this.

    So, as stated, the default uses the UserInfo endpoint.  Even though it shows claims within the response, you cannot select them.  Even the documentation (9.0 and 9.2.1) showed reference to using a UPN for this.  But it does not work.

    In the log file (trace enabled), I would get this (info scrubbed on purpose):

    2025-11-17 13:40:20.0660 TRACE ( ObjectLog ) : Got following claims in token:
    aud = 8ce636a
    iss = login.microsoftonline.com/.../v2.0
    iat = 1
    nbf = 176
    exp = 17
    email = Thisisanothertest@nmicrosoft.com
    name = Thisisanothertest
    nonce = 2VFeL9mHGCi8DyyBJ
    oid = 2faeafc1-e
    preferred_username = Thisisanothertest@onmicrosoft.com
    rh = 1.AWYABOQU0ymZVUuyUarJOlfshW0d7g9SjAPpmAA.
    sid = 00aa78b9-fd44-ea34
    sub = oxAx_ZgaF-Lb1bZHntM0oZU
    tid = d314e404-ab1
    uti = yVEd7WiO4E
    ver = 2.0
    2025-11-17 13:40:20.0660 TRACE ( ObjectLog ) : Getting user info from endpoint: graph.microsoft.com/.../userinfo
    2025-11-17 13:40:20.6812 ERROR ( ObjectLog ) : Failed to authenticate user using OAuth2/Open ID Connect. VI.Base.ViException: Claim 'oid' was not found.
    at QER.OAuthAuthentifier.OAuth.

    Notice how it says: Getting user info from endpoint:  graph.microsoft.com/.../userinfo

    If you go into the OAuth configuration in Designer and remove the offline_access scope, it will now look at other claims.  Example output looking at OID and matching it to AADUser.ID (the extract is what comes after the list of claims from above):

    schemas.microsoft.com/.../tenantid = d314e404-9929f5b0ab1
    2025-11-18 16:40:19.4698 TRACE ( ObjectLog ) : No user info endpoint set -> Trying to get claim from id_token
    2025-11-18 16:40:19.4698 TRACE ( SqlLog ) : -- Connection 1 switched from Available to Working after comparison
    2025-11-18 16:40:19.4698 TRACE ( SqlLog ) : --> existing connection 1
    2025-11-18 16:40:19.4698 DEBUG ( SqlLog ) : (< 1 ms) - select p.UID_Person, p.InternalName
    from Person p
    join AADUser x on x.UID_Person = p.UID_Person
    WHERE (x.Id = '2faeafc1-eff7-4ef6f91dd77') and (p.IsInActive = 0) and (p.xmarkedfordeletion & 3 = 0) and (p.IsTemporaryDeactivated = 0)

    So, this seems to work.  Not sure of the repercussions of this however.

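A small model of the claim-to-user matching that the two comments above describe (an added example, not One Identity's code; the claim dictionaries are constructed from the scrubbed trace above, and the AADUser rows are invented sample data). It shows why 'upn' and 'oid' fail when the UserInfo response is the claim source, why 'oid' resolves once the id_token is used, and, unlike the last-row-wins behaviour reported in the thread, it refuses an email that matches more than one AADUser row.

```python
# Claims as listed in the id_token trace above (constructed, values shortened).
ID_TOKEN_CLAIMS = {
    "email": "Thisisanothertest@onmicrosoft.com",
    "preferred_username": "Thisisanothertest@onmicrosoft.com",
    "oid": "2faeafc1-e",
    "tid": "d314e404-ab1",
}

# Assumed shape of an Entra UserInfo response: sub/name/email only,
# no 'upn' and no 'oid' (the limitation both comments run into).
USERINFO_CLAIMS = {
    "sub": "oxAx_ZgaF-Lb1bZHntM0oZU",
    "name": "Thisisanothertest",
    "email": "Thisisanothertest@onmicrosoft.com",
}

# Sample AADUser rows (constructed): the same home-tenant email synced
# into two tenants, so an Email lookup is ambiguous.
AAD_USERS = [
    {"Id": "2faeafc1-e", "UID_Person": "P-home",
     "Email": "Thisisanothertest@onmicrosoft.com",
     "UserPrincipalName": "Thisisanothertest@onmicrosoft.com"},
    {"Id": "7c0d0000-b", "UID_Person": "P-guest",
     "Email": "Thisisanothertest@onmicrosoft.com",
     "UserPrincipalName": "Thisisanothertest_onmicrosoft.com#EXT#@guest.example"},
]


def claims_source(userinfo_endpoint_configured: bool) -> dict:
    """Mirror of the trace: endpoint configured -> UserInfo response,
    empty endpoint -> claims taken from the id_token."""
    return USERINFO_CLAIMS if userinfo_endpoint_configured else ID_TOKEN_CLAIMS


def authenticate(search_claim: str, column: str, userinfo_endpoint_configured: bool):
    """Look up the configured search claim and match it to an AADUser column.
    Returns (True, UID_Person) on a unique match, else (False, reason)."""
    claims = claims_source(userinfo_endpoint_configured)
    value = claims.get(search_claim)
    if value is None:
        # Same failure the trace shows: the claim is absent from the source.
        return False, f"Claim '{search_claim}' was not found."
    hits = [u for u in AAD_USERS if u[column] == value]
    if not hits:
        return False, f"No AADUser row where {column} = {value!r}"
    if len(hits) > 1:
        # Refuse rather than silently picking the last row.
        return False, f"{len(hits)} AADUser rows match {column} = {value!r}; ambiguous"
    return True, hits[0]["UID_Person"]
```
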
Children
  • You could have just removed the user info endpoint from Designer for this configured Identity Provider. If this is populated then we will go to the User Info Endpoint but if you leave it empty then we get it from the token. The user info endpoint is not required to be populated. The problem with Entra ID's user info endpoint is that it is very limited in the claims that it provides - even Microsoft recommends not to use it - learn.microsoft.com/.../userinfo