OAuth apps fail after upgrading from 4.1 to 4.2 due to expired authorization code

  • 7017249
  • 11-Feb-2016
  • 11-Feb-2016

Environment

NetIQ Access Manager 4.2

Situation

Access Manager 4.1.1 setup with OAuth/OpenID Connect applications enabled and all working well. The applications use the Authorization Code flow: they retrieve an authorization code and then exchange it for an access token.
The environment is then upgraded to Access Manager 4.2 (Administration Console only initially) and all OAuth applications fail. Users are prompted to log in and to authorize the requested scopes, but then get an application error.
Fiddler traces show that the authorization code was delivered to the application before the error. The application is responsible for taking the code and sending it to the token endpoint on the IDP server to exchange it for an access token.
Looking at the IDP catalina log files, we could see that the authorization code was sent to the token endpoint to retrieve an access token, but that the following error was returned:

<amLogEntry> 2016-02-10T16:38:01Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 7523 * Server has received a request on thread http-nio-172.24.248.100-8443-exec-3
7523 > POST https://login.netiq.com/nidp/oauth/nam/token
7523 > accept: application/json, application/x-www-form-urlencoded
7523 > authorization: Basic NxxxxxxxxxxxxxxxxxxxxxxxxxxxxB
7523 > cache-control: no-cache
7523 > connection: keep-alive
7523 > content-length: 730
7523 > content-type: application/x-www-form-urlencoded
7523 > host: login.netiq.com
7523 > pragma: no-cache
7523 > user-agent: Java/1.8.0_40
</amLogEntry>
<amLogEntry> 2016-02-10T16:38:01Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.NIDPKeyService: Searching enc key with alias name=OAuth2_Enc_key_0 </amLogEntry>
<amLogEntry> 2016-02-10T16:38:01Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.NIDPKeyService: Searching signing key with alias name=OAuth2_Signing_key_0 </amLogEntry>
<amLogEntry> 2016-02-10T16:38:01Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenServiceImpl: Generate Authorization token success </amLogEntry>
<amLogEntry> 2016-02-10T16:38:01Z WARNING NIDS Session Logger: com.novell.nam.nidp.oauth.core.M: invalid_grant. authorization code expired </amLogEntry>


The IDP rejected the authorization code as expired even though the clocks on all nodes were in sync, so this was not a time-skew problem between the Administration Console and the IDP servers.

Resolution

There are two possible solutions:

a) upgrade the Administration Console and all IDP servers at the same time
b) if all IDP servers cannot be upgraded at the same time as the Administration Console, go to the OAuth global settings and set the timeouts to a very high value, e.g. 9999999999. When all IDP servers have been upgraded to 4.2, set the timeouts back to their original values. While the workaround is in place, authorization codes and tokens are valid for much longer than the original settings allowed, so restore the original values as soon as the last IDP server has been upgraded.

Cause

A schema change in 4.2 converted the OAuth timeouts to milliseconds. Until the JAR files on the IDP servers are updated to match, a 4.1.1 IDP applies the value written by the 4.2 Administration Console at the wrong scale: an authorization code that should live for the configured number of seconds effectively expires a fraction of a second after it is issued, before the application can present it at the token endpoint. The workaround assigns timeouts large enough that they remain generous even when read at the millisecond scale, i.e. a factor of 1000 smaller than intended.
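As an added example (not part of this TID or of the Access Manager product), the following Python script covers both the log symptom from the Situation section and the unit mismatch from the Cause section: it scans catalina entries in the <amLogEntry> format quoted above for token-endpoint requests that end in the "invalid_grant. authorization code expired" warning, and it computes the lifetime an IDP would actually enforce for a stored timeout when the value is read at the wrong scale. The log excerpt is constructed from the entries quoted above plus an invented successful exchange for contrast; the function names find_expired_code_exchanges, effective_lifetime_seconds and workaround_is_safe, and the modelling of the mismatch as a factor of 1000, are my assumptions, not the product's code.

```python
import re
from datetime import timedelta

# Constructed sample in the <amLogEntry> layout of the IDP catalina log quoted
# in the Situation section. Request 7523 on thread exec-3 is the failing
# exchange from the page; request 7524 on thread exec-5 is an invented
# successful exchange added for contrast.
SAMPLE_LOG = """\
<amLogEntry> 2016-02-10T16:38:01Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 7523 * Server has received a request on thread http-nio-172.24.248.100-8443-exec-3 7523 > POST https://login.netiq.com/nidp/oauth/nam/token 7523 > authorization: Basic NxxxxxxxxxxxxxxxxxxxxxxxxxxxxB 7523 > content-type: application/x-www-form-urlencoded 7523 > host: login.netiq.com </amLogEntry>
<amLogEntry> 2016-02-10T16:38:01Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.NIDPKeyService: Searching enc key with alias name=OAuth2_Enc_key_0 </amLogEntry>
<amLogEntry> 2016-02-10T16:38:01Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenServiceImpl: Generate Authorization token success </amLogEntry>
<amLogEntry> 2016-02-10T16:38:01Z WARNING NIDS Session Logger: com.novell.nam.nidp.oauth.core.M: invalid_grant. authorization code expired </amLogEntry>
<amLogEntry> 2016-02-10T16:38:05Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 7524 * Server has received a request on thread http-nio-172.24.248.100-8443-exec-5 7524 > POST https://login.netiq.com/nidp/oauth/nam/token 7524 > host: login.netiq.com </amLogEntry>
<amLogEntry> 2016-02-10T16:38:05Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenServiceImpl: Generate Authorization token success </amLogEntry>
"""

# One <amLogEntry> record: timestamp, level, logger class, free-text message.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>\w+)\s+NIDS Session Logger:\s*"
    r"(?P<logger>\S+?):\s*(?P<msg>.*?)\s*</amLogEntry>",
    re.DOTALL,
)
# The "Server has received a request" line carries the request id, the thread
# and, further on, the request line with the URL that was hit.
REQUEST_RE = re.compile(
    r"(?P<rid>\d+) \* Server has received a request on thread (?P<thread>\S+)"
    r".*?\bPOST (?P<url>\S+)",
    re.DOTALL,
)
TOKEN_ENDPOINT = "/nidp/oauth/nam/token"


def parse_entries(log_text):
    """Yield (timestamp, level, logger, message) for each <amLogEntry> record."""
    for m in ENTRY_RE.finditer(log_text):
        yield m.group("ts"), m.group("level"), m.group("logger"), m.group("msg")


def find_expired_code_exchanges(log_text):
    """Return token-endpoint requests that ended in 'authorization code expired'.

    The WARNING from ...oauth.core.M carries no request id, so it is attributed
    to the most recent token-endpoint POST logged before it. That is exact for
    the quoted excerpt and a fair approximation on a quiet server; on a busy
    one, split the log per thread before running this.
    """
    failures = []
    current = None
    for ts, level, logger, msg in parse_entries(log_text):
        req = REQUEST_RE.search(msg)
        if req and TOKEN_ENDPOINT in req.group("url"):
            current = {"request_id": req.group("rid"), "thread": req.group("thread"),
                       "timestamp": ts, "url": req.group("url")}
        elif level == "WARNING" and "invalid_grant" in msg and "expired" in msg and current:
            failures.append(dict(current, reason=msg))
            current = None  # one verdict per token request
    return failures


def effective_lifetime_seconds(stored_value, scale_mismatch):
    """Lifetime in seconds that an IDP enforces for a stored OAuth timeout.

    Assumption (modelled on the Cause section, not taken from product code):
    a not-yet-upgraded 4.1.1 IDP applies the value written by the 4.2
    Administration Console at a scale 1000 times smaller than intended.
    """
    return stored_value / 1000.0 if scale_mismatch else float(stored_value)


def workaround_is_safe(stored_value, observed_round_trip_seconds):
    """True when the value still outlives the time between code issuance and
    the application's token request even under the scale mismatch."""
    return effective_lifetime_seconds(stored_value, True) > observed_round_trip_seconds


if __name__ == "__main__":
    for f in find_expired_code_exchanges(SAMPLE_LOG):
        print(f"{f['timestamp']} request {f['request_id']} on {f['thread']}: {f['reason']}")
    for value in (60, 9999999999):
        secs = effective_lifetime_seconds(value, scale_mismatch=True)
        print(f"stored {value} -> enforced {timedelta(seconds=secs)} on a 4.1.1 IDP")
```

Run against a real catalina.out, the first loop lists every token exchange the IDP refused with the expired-code warning; the second loop shows why the workaround value works: 60 read at the wrong scale is 0.06 seconds, which no application round trip can beat, while 9999999999 read the same way is still about 115 days.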