Social based authentication to Facebook fails with NAM 4.1

  • 7016820
  • 04-Sep-2015
  • 04-Sep-2015


NetIQ Access Manager 4.1
Social Authentication class enabled at Identity Server
Users login via Facebook accounts


Access Manager setup and working fine. Needed to role out a new application, accelerated by the Access Gateway, where users could authenticate via Social Class with Facebook. This worked great for the last few months but as of a few weeks ago the web application developers are seeing abnormal behaviour in the sense that the browser loops trying to enable a session without success.

Facebook appear to have updated the OAuth APIs and changed the permission management, which may be causing the issue.Looking at the IDP catalina.out details we can see the following exception:


<amLogEntry> 2015-09-02T15:04:47Z VERBOSE NIDS Application: Executing authentication method Facebook-PrototipoLabAngular </amLogEntry>, Line: 175, Method: verifyResponse, Line: 102, Method: verifyResponse, Line: 188, Method: doVerifyResponse, Line: 178, Method: verifyResponse, Line: 184, Method: connect

y, Line: 2584, Method: F

y, Line: 2675, Method: E

y, Line: 618, Method: doAuthenticate

y, Line: 1650, Method: authenticate

y, Line: 1639, Method: A

Fiddler also shows that thestatus returned includes the following message:


error_message Invalid Scopes: publish_stream. This message is only shown to developers. Users of your app will ignore these permissions if present. Please read the documentation for valid permissions at:


There is a newer socialauth build from github (open source provider of solution) that fixes the problem available at Download it and copy the socialauth-4.9.jar (remove the socialauth-4.4.jar NAM currently ships with) to the IDP server (/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib/) and restart the IDP server.

Fix will be included in 4.2.