Social based authentication to Facebook fails with NAM 4.1

  • 7016820
  • 04-Sep-2015
  • 04-Sep-2015

Environment

NetIQ Access Manager 4.1
Social Authentication class enabled at Identity Server
Users login via Facebook accounts

Situation

Access Manager was set up and working fine. A new application, accelerated by the Access Gateway, needed to be rolled out where users could authenticate via the Social Class with Facebook. This worked well for the last few months, but as of a few weeks ago the web application developers are seeing abnormal behaviour: the browser loops trying to establish a session without success.

Facebook appear to have updated the OAuth APIs and changed the permission management, which may be causing the issue. Looking at the IDP catalina.out details we can see the following exception:

<amLogEntry> 2015-09-02T15:04:47Z VERBOSE NIDS Application: Executing authentication method Facebook-PrototipoLabAngular </amLogEntry>

OAuth2.java, Line: 175, Method: verifyResponse
OAuth2.java, Line: 102, Method: verifyResponse
FacebookImpl.java, Line: 188, Method: doVerifyResponse
FacebookImpl.java, Line: 178, Method: verifyResponse
SocialAuthManager.java, Line: 184, Method: connect
y, Line: 2584, Method: F
y, Line: 2675, Method: E
y, Line: 618, Method: doAuthenticate
y, Line: 1650, Method: authenticate
y, Line: 1639, Method: A

Fiddler also shows that the status returned includes the following message:

error_message Invalid Scopes: publish_stream. This message is only shown to developers. Users of your app will ignore these permissions if present. Please read the documentation for valid permissions at: https://developers.facebook.com/docs/facebook-login/permissions

Resolution

A newer socialauth build that fixes the problem is available from the open source provider on GitHub at https://github.com/3pillarlabs/socialauth#whats-new-in-version-49. Download it, copy socialauth-4.9.jar to the IDP server (/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib/), remove the socialauth-4.4.jar that NAM currently ships with, and restart the IDP server.
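The following script is an added example, not part of this TID or of NetIQ's tooling. It checks that the jar swap above was completed on the IDP server (and that the 4.4 and 4.9 jars are not both left on the classpath) and counts the FacebookImpl doVerifyResponse frames shown above in catalina.out; the lib path is the one from the TID, while the catalina.out location is an assumption that can be overridden with CATALINA_OUT.

```shell
#!/bin/sh
# Added example (not from the TID): verify the socialauth jar swap on the NAM 4.1
# Identity Server and count the Facebook verifyResponse failures in catalina.out.
# NIDP_LIB is the path given in the TID; the catalina.out location is an assumption.
NIDP_LIB="${NIDP_LIB:-/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib}"
CATALINA_OUT="${CATALINA_OUT:-/opt/novell/nam/idp/logs/catalina.out}"

# socialauth_jar_state LIBDIR -> prints one of:
#   old      only the shipped socialauth-4.4.jar is present (login loop persists)
#   fixed    socialauth-4.9.jar present and 4.4 removed, as the TID requires
#   mixed    both jars present; two socialauth versions on the classpath is not a
#            supported state, remove the 4.4 jar before restarting the IDP
#   missing  neither jar found (wrong path, or Social Class not installed)
socialauth_jar_state() {
  has_old=0; has_new=0
  [ -e "$1/socialauth-4.4.jar" ] && has_old=1
  [ -e "$1/socialauth-4.9.jar" ] && has_new=1
  if [ "$has_old" = 1 ] && [ "$has_new" = 1 ]; then echo mixed
  elif [ "$has_new" = 1 ]; then echo fixed
  elif [ "$has_old" = 1 ]; then echo old
  else echo missing
  fi
}

# facebook_verify_failures LOGFILE -> number of FacebookImpl doVerifyResponse
# frames, the stack signature the TID shows for the failing Social Class login.
# Prints 0 when the log is unreadable or has no matches (grep -c exits 1 then).
facebook_verify_failures() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c 'FacebookImpl.java.*Method: doVerifyResponse' "$1" || true
}

printf 'socialauth jar state in %s: %s\n' "$NIDP_LIB" "$(socialauth_jar_state "$NIDP_LIB")"
printf 'Facebook verifyResponse failures in %s: %s\n' "$CATALINA_OUT" \
  "$(facebook_verify_failures "$CATALINA_OUT")"
```

Run it once before the swap (expect "old" and a non-zero failure count) and again after the restart (expect "fixed"); a "mixed" result means the old jar was not removed.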

The fix will be included in NAM 4.2.