NetIQ Access manager NIDP server returns: "400 Bad Request" on OAuth Access Token Request

  • 7021384
  • 13-Sep-2017
  • 13-Sep-2017

Environment

Access Manager 4.3.1
Access Manager 4.3.2

Situation

  • NetIQ Access Manager 4.3.x IDP server cluster configured for OAuth

  • The Access Token request fails as soon as the client is switched to another cluster node, reporting the error:

    HTTP Status 400 - Bad Request
    type: Status report
    message: Bad Request
    description: The request sent by the client was syntactically incorrect.

  • The NIDP server catalina.out reports:

    <amLogEntry> 2017-09-13T12:07:51Z DEBUG NIDS Application:
    Method: JNDILogEventListener.accept
    Thread: ajp-bio-127.0.0.1-9019-exec-16
    getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>

    <amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#9CBE4302EF3DDAA3:  Error updating user accout status after calling Login Policy Check LDAP Extension for user cn=admin,o=novell on user store DUS-LAB-NPS. Error code: -1659. </amLogEntry>

    <amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenEndpoint: null </amLogEntry>

    <amLogEntry> 2017-09-13T12:07:51Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 88 * Server responded with a response on thread ajp-bio-127.0.0.1-9019-exec-16
    88 < 400
    88 < Content-Type: text/plain

Resolution

Configure an LDAP proxy user with admin rights to the LDAP userstore.

Cause

The LDAP proxy user used to access the userstore does not have admin rights to the tree, which are required by the current version of NAM.

Additional Information

Troubleshooting:

Enable OAuth debug logging:

  • enable the following NIDP cluster logging options:
       Enable File Logging
       Echo To Console
       Component File Logger Levels: "Application" and "OAuth & OpenID Connect" = debug

  • edit the NIDP server logging config file (vi /opt/novell/nids/lib/webapp/WEB-INF/classes/log4j.properties) and apply the following settings:
==========================================================
# Set root logger priority to FATAL and its only appender to CONSOLE.
#log4j.rootCategory=FATAL, CONSOLE
log4j.rootCategory=DEBUG, CONSOLE

# CONSOLE is set to be a ConsoleAppender using a PatternLayout.
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
#log4j.appender.CONSOLE.Threshold=FATAL
log4j.appender.CONSOLE.Threshold=DEBUG
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n
#
# added for OAuth debugging
log4j.logger.org.brickred.socialauth=DEBUG
log4j.logger.org.brickred.socialauth.provider=DEBUG
==========================================================
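With debug logging enabled, the failure described in the Situation section shows up in catalina.out as a SEVERE "Error code: -1659" entry from the Login Policy Check LDAP Extension, followed within the same second by a 400 from OAuthApplication. The following script is an added example (not part of this article or of the NAM product) that parses amLogEntry blocks and pairs the two, so an operator can confirm the proxy-user rights problem across a whole log rather than reading entries by hand; the sample log is constructed from the entries quoted above, with a closing tag added to the truncated final entry.

```python
import re
from datetime import datetime

# Constructed sample modelled on the catalina.out excerpt in this article.
SAMPLE_LOG = """\
<amLogEntry> 2017-09-13T12:07:51Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-127.0.0.1-9019-exec-16
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#9CBE4302EF3DDAA3:  Error updating user accout status after calling Login Policy Check LDAP Extension for user cn=admin,o=novell on user store DUS-LAB-NPS. Error code: -1659. </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenEndpoint: null </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 88 * Server responded with a response on thread ajp-bio-127.0.0.1-9019-exec-16
88 < 400
88 < Content-Type: text/plain </amLogEntry>
"""

# One <amLogEntry> ... </amLogEntry> block: timestamp, level, free-form message.
ENTRY_RE = re.compile(r"<amLogEntry>\s*(\S+)\s+(\w+)\s+(.*?)\s*</amLogEntry>", re.S)
# The Login Policy Check LDAP Extension failure quoted in the Situation section.
LDAP_ERR_RE = re.compile(r"for user (\S+) on user store (\S+)\. Error code: (-?\d+)")
# An OAuthApplication trace whose response status line reads "<n> < 400".
HTTP_400_RE = re.compile(r"OAuthApplication.*?^\d+ < 400$", re.S | re.M)


def parse_entries(log_text):
    """Return (timestamp, level, message) tuples for every amLogEntry block."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), level, msg)
            for ts, level, msg in ENTRY_RE.findall(log_text)]


def find_proxy_rights_failures(log_text, window_seconds=5):
    """Pair each OAuth 400 response with an LDAP error -1659 logged shortly before it."""
    entries = parse_entries(log_text)
    ldap_errors = []
    for ts, level, msg in entries:
        m = LDAP_ERR_RE.search(msg)
        if level == "SEVERE" and m and int(m.group(3)) == -1659:
            ldap_errors.append((ts, m.group(1), m.group(2)))
    findings = []
    for ts, _level, msg in entries:
        if not HTTP_400_RE.search(msg):
            continue
        for err_ts, user, store in ldap_errors:
            if 0 <= (ts - err_ts).total_seconds() <= window_seconds:
                findings.append({"time": ts, "user": user, "user_store": store, "error_code": -1659})
    return findings

if __name__ == "__main__":
    for f in find_proxy_rights_failures(SAMPLE_LOG):
        print(f"{f['time']:%Y-%m-%dT%H:%M:%SZ} OAuth 400 after LDAP error {f['error_code']} for {f['user']} on {f['user_store']}: check the proxy user's rights to the tree")
```

Run it against a real catalina.out by reading the file into find_proxy_rights_failures; a non-empty result on a cluster node the client was just switched to is the pattern this article's Cause section explains.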