NetIQ Access Manager NIDP server returns "400 Bad Request" on OAuth Access Token Request

  • 7021384
  • 13-Sep-2017
  • 13-Sep-2017


Environment

Access Manager 4.3.1
Access Manager 4.3.2


Situation

  • NetIQ Access Manager 4.3.x IDP server cluster configured for OAuth

  • The Access Token request fails as soon as the client is switched to another cluster node, reporting the error:

    HTTP Status 400 - Bad Request
    Status report

    Bad Request

    The request sent by the client was syntactically incorrect.

  • The NIDP Server catalina.out reports

    <amLogEntry> 2017-09-13T12:07:51Z DEBUG NIDS Application:
    Method: JNDILogEventListener.accept
    Thread: ajp-bio-
    getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>

    <amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#9CBE4302EF3DDAA3:  Error updating user accout status after calling Login Policy Check LDAP Extension for user cn=admin,o=novell on user store DUS-LAB-NPS. Error code: -1659. </amLogEntry>

    <amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenEndpoint: null </amLogEntry>

    <amLogEntry> 2017-09-13T12:07:51Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 88 * Server responded with a response on thread ajp-bio-
    88 < 400
    88 < Content-Type: text/plain
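One way to scan a node's catalina.out for this signature, added here as an example that is not part of the article: it parses amLogEntry records (including ones wrapped over several lines) and correlates the AM#100105005 Login Policy Check error with a TokenEndpoint failure logged in the same second. The sample input is the excerpt above, constructed with the truncated last entry closed so that it parses.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the catalina.out excerpt quoted in this article, with the
# truncated last entry closed so that it parses (wrapped entries are kept as-is).
SAMPLE_LOG = """\
<amLogEntry> 2017-09-13T12:07:51Z DEBUG NIDS Application:
Method: JNDILogEventListener.accept
Thread: ajp-bio-
getNextConnection() attempting to get preferred replica from the IPreferredReplica interface </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Application: AM#100105005: AMDEVICEID#9CBE4302EF3DDAA3:  Error updating user accout status after calling Login Policy Check LDAP Extension for user cn=admin,o=novell on user store DUS-LAB-NPS. Error code: -1659. </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z SEVERE NIDS Session Logger: com.novell.nam.nidp.oauth.core.TokenEndpoint: null </amLogEntry>
<amLogEntry> 2017-09-13T12:07:51Z INFO NIDS Session Logger: com.novell.nam.nidp.oauth.nidp.servlets.OAuthApplication: 88 * Server responded with a response on thread ajp-bio-
88 < 400
88 < Content-Type: text/plain </amLogEntry>
"""

ENTRY_RE = re.compile(r"<amLogEntry>\s*(\S+)\s+(\w+)\s+(.*?)</amLogEntry>", re.DOTALL)
# Login Policy Check failure written by the NIDP server (AM#100105005): capture user, store and code.
POLICY_ERR_RE = re.compile(r"AM#100105005:.*?for user (\S+) on user store (\S+)\. Error code: (-?\d+)")

@dataclass
class Entry:
    ts: str
    level: str
    body: str   # whitespace-normalised text following the log level

def parse_entries(text: str) -> List[Entry]:
    """Split catalina.out text into amLogEntry records, joining wrapped lines."""
    return [Entry(ts, level, " ".join(body.split())) for ts, level, body in ENTRY_RE.findall(text)]

def find_proxy_rights_errors(text: str) -> List[dict]:
    """Flag Login Policy Check LDAP errors and whether an OAuth token request failed in the same second."""
    entries = parse_entries(text)
    findings = []
    for i, e in enumerate(entries):
        if e.level != "SEVERE":
            continue
        m = POLICY_ERR_RE.search(e.body)
        if not m:
            continue
        # A SEVERE TokenEndpoint entry with the same timestamp is the OAuth-side symptom of the same failure.
        token_failed = any(x.level == "SEVERE" and "oauth.core.TokenEndpoint" in x.body and x.ts == e.ts
                           for x in entries[i + 1:])
        findings.append({"timestamp": e.ts, "user": m.group(1), "user_store": m.group(2),
                         "error_code": int(m.group(3)), "oauth_token_request_failed": token_failed})
    return findings
```

Run it against a real catalina.out with `find_proxy_rights_errors(open(path).read())`; a finding with error code -1659 and the token flag set points at the proxy user rights described in this article.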


Resolution

Configure an LDAP proxy user with admin rights to the LDAP user store


Cause

The LDAP proxy user used to access the user store does not have admin rights to the tree, which are required by the current version of NAM.

Additional Information


Enable OAuth debug logging:

  • enable the following NIDP cluster logging options:
       Enable File Logging
       Echo To Console
       Component File Logger Levels:
          "Application:" and "OAuth & OpenID Connect:" = debug

  • edit the NIDP server logging config file (vi /opt/novell/nids/lib/webapp/WEB-INF/classes/) and apply the following settings:

    # Set root logger priority to FATAL and its only appender to CONSOLE.
    #log4j.rootCategory=FATAL, CONSOLE
    log4j.rootCategory=DEBUG, CONSOLE

    # CONSOLE is set to be a ConsoleAppender using a PatternLayout.
    log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n
    # added for OAuth debugging