NetIQ Access manager NIDP server returns: "invalid_code: code invalid or already used" on OAuth Access Token request

  • 7021386
  • 13-Sep-2017
  • 15-Jan-2019

Environment

  • Access Manager 4.3.2
  • Access Manager 4.4.0

Situation

  • Requesting an OAuth Access Token (Authorization Code Grant Flow)
  • NIDP server returns the error:
    {
            "error":"invalid_code",
            "error_description":"invalid_code: code invalid or already used"
  • The problem only shows up in a clustered environment and works fine with a single NIDP server node
  • The OAuth web client does not make use of any NAM Session cookie like the JSESSIONID cookie for the NIDP server

Resolution

  • The issue has been addressed to engineering
  • a fix has been added to NAM 4.4.1 to address this issue
  • a fix will be added to NAM 4.3.3

Cause

Since SP2 an issued Authorization code can only be used once. The problem comes up in a clustered environment in case the NIDP cluster node who authenticated the user and issued the Authorization Token goes down and the OAuth client has been switched to another cluster node for running the Access Token Request.

Additional Information

Troubleshooting:

Enable OAuth debug logging:

  • enable the following NIDP cluster logging options:
       Enable File Logging
       Echo To Console,
       Component File logger Levels:
          "Application:" + "OAuth & OpenID Connect:"  = debug"

  • edit the NDIP server logging config file: vi /opt/novell/nids/lib/webapp/WEB-INF/classes/log4j.properties and apply the following settings:
==========================================================
# Set root logger priority to FATAL and its only appender to CONSOLE.
#log4j.rootCategory=FATAL, CONSOLE
log4j.rootCategory=DEBUG, CONSOLE

# CONSOLE is set to be a ConsoleAppender using a PatternLayout.
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
#log4j.appender.CONSOLE.Threshold=FATAL
log4j.appender.CONSOLE.Threshold=DEBUG
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n
#
# added for OAuth debugging
log4j.logger.org.brickred.socialauth=DEBUG
log4j.logger.org.brickred.socialauth.provider=DEBUG
==========================================================

Feedback service temporarily unavailable. For content questions or problems, please contact Support.