NetIQ Access Manager NIDP server returns "invalid_code: code invalid or already used" on OAuth Access Token request

  • 7021386
  • 13-Sep-2017
  • 15-Jan-2019


Environment

  • Access Manager 4.3.2
  • Access Manager 4.4.0


Situation

  • Requesting an OAuth Access Token (Authorization Code Grant flow) fails.
  • The NIDP server returns the error:
            "error_description":"invalid_code: code invalid or already used"
  • The problem only shows up in a clustered environment; the same request works fine against a single NIDP server node.
  • The OAuth web client does not send any NAM session cookie (such as the NIDP server's JSESSIONID cookie) that would keep its requests on the same cluster node.


Resolution

  • The issue has been reported to engineering.
  • A fix has been added to NAM 4.4.1.
  • A fix will be added to NAM 4.3.3.


Cause

Since SP2, an issued authorization code can only be redeemed once. In a clustered environment the problem appears when the NIDP cluster node that authenticated the user and issued the authorization code goes down and the OAuth client is switched to another cluster node for the Access Token request: that node has no record of the code and rejects it as invalid or already used.
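To make the failure mode concrete, here is an added Python model of a two-node NIDP cluster issuing single-use authorization codes; it is example code, not NetIQ's, and the node names, client id, redirect URI, error object and the dict standing in for a cluster-wide code store are all constructed assumptions.

```python
import secrets
import time

# Model of a NIDP cluster node (added example, not NetIQ code). Each node
# writes single-use authorization codes into `store`; with no store given
# the node keeps a private dict, which reproduces the failover problem.
# A dict shared by all nodes stands in for a cluster-wide code store.
ERROR = {"error": "invalid_grant",
         "error_description": "invalid_code: code invalid or already used"}

class NidpNode:
    def __init__(self, name, store=None):
        self.name = name
        self.codes = {} if store is None else store

    def issue_code(self, client_id, redirect_uri, ttl=60):
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "issued_by": self.name, "expires": time.time() + ttl}
        return code

    def token_request(self, code, client_id, redirect_uri):
        # pop() consumes the code, so a replay gets the same error as an
        # unknown code: the single-use rule introduced with SP2.
        entry = self.codes.pop(code, None)
        if entry is None:
            return dict(ERROR)
        # The code is bound to the client and redirect URI it was issued for.
        if (entry["client_id"], entry["redirect_uri"]) != (client_id, redirect_uri):
            return dict(ERROR)
        if entry["expires"] < time.time():
            return dict(ERROR)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def failover_scenario(shared_store):
    """Node A issues the code and goes down; the token request lands on node B."""
    store = {} if shared_store else None
    node_a = NidpNode("node-a", store)
    node_b = NidpNode("node-b", store)
    code = node_a.issue_code("demo-client", "https://app.example/callback")
    return node_b.token_request(code, "demo-client", "https://app.example/callback")

def replay_scenario():
    """Same node, same code redeemed twice: the second attempt must fail."""
    node = NidpNode("node-a")
    code = node.issue_code("demo-client", "https://app.example/callback")
    first = node.token_request(code, "demo-client", "https://app.example/callback")
    second = node.token_request(code, "demo-client", "https://app.example/callback")
    return first, second
```

`failover_scenario(False)` returns the article's error because node B never saw the code, while `failover_scenario(True)` succeeds and `replay_scenario()` shows the single-use rule still holds with a shared store.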

Additional Information


Enable OAuth debug logging:

  • Enable the following NIDP cluster logging options:
       Enable File Logging
       Echo To Console
       Component File Logger Levels:
          Application: OAuth & OpenID Connect = debug

  • Edit the NIDP server logging config file (vi /opt/novell/nids/lib/webapp/WEB-INF/classes/) and apply the following settings:
# Set root logger priority to FATAL and its only appender to CONSOLE.
#log4j.rootCategory=FATAL, CONSOLE
log4j.rootCategory=DEBUG, CONSOLE

# CONSOLE is set to be a ConsoleAppender using a PatternLayout.
log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n
# added for OAuth debugging