IBM Verify

  • 1.  Exception not caught with wrong clientId in OIDC code flow

    Posted Mon August 12, 2019 10:19 AM
    Hello Community,

    In ISAM 9.0.5, when we put a wrong clientId in the authorize request, this error is not caught.

    https://host/mga/sps/oauth/oauth20/authorize?scope=openid&response_type=code&redirect_uri=https://host/sign-up/callback&client_id=Mskg1rR5jefQPLBXm&state=state


    In the trace file, there is:
    [8/12/19 16:03:31:766 CEST] 0000deaa id= com.tivoli.am.fim.oauth20.util.OAuth20ContextHelper E getOAuth20Client FBTOAU203E The client with identifier: [Mskg1rR5jefQPLBXm] could not be found.
    [8/12/19 16:03:31:767 CEST] 0000deaa id= com.tivoli.am.fim.oauth20.util.OAuth20ContextHelper I getOAuth20Client com.tivoli.am.fim.oauth20.exception.OAuth20InvalidClientException: FBTOAU203E The client with identifier: [Mskg1rR5jefQPLBXm] could not be found.
    at com.tivoli.am.fim.oauth20.util.OAuth20ContextHelper.getOAuth20Client(OAuth20ContextHelper.java:235)
    at com.tivoli.am.fim.oauth20.util.OAuth20ContextHelper.getOAuth20Client(OAuth20ContextHelper.java:185)
    at com.tivoli.am.fim.oauth20.protocol.delegates.OAuth20AuthorizationDelegate.handleFromInitialRequest(OAuth20AuthorizationDelegate.java:629)
    at com.tivoli.am.fim.oauth20.protocol.delegates.OAuth20AuthorizationDelegate.processRequest(OAuth20AuthorizationDelegate.java:134)
    at com.tivoli.am.fim.fedmgr2.proper.FederationManager.doInitialRequestOnDelegate(FederationManager.java:424)
    at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:264)
    at com.tivoli.am.fim.fedmgr2.proper.FederationManager.processRequest(FederationManager.java:154)
    at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(SSOPSServletBase.java:129)
    at com.tivoli.am.fim.fedmgr2.servlet.SPSCommandDispatcher.invoke(SPSCommandDispatcher.java:390)


    Is there a specific configuration or code to catch this error?
    Thanks in advance for your help.




    ------------------------------
    Romuald Blondel
    ------------------------------


  • 2.  RE: Exception not caught with wrong clientId in OIDC code flow

    Posted Wed August 21, 2019 03:46 AM
    You can customize the error page template to deal with this.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: Exception not caught with wrong clientId in OIDC code flow

    Posted Wed August 21, 2019 05:11 AM
    Thanks for your answer.
    We found a workaround.
    We decided to block this request with our WAF as it's an HTTP 500.



    ------------------------------
    Romuald Blondel
    ------------------------------
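The two answers above point at the same gap from different ends: either the error page template is customised on ISAM so the FBTOAU203E case renders cleanly, or something in front of the authorization endpoint rejects the request before it turns into a 500. The block below is an added example (not ISAM code and not code from either poster) of what that front-end check could look like as a reverse-proxy or WAF pre-filter: it parses the authorize request from the original post, looks the client_id up in a registry, requires an exact redirect_uri match, and only then lets the request through. The registry, the client name "my-spa-client" and the decision type are assumptions for the example; the authorize URL and the FBTOAU203E situation come from the post. It also shows the distinction RFC 6749 section 4.1.2.1 draws, which goes beyond the specific case in the thread: an unknown client_id or a mismatching redirect_uri must be answered locally and must never be redirected, while errors for an already validated client (for instance an unsupported response_type) are sent back to the client's redirect_uri with error and state parameters.

```python
"""Pre-authorize validation for an OAuth 2.0 / OIDC authorization request.

Added example, not part of ISAM or of the forum posts.  It emulates the check
a reverse proxy or WAF could apply in front of
/mga/sps/oauth/oauth20/authorize so that a request with an unknown client_id
is answered with a normal 400 error page instead of reaching the
authorization server and surfacing as an HTTP 500 (FBTOAU203E in the trace).
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed client registry (assumption for the example).  The redirect_uri
# is the one used in the original post; the client name is hypothetical.
REGISTERED_CLIENTS = {
    "my-spa-client": {"redirect_uris": {"https://host/sign-up/callback"}},
}

SUPPORTED_RESPONSE_TYPES = {"code", "id_token", "code id_token"}

# The authorize request from the post, with its unregistered client_id.
POSTED_URL = (
    "https://host/mga/sps/oauth/oauth20/authorize?scope=openid&response_type=code"
    "&redirect_uri=https://host/sign-up/callback&client_id=Mskg1rR5jefQPLBXm&state=state"
)


@dataclass
class Decision:
    action: str           # "forward", "error_page" or "redirect"
    status: int           # HTTP status the proxy answers with (0 = forward upstream)
    location: str = ""    # Location header, only for "redirect"
    error: str = ""
    description: str = ""


def _single(params, name):
    """Return a parameter only if it occurs exactly once (rejects missing and duplicated values)."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 else None


def _redirect_with_error(redirect_uri, error, description, state):
    """RFC 6749 4.1.2.1 error response, used only once redirect_uri has been validated."""
    query = {"error": error, "error_description": description}
    if state is not None:
        query["state"] = state
    parsed = urlparse(redirect_uri)
    new_query = (parsed.query + "&" if parsed.query else "") + urlencode(query)
    return urlunparse(parsed._replace(query=new_query))


def validate_authorize_request(url: str) -> Decision:
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    client_id = _single(params, "client_id")
    redirect_uri = _single(params, "redirect_uri")
    response_type = _single(params, "response_type")
    state = _single(params, "state")

    client = REGISTERED_CLIENTS.get(client_id) if client_id else None
    if client is None:
        # Unknown or missing client: inform the user locally, never redirect.
        return Decision("error_page", 400, error="invalid_request",
                        description="unknown or missing client_id")
    if redirect_uri not in client["redirect_uris"]:
        # Exact string comparison; a mismatch must not be redirected to either URI.
        return Decision("error_page", 400, error="invalid_request",
                        description="redirect_uri not registered for this client")
    # redirect_uri is now trusted, so remaining errors go back to the client.
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        location = _redirect_with_error(redirect_uri, "unsupported_response_type",
                                        "unsupported response_type", state)
        return Decision("redirect", 302, location=location,
                        error="unsupported_response_type")
    return Decision("forward", 0)


if __name__ == "__main__":
    print(validate_authorize_request(POSTED_URL))
```

Run as-is it prints the decision for the request from the post: a 400 error page, with no redirect. Swapping the client_id for a registered one yields "forward"; a registered client with an unsupported response_type gets a 302 back to its own redirect_uri carrying error and state. Duplicated parameters (client_id sent twice) are treated like a missing one, so parameter pollution cannot steer the lookup.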