IBM Verify

IBM Verify Identity Access - Can't add groups claim in id_token if user has more than 7 groups

    Posted 4 hours ago

    Hi,

    We have deployed IVIA 11 on an OpenShift cluster and configured an OIDC provider and an OAuth2 client. Everything works as expected, but the groups claim isn't added to the id_token if the user has more than 7 groups in Verify Directory Server. Is there any limitation on the number of groups returned in the id_token?

    I observed the log entries below in the runtime pod.

    {"type":"liberty_message","host":"verifyaccess-runtime-75488889c4-8dwln","ibm_userDir":"\/opt\/ibm\/wlp\/usr\/","ibm_serverName":"runtime","message":"org.postgresql.util.PSQLException: ERROR: value too long for type character varying(256)\n\tat org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2676)\n\tat org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2366)\n\tat org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:356)\n\tat org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:496)\n\tat org.postgresql.jdbc.PgStatement.execute(PgStatement.java:413)\n\tat org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:190)\n\tat org.postgresql.jdbc.PgPreparedStatement.executeUpdate(PgPreparedStatement.java:152)\n\tat java.base\/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)\n\tat java.base\/java.lang.reflect.Method.invoke(Unknown Source)\n\tat org.postgresql.ds.PGPooledConnection$StatementHandler.invoke(PGPooledConnection.java:441)\n\tat jdk.proxy12.$Proxy46.executeUpdate(Unknown Source)\n\tat com.ibm.ws.rsadapter.jdbc.WSJdbcPreparedStatement.executeUpdate(WSJdbcPreparedStatement.java:522)\n\tat com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils$TokenExtraAttrDAO.insertOrUpdateAttribute(OAuthMappingExtUtils.java:393)\n\tat com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils.associate(OAuthMappingExtUtils.java:1442)\n\tat com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils.associate(OAuthMappingExtUtils.java:1405)\n\tat java.base\/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)\n\tat java.base\/java.lang.reflect.Method.invoke(Unknown Source)\n\tat org.mozilla.javascript.MemberBox.invoke(MemberBox.java:213)\n\tat org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:211)\n\tat org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)\n\tat 
org.mozilla.javascript.gen.OIDC_ProviderPostTokenGeneration_11._c_script_0(OIDC_ProviderPostTokenGeneration:694)\n\tat org.mozilla.javascript.gen.OIDC_ProviderPostTokenGeneration_11.call(OIDC_ProviderPostTokenGeneration)\n\tat org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:383)\n\tat org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3940)\n\tat org.mozilla.javascript.gen.OIDC_ProviderPostTokenGeneration_11.call(OIDC_ProviderPostTokenGeneration)\n\tat org.mozilla.javascript.gen.OIDC_ProviderPostTokenGeneration_11.exec(OIDC_ProviderPostTokenGeneration)\n\tat 

    Thanks

    Regards

    SK



    ------------------------------
    Someswara Reddy Karem
    ------------------------------