WebSphere Application Server & Liberty

  • 1.  OIDC with WebSphere

    Posted Tue March 05, 2019 06:39 AM
    Hello community

    ISAM is configured with OAuth/OIDC, authentication is working using e.g. JWT.IO.


    Now, when configuring "OpenID Connect Relying Party" in WebSphere Application Server following the documentation, I get an "Authorization failed" error message:
    https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_oidconfigure.html




    Security roles are properly set and shouldn't be the issue IMO; access_token, id_token and LTPA token are created and present.

    [3/4/19 18:12:11:068 CET] 00000097 WebCollaborat 3 Saving previous subject Subject:
    Principal: https://2fa.timetodemo.com/bernhard.hensler@timetoact.de
    Public Credential: com.ibm.ws.security.auth.WSCredentialImpl@b4ddf3eb
    Private Credential: {com.ibm.wsspi.security.cred.securityName=bernhard.hensler@timetoact.de, com.ibm.wsspi.security.cred.cacheKey=bernhard.hensler@timetoact.de-254386928-1808907307, com.ibm.wsspi.security.cred.uniqueId=user:https://2fa.timetodemo.com/bernhard.hensler@timetoact.de, token_type=bearer, access_token=cIaf8gIDvVABA9J5f4Es, id_token=eyJraWQiOiJfdWhQZGVHclRXeG9iRmVIMFhiempKcFJyenAzQ0I5bmtueDF5RlYxRy0wIiwiYWxnIjoiUlMyNTYifQ.eyJydF9oYXNoIjoiVU9YdW95TExSVHFDdmdMTGhPU2RDZyIsImlhdCI6MTU1MTcxOTUzMCwiaXNzIjoiaHR0cHM6Ly8yZmEudGltZXRvZGVtby5jb20iLCJhdF9oYXNoIjoiYkF1eG9zanlyQ01KTFM5aUJmY1VPQSIsInN1YiI6ImJlcm5oYXJkLmhlbnNsZXJAdGltZXRvYWN0LmRlIiwiZXhwIjoxNTUxNzIzMTMwLCJhdWQiOiJPSURDVGVzdCJ9.dTe_Ka_DZjH2nBejGn1MGW6fkpFZ7Ssw6Wa7rOpmVTTVgoj2bUdjt5Wfb90rjKCBz1bD5ULBAyKCR9cJ_f8xBwbl91zWZfVex6qNkletgUqBpCGMkSPRyEI2lcEgq63Xq45KQ2ymopqiwF2KSY09wwWQRBa1NAyQKwy7BtYf1DthuzqpFDTw_Mhc-4QimwD0VUryaLnR2WLiyKYPA_UdfGsT1v4_MQwvvUpWEWhnnfW1K0DQxnQIySsoDl-3H0eQcUFlHKTChVgxvWT6c7ONUq7L0Amn9AuLnJKXg3v9YLF-Tm2C9eVJlyI5VosMOGzLORKq50EQuBqWoYz9Mk22tg, com.ibm.wsspi.security.cred.realm=https://2fa.timetodemo.com, com.ibm.wsspi.security.cred.groups=[], refresh_token=OvN73FkhEFUJuBsXYqrDPG5I4lNbfPYJygFNJNFc}
    Private Credential: com.ibm.ws.security.token.SingleSignonTokenImpl@eeb86e25
    Private Credential: com.ibm.ws.security.token.AuthenticationTokenImpl@6c1059fb
    Private Credential: com.ibm.ws.security.token.AuthorizationTokenImpl@6a8242bd


    [3/4/19 18:12:11:070 CET] 00000097 WebCollaborat 3 checkAuthorization() failed, here is the message in the exception: Authorization failed, Not granted any of the required roles: All Role
    [3/4/19 18:12:11:070 CET] 00000097 WebCollaborat A SECJ0129E: Authorization failed for user bernhard.hensler@timetoact.de:https://2fa.timetodemo.com while invoking GET on default_host://snoop, Authorization failed, Not granted any of the required roles: All Role


    Cookies present in Firefox:


    Does anyone have an idea how to circle this issue in? Tracing and log files don't help me any further.

    In addition, I still lack some understanding regarding the "OIDC Login" button on the login page: doing an OIDC login doesn't return anything. Is that behaviour wanted, or maybe even a wrong configuration on my side?


    Thanks
    bernhard

    PS: this topic had also been added to the IAM forum!

    ------------------------------
    Bernhard Hensler
    ------------------------------


  • 2.  RE: OIDC with WebSphere

    Posted Tue March 05, 2019 11:30 AM
    Can you first click:
    Applications > Application types > WebSphere enterprise applications > application_name. Under Detail Properties, click Security role to user/group mapping.
    Then check whether you mapped the role to "All Authenticated in Trusted Realm"?

    ------------------------------
    Chunlong Liang
    ------------------------------



  • 3.  RE: OIDC with WebSphere
    Best Answer

    Posted Thu March 07, 2019 08:23 AM
    The trick in my case was to add the OIDC iss to WebSphere's "Global Security > Federated Repository > Trusted authentication realms - inbound" and to the "provider_<id>.issuerIdentifier" in the TAI configuration for the OIDC RP partner.

    ------------------------------
    Bernhard Hensler
    ------------------------------