IBM Security Verify

  • 1.  Exception not caught with wrong clientId in OIDC code flow

    Posted Mon August 12, 2019 10:19 AM
    Hello Community,

    In ISAM 9.0.5, when we put a wrong clientId in the authorize request, this error is not caught.

    https://host/mga/sps/oauth/oauth20/authorize?scope=openid&response_type=code&redirect_uri=https://host/sign-up/callback&client_id=Mskg1rR5jefQPLBXm&state=state


    In the trace file, there is:
    [8/12/19 16:03:31:766 CEST] 0000deaa id= com.tivoli.am.fim.oauth20.util.OAuth20ContextHelper E getOAuth20Client FBTOAU203E The client with identifier: [Mskg1rR5jefQPLBXm] could not be found.
    [8/12/19 16:03:31:767 CEST] 0000deaa id= com.tivoli.am.fim.oauth20.util.OAuth20ContextHelper I getOAuth20Client com.tivoli.am.fim.oauth20.exception.OAuth20InvalidClientException: FBTOAU203E The client with identifier: [Mskg1rR5jefQPLBXm] could not be found.
    at com.tivoli.am.fim.oauth20.util.OAuth20ContextHelper.getOAuth20Client(OAuth20ContextHelper.java:235)
    at com.tivoli.am.fim.oauth20.util.OAuth20ContextHelper.getOAuth20Client(OAuth20ContextHelper.java:185)
    at com.tivoli.am.fim.oauth20.protocol.delegates.OAuth20AuthorizationDelegate.handleFromInitialRequest(OAuth20AuthorizationDelegate.java:629)
    at com.tivoli.am.fim.oauth20.protocol.delegates.OAuth20AuthorizationDelegate.processRequest(OAuth20AuthorizationDelegate.java:134)
    at com.tivoli.am.fim.fedmgr2.proper.FederationManager.doInitialRequestOnDelegate(FederationManager.java:424)
    at com.tivoli.am.fim.fedmgr2.proper.FederationManager.finishProcessingWithDelegateId(FederationManager.java:264)
    at com.tivoli.am.fim.fedmgr2.proper.FederationManager.processRequest(FederationManager.java:154)
    at com.tivoli.am.fim.fedmgr2.servlet.SSOPSServletBase.doRequest(SSOPSServletBase.java:129)
    at com.tivoli.am.fim.fedmgr2.servlet.SPSCommandDispatcher.invoke(SPSCommandDispatcher.java:390)


    Is there a specific configuration or code to catch this error?
    Thanks in advance for your help.




    ------------------------------
    Romuald Blondel
    ------------------------------


  • 2.  RE: Exception not caught with wrong clientId in OIDC code flow

    Posted Wed August 21, 2019 03:46 AM
    You can customize the error page template to deal with this.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
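    The protocol rule behind that error page, as an added example (Python, written for this thread; it is not ISAM or IBM code and does not show how ISAM's templates work): RFC 6749 section 4.1.2.1 says that when the client_id is missing or unknown, or the redirect_uri is missing or does not match the registration, the authorization server MUST NOT redirect the user agent to the supplied redirect_uri, because that URI is not yet trusted. It has to inform the user directly, which is exactly why an unknown client_id surfaces as a server-rendered page rather than as an `error=` parameter on the callback. Only after client and redirect_uri are validated may remaining errors (bad response_type, bad scope) be returned by redirect with `state` echoed. The client registry, the registered redirect URI and the error reason strings below are constructed assumptions for the example.

    ```python
    """Added example: error dispatch for an OAuth 2.0 / OIDC authorize request.

    Shows the RFC 6749 4.1.2.1 split: unknown client or unregistered redirect_uri
    -> error page (never redirect); trusted client -> error returned via redirect.
    The client registry is constructed sample data, not a real deployment.
    """
    from dataclasses import dataclass
    from typing import Optional
    from urllib.parse import parse_qs, urlencode, urlparse

    # Constructed sample registry (hypothetical client_id and redirect_uri).
    CLIENTS = {
        "web-app-1": {"redirect_uris": {"https://host/sign-up/callback"}},
    }


    @dataclass
    class Response:
        kind: str                      # "error_page" or "redirect"
        status: int
        location: Optional[str] = None  # Location header for redirects
        reason: Optional[str] = None    # error code / reason shown or returned


    def handle_authorize(url: str) -> Response:
        """Dispatch an authorize request URL to an error page or a redirect."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client_id = q.get("client_id")
        redirect_uri = q.get("redirect_uri")
        state = q.get("state")

        # 1. client_id and redirect_uri are checked first. Failures here must be
        #    rendered to the user; redirecting would send the error (and state)
        #    to an address nobody has vouched for.
        client = CLIENTS.get(client_id) if client_id else None
        if client is None:
            return Response("error_page", 400, reason="unknown client_id")
        if redirect_uri not in client["redirect_uris"]:
            return Response("error_page", 400, reason="redirect_uri not registered")

        # 2. redirect_uri is now trusted: remaining errors go back to the client
        #    as query parameters, with state echoed (RFC 6749 4.1.2.1).
        def redirect_error(code: str) -> Response:
            params = {"error": code}
            if state is not None:
                params["state"] = state
            return Response("redirect", 302,
                            location=f"{redirect_uri}?{urlencode(params)}",
                            reason=code)

        if q.get("response_type") != "code":
            return redirect_error("unsupported_response_type")
        if "openid" not in set(q.get("scope", "").split()):
            return redirect_error("invalid_scope")

        # Success path: a real server would authenticate the user and mint a
        # code here; the placeholder value only marks the shape of the response.
        params = {"code": "PLACEHOLDER"}
        if state is not None:
            params["state"] = state
        return Response("redirect", 302, location=f"{redirect_uri}?{urlencode(params)}")


    if __name__ == "__main__":
        # The request from the original post: unknown client -> error page, no redirect.
        print(handle_authorize(
            "https://host/mga/sps/oauth/oauth20/authorize?scope=openid&response_type=code"
            "&redirect_uri=https://host/sign-up/callback&client_id=Mskg1rR5jefQPLBXm&state=state"))
    ```

    The point for the thread is the first branch: a request with a client_id that is not registered can only ever end in a page the server renders itself, so that page (however the product lets you template it) is the only place the behaviour can be controlled.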



  • 3.  RE: Exception not caught with wrong clientId in OIDC code flow

    Posted Wed August 21, 2019 05:11 AM
    Thanks for your answer.
    We found a workaround
    We decided to block this request with our WAF, as it's an HTTP 500.



    ------------------------------
    Romuald Blondel
    ------------------------------