Original Message:
Sent: Tue September 02, 2025 08:17 AM
From: Matt Jenkins
Subject: IBM Verify Identity Access - Can't add groups claim in id_token if user has more than 7 groups
I have increased that column size on both Oracle and PostgreSQL with no issues. It works fine to get you working quickly.
I will caution, however, that I feel updating the code to separate the groups out into separate entries to be stored is a better solution (which shamefully I have not had time to do). The reason is long-term maintainability. For example, I had one instance where a database was migrated to a different platform, and they rebuilt it using the original schema file from the ISAM appliance. Of course, that schema file from the appliance did not have the column size change. Fast forward a couple of weeks and I started getting calls asking why some users could not access applications, and we traced it down to their groups claim being empty because they had too many groups and the write to the table failed because the column wasn't big enough (simply updating the column size again resolved the issue). The other thing is, you cannot modify the internal HVDB on virtual appliances if you are using one, even for a lab, so that is another limitation.
Granted, on the flip side, a lot of custom modifications to the mapping rules can be tedious for teams to manage. However, that is almost impossible to avoid if you are doing anything more than plain, simple OAuth/OIDC with no frills, which isn't practical in today's development landscape.
------------------------------
Matt Jenkins
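An added example, not from this thread or from IBM's product code, that models the two options discussed above: the attr_value varchar(256) limit from the \d output, a pre-flight check for the "value too long" failure, and Matt's alternative of splitting the groups list across several attribute rows (attribute names like groups.0, groups.1 are an assumption; the group DNs are constructed sample values).

```python
import json

# Width of attr_value in oauth20_token_extra_attribute, as shown by \d in the thread.
ATTR_VALUE_MAX = 256

# Constructed sample groups (LDAP-style DNs); 7 of these fit in one row, 8 do not.
SAMPLE_GROUPS = [f"cn=role-{i:02d},ou=groups,o=example" for i in range(1, 11)]


def groups_claim_value(groups):
    """Serialize the groups claim as a single attribute row would store it."""
    return json.dumps(groups, separators=(",", ":"))


def fits_column(value, width=ATTR_VALUE_MAX):
    """Pre-flight check mirroring PSQL's 'value too long for type character varying(256)'."""
    return len(value) <= width


def max_groups_that_fit(groups, width=ATTR_VALUE_MAX):
    """How many of these groups can be stored in one row before the insert would fail."""
    n = 0
    while n < len(groups) and fits_column(groups_claim_value(groups[:n + 1]), width):
        n += 1
    return n


def split_groups_claim(groups, width=ATTR_VALUE_MAX, prefix="groups"):
    """Split the groups into several rows (hypothetical names groups.0, groups.1, ...),
    each a JSON array that fits the column width. Returns {attr_name: attr_value}."""
    rows, chunk = {}, []
    for g in groups:
        candidate = chunk + [g]
        if fits_column(groups_claim_value(candidate), width):
            chunk = candidate
            continue
        if not chunk:
            raise ValueError(f"single group does not fit in {width} chars: {g}")
        rows[f"{prefix}.{len(rows)}"] = groups_claim_value(chunk)
        chunk = [g]
    if chunk:
        rows[f"{prefix}.{len(rows)}"] = groups_claim_value(chunk)
    return rows


def merge_groups_claim(rows, prefix="groups"):
    """Reassemble the full groups list, in chunk order, when building the id_token."""
    keys = sorted((k for k in rows if k.startswith(prefix + ".")),
                  key=lambda k: int(k.rsplit(".", 1)[1]))
    return [g for k in keys for g in json.loads(rows[k])]
```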
Original Message:
Sent: Mon September 01, 2025 05:56 PM
From: Someswara Reddy Karem
Subject: IBM Verify Identity Access - Can't add groups claim in id_token if user has more than 7 groups
Hi Nick & Tom,
Thanks for your prompt reply.
When I try to increase the column size, I observed that the attr_value type is character varying(256). If I increase it to 512 or a higher number, do you see any issues? Is it the best approach?
\d oauth20_token_extra_attribute
Table "public.oauth20_token_extra_attribute"
Column | Type | Collation | Nullable | Default
-----------------+-----------------------------+-----------+----------+-------------
state_id | character varying(256) | | not null |
attr_name | character varying(256) | | not null |
attr_value | character varying(256) | | |
sensitive | character(1) | | | 'N'::bpchar
read_only | character(1) | | | 'N'::bpchar
last_updated_at | timestamp without time zone | | |
Indexes:
"oauth20_token_extra_attribute_pkey" PRIMARY KEY, btree (state_id, attr_name)
"extraattr_name" btree (attr_name)
"extraattr_state_id" btree (state_id)
Check constraints:
"oauth20_token_extra_attribute_read_only_check" CHECK (read_only = ANY (ARRAY['Y'::bpchar, 'N'::bpchar]))
"oauth20_token_extra_attribute_sensitive_check" CHECK (sensitive = ANY (ARRAY['Y'::bpchar, 'N'::bpchar]))
Thanks
Regards
SK
------------------------------
Someswara Reddy Karem
Original Message:
Sent: Wed August 27, 2025 10:26 AM
From: Nick Lloyd
Subject: IBM Verify Identity Access - Can't add groups claim in id_token if user has more than 7 groups
This is not an uncommon issue in general for the various HVDB tables. As Tom noted, the DBA can increase the size of the column.
------------------------------
Nick
IBM Verify Customer Support
Original Message:
Sent: Tue August 26, 2025 07:49 PM
From: Someswara Reddy Karem
Subject: IBM Verify Identity Access - Can't add groups claim in id_token if user has more than 7 groups
Hi,
We have deployed IVIA 11 on an OpenShift cluster and configured an OIDC provider and an OAuth2 client. Everything works as expected, but the groups claim is not added to the id_token if the user has more than 7 groups in Verify Directory Server. Is there any limitation on the number of groups that can be returned in the id_token?
I observed the log entries below in the runtime pod.
{"type":"liberty_message","host":"verifyaccess-runtime-75488889c4-8dwln","ibm_userDir":"\/opt\/ibm\/wlp\/usr\/","ibm_serverName":"runtime","message":"org.postgresql.util.PSQLException: ERROR: value too long for type character varying(256)\n\tat org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2676)\n\tat org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2366)\n\tat org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:356)\n\tat org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:496)\n\tat org.postgresql.jdbc.PgStatement.execute(PgStatement.java:413)\n\tat org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:190)\n\tat org.postgresql.jdbc.PgPreparedStatement.executeUpdate(PgPreparedStatement.java:152)\n\tat java.base\/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)\n\tat java.base\/java.lang.reflect.Method.invoke(Unknown Source)\n\tat org.postgresql.ds.PGPooledConnection$StatementHandler.invoke(PGPooledConnection.java:441)\n\tat jdk.proxy12.$Proxy46.executeUpdate(Unknown Source)\n\tat com.ibm.ws.rsadapter.jdbc.WSJdbcPreparedStatement.executeUpdate(WSJdbcPreparedStatement.java:522)\n\tat com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils$TokenExtraAttrDAO.insertOrUpdateAttribute(OAuthMappingExtUtils.java:393)\n\tat com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils.associate(OAuthMappingExtUtils.java:1442)\n\tat com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils.associate(OAuthMappingExtUtils.java:1405)\n\tat java.base\/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)\n\tat java.base\/java.lang.reflect.Method.invoke(Unknown Source)\n\tat org.mozilla.javascript.MemberBox.invoke(MemberBox.java:213)\n\tat org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:211)\n\tat org.mozilla.javascript.optimizer.OptRuntime.callN(OptRuntime.java:52)\n\tat org.mozilla.javascript.gen.OIDC_ProviderPostTokenGeneration_11._c_script_0(OIDC_ProviderPostTokenGeneration:694)\n\tat org.mozilla.javascript.gen.OIDC_ProviderPostTokenGeneration_11.call(OIDC_ProviderPostTokenGeneration)\n\tat org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:383)\n\tat org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3940)\n\tat org.mozilla.javascript.gen.OIDC_ProviderPostTokenGeneration_11.call(OIDC_ProviderPostTokenGeneration)\n\tat org.mozilla.javascript.gen.OIDC_ProviderPostTokenGeneration_11.exec(OIDC_ProviderPostTokenGeneration)\n\tat
Thanks
Regards
SK
------------------------------
Someswara Reddy Karem
------------------------------