WebSphere Application Server & Liberty


Redirect to OpenID Relying Party fails with SECJ0126E: Trust Association failed during validation

  • 1.  Redirect to OpenID Relying Party fails with SECJ0126E: Trust Association failed during validation

    Posted Tue July 12, 2022 11:32 AM
    Hello IBM Folks,

    We are currently facing a problem when an OpenID OP redirects the user agent (browser) to the relying party configured on a traditional WebSphere 9. The OP redirects the browser after a successful authorization with the redirect URI containing the authorization code. We get the following exception:

    [12.07.22 16:48:41:498 MESZ] 00000c25 RelyingParty E CWTAI2007E: The OpenID Connect Relying Party (RP) encountered an error during sign-in. Exception: [ResponseCode: 400]. Check the logs for the details that led to this exception.
    [12.07.22 16:48:41:499 MESZ] 00000c25 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: The OpenID Connect Relying Party (RP) encountered an error during sign-in. Exception: [ResponseCode: 400]. Check the logs for the details that led to this exception.
    at com.ibm.ws.security.oidc.client.RelyingParty.getTokensFromProvider(RelyingParty.java:914)
    at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:718)
    at com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidateandEstablishTrust(RelyingParty.java:334)
    at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)
    at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:440)
    at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:3156)
    at com.ibm.ws.security.web.WebCollaborator.SetAuthenticatedSubjectIfNeeded(WebCollaborator.java:3552)
    at com.ibm.ws.security.web.WebCollaborator.authorize(WebCollaborator.java:862)
    at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:450)
    at com.ibm.ws.webcontainer.collaborator.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:230)
    at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:436)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1101)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4238)
    at com.ibm.ws.webcontainer.webapp.WebAppImpl.handleRequest(WebAppImpl.java:2210)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1033)
    at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
    at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:558)
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:608)
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:985)
    at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1074)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
    . Make sure that the setup is correct and that the user credentials are valid.

    Can you give us advice on where we should look to solve this problem?

    Thank you and kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------


  • 2.  RE: Redirect to OpenID Relying Party fails with SECJ0126E: Trust Association failed during validation

    Posted Wed July 13, 2022 05:46 AM
    Hello,

    We solved this problem! The access-token endpoint was not correctly configured in the RP interceptor (the URL contained a blank).

    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------
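A preflight check for the kind of misconfiguration described in the answer above, added here as an example and not code from IBM or from the original post. The OIDC RP TAI reports the token-endpoint failure only as CWTAI2007E with ResponseCode 400 and SECJ0126E on the TAI layer, so it pays to lint the interceptor's custom properties before testing the login flow. The script assumes the per-provider property names provider_1.tokenEndpointUrl, provider_1.authorizeEndpointUrl, provider_1.clientId, provider_1.clientSecret and provider_1.identifier (the naming scheme used by the WebSphere OIDC RP TAI; treat the exact names as an assumption and adapt them to your configuration), and the sample properties are constructed to contain the embedded blank from the post.

```python
"""Preflight lint for WebSphere OpenID Connect RP TAI custom properties.

Added example, not IBM code. Property names such as provider_1.tokenEndpointUrl
are assumed to follow the WebSphere OIDC RP TAI naming scheme; adapt as needed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample configuration: the token endpoint URL carries an embedded
# blank, as in the post above, which makes the OP answer the code exchange
# with an HTTP 400.
SAMPLE_PROPERTIES = """
provider_1.identifier=myop
provider_1.clientId=was-rp
provider_1.clientSecret=changeit
provider_1.authorizeEndpointUrl=https://op.example.com/oauth2/authorize
provider_1.tokenEndpointUrl=https://op.example.com/oauth2 /token
provider_1.interceptedPathFilter=/app/.*
"""

# Properties whose value must be a well-formed https URL (assumed names).
URL_KEYS = ("authorizeEndpointUrl", "tokenEndpointUrl", "jwkEndpointUrl", "issuerIdentifier")
# Properties every provider entry needs for the authorization-code flow (assumed names).
REQUIRED = ("identifier", "clientId", "clientSecret", "authorizeEndpointUrl", "tokenEndpointUrl")


def parse_properties(text):
    """Parse 'provider_<n>.<prop>=<value>' lines into {provider: {prop: raw value}}.

    Values are kept verbatim (no strip) so that stray whitespace is visible to the checks.
    """
    providers = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(provider_\d+)\.(\w+)", key.strip())
        if not m:
            continue
        providers.setdefault(m.group(1), {})[m.group(2)] = value
    return providers


def check_url(value):
    """Return the list of findings for one endpoint URL value (empty list means OK)."""
    findings = []
    if value != value.strip():
        findings.append("leading/trailing whitespace")
    if re.search(r"\s", value.strip()):
        findings.append("embedded whitespace")
    parts = urlsplit(value.strip())
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, expected https")
    if not parts.netloc:
        findings.append("no host")
    if re.search(r"[^\x20-\x7e]", value):  # anything outside printable ASCII
        findings.append("non-printable/non-ASCII characters")
    return findings


def lint(text):
    """Return {provider: {property: [findings]}} containing only the problems found."""
    report = {}
    for pid, props in parse_properties(text).items():
        issues = {}
        for key in REQUIRED:
            if key not in props or not props[key].strip():
                issues[key] = ["missing or empty"]
        for key in URL_KEYS:
            if key in props:
                found = check_url(props[key])
                if found:
                    issues[key] = found
        if issues:
            report[pid] = issues
    return report


if __name__ == "__main__":
    for pid, issues in lint(SAMPLE_PROPERTIES).items():
        for key, found in issues.items():
            print(f"{pid}.{key}: {', '.join(found)}")
```

Running the script against the sample reports `provider_1.tokenEndpointUrl: embedded whitespace` and nothing else; with the blank removed the report is empty. Because the WebSphere admin console does not strip or validate the value, a copied URL with a stray space or a non-breaking character survives into the TAI configuration and only surfaces as the generic 400 during the code-for-token exchange.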



  • 3.  RE: Redirect to OpenID Relying Party fails with SECJ0126E: Trust Association failed during validation

    Posted Thu July 20, 2023 01:42 AM

    hi Thomas,

    We are currently working on an SSO configuration with ForgeRock Open Client and we are facing the same issue. There is no additional space in the authorization URL or the token URL. Our understanding of the current issue is that the OP is not able to validate the certificate passed from the WAS RP while generating the authorization token. If we explicitly send the certificate as a header in cURL or Postman, we are able to generate the access token, whereas the call routed from WebSphere fails. Any pointers on configuring WAS with OpenClient will be of great help, TIA.

    Regards,

    Karthick Ramanujam.



    ------------------------------
    Karthick Ramanujam
    ------------------------------