Hello IBM Folks,
we are currently facing a problem when an OpenID OP redirects the user agent (browser) to the relying party configured on a traditional WebSphere 9. The OP redirects the browser after a successful authorization with the redirect URI containing the authorization code. We get the following exception:
[12.07.22 16:48:41:498 MESZ] 00000c25 RelyingParty E CWTAI2007E: Die OpenID Connect-Relying Party (RP) hat bei der Anmeldung einen Fehler festgestellt. Ausnahme: [ResponseCode: 400]. Suchen Sie in den Protokollen nach den Einzelheiten, die zu dieser Ausnahme geführt haben.
[12.07.22 16:48:41:499 MESZ] 00000c25 WebAuthentica E SECJ0126E: Trust Association failed during validation. The exception is com.ibm.websphere.security.WebTrustAssociationFailedException: CWTAI2007E: Die OpenID Connect-Relying Party (RP) hat bei der Anmeldung einen Fehler festgestellt. Ausnahme: [ResponseCode: 400]. Suchen Sie in den Protokollen nach den Einzelheiten, die zu dieser Ausnahme geführt haben.
at com.ibm.ws.security.oidc.client.RelyingParty.getTokensFromProvider(RelyingParty.java:914)
at com.ibm.ws.security.oidc.client.RelyingParty.handleSigninCallback(RelyingParty.java:718)
at com.ibm.ws.security.oidc.client.RelyingParty.negotiateValidateandEstablishTrust(RelyingParty.java:334)
at com.ibm.ws.security.web.TAIWrapper.negotiateAndValidateEstablishedTrust(TAIWrapper.java:103)
at com.ibm.ws.security.web.WebAuthenticator.handleTrustAssociation(WebAuthenticator.java:440)
at com.ibm.ws.security.web.WebAuthenticator.authenticate(WebAuthenticator.java:3156)
at com.ibm.ws.security.web.WebCollaborator.SetAuthenticatedSubjectIfNeeded(WebCollaborator.java:3552)
at com.ibm.ws.security.web.WebCollaborator.authorize(WebCollaborator.java:862)
at com.ibm.ws.security.web.EJSWebCollaborator.preInvoke(EJSWebCollaborator.java:450)
at com.ibm.ws.webcontainer.collaborator.WebAppSecurityCollaboratorImpl.preInvoke(WebAppSecurityCollaboratorImpl.java:230)
at com.ibm.wsspi.webcontainer.collaborator.CollaboratorHelper.preInvokeCollaborators(CollaboratorHelper.java:436)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1101)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4238)
at com.ibm.ws.webcontainer.webapp.WebAppImpl.handleRequest(WebAppImpl.java:2210)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1033)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:382)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:465)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:532)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:318)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:558)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:608)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:985)
at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1074)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
. Make sure that the setup is correct and that the user credentials are valid.
Can you give us advice on where we should look to solve this problem?
Thank you and kind regards
Thomas
------------------------------
Thomas Mayr
------------------------------
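The stack trace above fails in RelyingParty.getTokensFromProvider, i.e. while the RP redeems the authorization code at the OP's token endpoint, and the RP log only reports the HTTP status. The following added example (not from the post above or from IBM) replays that exchange with the same parameters and surfaces the OAuth error body the OP returns, mapped to the RP settings usually worth rechecking; the endpoint, client id, secret and redirect URI are hypothetical placeholders.

```python
import base64
import json
from urllib import error, parse, request

# Constructed placeholders: replace with the OP's metadata and the RP's registration.
TOKEN_ENDPOINT = "https://op.example.test/oauth2/token"          # hypothetical
CLIENT_ID = "websphere-rp"                                        # hypothetical
CLIENT_SECRET = "rp-secret-placeholder"                           # hypothetical
REDIRECT_URI = "https://rp.example.test/oidcclient/redirect/rp"  # hypothetical

# RFC 6749 section 5.2 error codes and the RP-side cause each one usually points to.
OAUTH_ERROR_HINTS = {
    "invalid_grant": "code expired or already redeemed, or redirect_uri differs from the authorization request",
    "invalid_client": "client_id/client_secret mismatch or wrong client authentication method",
    "invalid_request": "grant_type, code or redirect_uri missing or malformed",
    "unauthorized_client": "this client is not allowed to use the authorization_code grant",
    "unsupported_grant_type": "the OP does not accept grant_type=authorization_code for this client",
}

def build_token_request(code: str) -> request.Request:
    """Build the same authorization-code exchange the RP performs (client_secret_basic)."""
    body = parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }).encode()
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return request.Request(TOKEN_ENDPOINT, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })

def explain_token_error(status: int, body: bytes) -> str:
    """Turn a 4xx token-endpoint response into a readable diagnosis."""
    try:
        err = json.loads(body.decode())
    except ValueError:
        return f"HTTP {status}: non-JSON body {body[:200]!r}"
    code = err.get("error", "unknown")
    hint = OAUTH_ERROR_HINTS.get(code, "non-standard error code; check the OP's documentation")
    return f"HTTP {status}: {code} ({err.get('error_description', 'no description')}) -> {hint}"

def exchange_code(code: str) -> str:
    """Send the exchange; return the token JSON or a diagnosis of the 4xx failure."""
    try:
        with request.urlopen(build_token_request(code), timeout=10) as resp:
            return resp.read().decode()
    except error.HTTPError as e:  # a 400 lands here; the body carries the real reason
        return explain_token_error(e.code, e.read())
```

Run it with a freshly issued code copied from the redirect URI; a code is single-use, so capture it before the RP redeems it, and compare the OP's error_description with the RP's configured redirect URI and client credentials.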