WebSphere Liberty openIdConnectClient - Azure - 403 Forbidden - azure

Problem: Access to the sample Liberty application testpage is redirected to Azure and the user authentication is successful (verified via fiddler trace). However, authorization fails with Error 403: error=access_denied
The WAS-Liberty profile (17.0.0.1) openConnectClient has been configured to use Azure for authorization.
There is a WebSphere APAR PI52604 which describes a similar issue and adds a parameter encodeParameters=true.
PI52604: OPENID CONNECT SSO WITH ACTIVE DIRECTORY FAILS WITH 403 FORBIDDEN
http://www-01.ibm.com/support/docview.wss?uid=swg1PI52604
Question: Is there a similar fix for WAS-Liberty (17.0.0.1) that adds the parameter encodeParameters=true?

There's no equivalent property in Liberty at present. If you're in a position to open a PMR with IBM, that would be the best way to get this addressed.

Related

404 error while accessing token service of Azure B2C

I am trying to call the REST service for getting an idToken from an Azure B2C application using the following URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token?p={POLICY}
I am passing all the required parameters in the payload:
grant_type=authorization_code&client_id={ClientID}&scope=https://{tenant}.onmicrosoft.com/api/read openid offline_access&code={AUTH_CODE}&redirect_uri={REDIRECT_URI}&client_secret={CLIENT_KEY}
The same approach is working on one environment but returns
404 : The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
when accessing from another environment.
What am I missing here? Any Azure configuration that I need to check?
Your request looks good. So the key point of this issue should not be on the B2C side.
This error generally means that the file you are looking for is not present on the server or the web.config file is not configured properly.
As the approach is working on one environment but failing for another, you should check the web.config file which is in the failing environment to see if it is configured correctly.
See a similar question here.

Azure ADv2 - token.botframework.com resource not found

I have a bot hosted in Azure which uses AADv2 authentication. The authentication was working perfectly until today, when it started throwing an error ("The resource you are looking for has been removed, had its name changed, or is temporarily unavailable") although I didn't change anything in the bot code or configuration.
I believe it is related to Azure rather than the bot's code, since I tested the connection from the Azure OAuth Settings and it gives me the same error page:
"The resource you are looking for has been removed, had its name changed, or is temporarily unavailable".
This is where I test my connection:
I followed the instructions given by Microsoft to implement AADv2 in a bot:
Registered an app in apps.dev.microsoft as a Web Platform with redirect URL: https://token.botframework.com/.auth/web/redirect
Added OAuth Connection Setting to my bot
I believe it is not relevant, but just in case: the bot is developed with NodeJS using the BotFrameworkv4.
Everything seems to work fine now.
We didn't change anything in the code before or after the error and the authentication is back to normal again. I suppose it was an AAD internal error.
Microsoft answered the issue opened by #thomasmartinsen above, apparently there was a faulty service instance causing this problem, it is now repaired.

Azure Web App Authentication / Authorization issue

I am trying to authenticate my Azure Web App, following this doc.
In my Azure Portal, I've selected "Authenticate / Authorization" for my Web App.
After I configure my Microsoft Account Authentication Settings with the Client ID/Key from the App Registration page and save the settings page, I see an error.
The error says:
Failed to save Auth Settings for WebApp App:
{
  "Code": "Conflict",
  "Message": "Cannot update the site 'WebApp' because Authentication / Authorization was configured with an invalid issuer URL ''. The URL must be well-formed, absolute, and use the HTTPS scheme.",
  "Target": null,
  "Details": [
    {
      "Message": "Cannot update the site 'WebApp' because Authentication / Authorization was configured with an invalid issuer URL ''. The URL must be well-formed, absolute, and use the HTTPS scheme."
    },
    {
      "Code": "Conflict"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "04530",
        "MessageTemplate": "Cannot update the site '{0}' because Authentication / Authorization was configured with an invalid issuer URL '{1}'. The URL must be well-formed, absolute, and use the HTTPS scheme.",
        "Parameters": ["WebApp", ""],
        "Code": "Conflict",
        "Message": "Cannot update the site 'WebApp' because Authentication / Authorization was configured with an invalid issuer URL ''. The URL must be well-formed, absolute, and use the HTTPS scheme."
      }
    }
  ],
  "Innererror": null
}
I'm not sure which "invalid issuer URL" the issue is referring to.
This issue is not a general issue. This article is absolutely correct.
So I suggest you try to use another location to deploy your Web App and configure the Application again.
Also, this issue should be temporary, I have reported this.
Hope this helps!
I'm on the App Service team. This is a known issue which we are working to address - the behavior should be temporary. Our apologies for any issues this has caused.
I do not recommend the solution of moving to another region, as this is not guaranteed to work, and sites that do see resolution in this way may break again.
Please find our recommended workaround instructions in my response to this forum post.
For me it worked to add AAD as an auth provider with the default setting even though I'm not using it. I was then able to save my Facebook auth settings. This is a temporary workaround.
This answer is from this discussion. Editing the "issuer" field is not working for me.

Liferay Integration with OpenAM using Active Directory

I am configuring Liferay with OpenAM using Active Directory as the LDAP server.
The problem I am facing is that if I configure OpenAM to authenticate using AD, I get the following error in Liferay -
07:52:17,962 DEBUG [http-bio-8080-exec-15][OpenSSOUtil:146] Attributes response code 500
07:52:17,962 DEBUG [http-bio-8080-exec-15][OpenSSOAutoLogin:132] Validating user information for null null with screen name null and email address null
07:52:17,962 ERROR [http-bio-8080-exec-15][AutoLoginFilter:261] Current URL /web/guest/home?p_p_state=maximized&p_p_mode=view&saveLastPath=false&_58_struts_action=%2Flogin%2Flogin&p_p_id=58&p_p_lifecycle=0&_58_redirect=%2Fc generates exception: com.liferay.portal.security.auth.AutoLoginException: java.lang.Exception: Email address is null
On OpenAM side there is no error.
The steps I followed are -
Configure AD in Liferay and enable it
Configure SSO in Liferay through portal-ext file
Enable pass-through authentication in OpenAM.
I don't see any errors in the OpenAM logs.
The only issue I see is in Liferay logs.
The following works -
Liferay + AD
Liferay + OpenAM using OpenDJ
Let me know if anyone knows what can be done to fix the issue.
The error you show seems to indicate that the mapping between your OpenAM server data and the Liferay one isn't correct. Look at the properties "open.sso.screen.name.attr" and similar in your portal.
Also keep in mind that you need to activate the LDAP sync on your Liferay server so the users are created and Liferay can match them with the OpenAM data.

Multi-legged sign-out from Office 365 / Windows Azure Active Directory

I have a scenario where we use Thinktecture Identity Server (IdSrv) as both an R-STS and an IP-STS, as well as an O365 / WAAD tenant as an additional IP-STS. The user chooses which Identity Provider to use via the Home Realm Discovery functionality in IdSrv.
Now, implementing a unified WS-Federation wsignout from the RP is difficult, since I can't get the sign-out process to work properly against WAAD (against the Thinktecture IP-STS it works fine):
Sorry, but we're having trouble signing you out.
We received a bad sign-out request.
If you wish to sign-out, please click the following link.
ACS20028: The requested redirection URL is invalid.
Well, the wreply URL parameter points to the RP, which the WAAD instance has no knowledge of.
If I try to follow the Sign-Out link, I get
Sorry, but we're having trouble signing you out.
We received a bad request.
ACS20026: The wtrealm parameter is missing or incorrect.
I've tried to modify the URL directly so that its wreply points to the IdSrv (which really is an RP of the WAAD), but I can't get it to work.
Has anyone gotten this to work?
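To make the two ACS errors above concrete, here is an added illustration (not code from the post, from Thinktecture or from WAAD) of the checks an STS applies to a wsignout1.0 request: wtrealm must name a registered relying party, and wreply must be an absolute HTTPS URL registered for that realm. The endpoint, realm, reply URLs and registration table are constructed sample values; only IdSrv is registered at the "WAAD" side, mirroring the situation described in the question.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample registration table for the WAAD-side STS: the IdSrv realm
# is a known relying party with one registered reply URL; the application RP
# is not registered there at all.
WAAD_REGISTRATIONS = {
    "https://idsrv.example.test/": ["https://idsrv.example.test/wsfed/callback"],
}


def build_signout_url(sts_endpoint: str, wtrealm: str, wreply: str) -> str:
    """Compose a WS-Federation wsignout1.0 request against an STS endpoint."""
    params = {"wa": "wsignout1.0", "wtrealm": wtrealm, "wreply": wreply}
    return f"{sts_endpoint}?{urlencode(params)}"


def check_signout_request(url: str, registrations: dict) -> str:
    """Return 'ok' or the reason a reply-URL-checking STS would refuse it."""
    query = parse_qs(urlsplit(url).query)
    if query.get("wa") != ["wsignout1.0"]:
        return "not a sign-out request"
    realm = query.get("wtrealm", [""])[0]
    if not realm or realm not in registrations:
        return "wtrealm missing or unknown"        # compare ACS20026 above
    reply = query.get("wreply", [""])[0]
    parts = urlsplit(reply)
    if parts.scheme != "https" or not parts.netloc:
        return "wreply is not an absolute https URL"
    if reply not in registrations[realm]:
        return "wreply not registered for realm"   # compare ACS20028 above
    return "ok"


if __name__ == "__main__":
    sts = "https://login.example.test/wsfed"
    # The RP's own wreply is unknown to the WAAD side, so the request is refused.
    rp_attempt = build_signout_url(sts, "https://idsrv.example.test/",
                                   "https://rp.example.test/signout")
    print(check_signout_request(rp_attempt, WAAD_REGISTRATIONS))
    # A sign-out that returns to the registered IdSrv reply URL passes.
    idsrv_leg = build_signout_url(sts, "https://idsrv.example.test/",
                                  "https://idsrv.example.test/wsfed/callback")
    print(check_signout_request(idsrv_leg, WAAD_REGISTRATIONS))
```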
