OIDC using ForgeRock failing in the callback

We are trying to do a PoC with Apigee acting as an identity facade for authentication and authorization, using ForgeRock as the IDP. Our initial authorize call seems to be working fine, and the 302 redirect to the ForgeRock login page for user credentials is also successful. But once ForgeRock does the callback, we see a failure in the OAuthV2-GenerateAuthCode call saying "invalid request".

For creating an OAuth / OpenID Connect proxy for ForgeRock, we are leveraging an example provided by Kurt and updated it with our internal ForgeRock IDP values.

See: https://github.com/kurtkanaskie/oidc-v1-google-demo

Error response:

{
    "fault": {
        "faultstring": "invalid_request",
        "detail": {
            "errorcode": "invalid_request"
        }
    }
}

Debug Error:

            {
                "name": "error.cause",
                "value": "Redirection URI is required"
            },
            {
                "name": "error.class",
                "value": "com.apigee.oauth.v2.TokenGenerationException"
            },
            {
                "name": "state",
                "value": "PROXY_REQ_FLOW"
            },
            {
                "name": "type",
                "value": "ErrorPoint"
            },
            {
                "name": "error",
                "value": "invalid_request"
            },
            {
                "name": "Identifier",
                "value": "fault"
            }
        ]
    },

Are we missing any config in the flow, such as setting the client app URL for the redirect of the authorization code? If yes, where do we set it?


"Redirection URI is required" is a hint.

It looks like the callback does not include the redirect_uri parameter. Apigee is insisting that it does include that parameter.

You didn't show the effective callback URL -- what you get at runtime. Maybe check that.

Hi Dino - Below is the callback URI that is available at runtime. Not sure if Apigee looks for a specific query parameter named redirect_uri in the callback?

/oidc-google/v1/oauth/callback?code=wh23235553456546F5eAFu60YeNpgI&iss=https%3A%2F%2Fsecureqat.tope.net%3A443%2Fsso%2Foauth2%2Frealms%2Froot%2Frealms%2Fmain&state=code%20dd457673-69a7-46ce-8624-2ec74f345340b95&client_id=apigee-soc

Yes, I believe redirect_uri is the thing that is missing.

For some reason the ForgeRock system is not providing that. The original OAuth spec says that the redirect_uri parameter is required in the callback URL if multiple redirect URIs are registered for the app. (cite)

[screenshot of the OAuth spec text: screenshot-20220203-091043.png]

The spec does not say that the redirect_uri is required in all cases. The Apigee policy is more strict than the specification, and is rejecting the callback because it is missing the redirect_uri parameter. But you may be able to work around that problem.

This is what the Apigee doc says:

[screenshot of the Apigee doc text: screenshot-20220203-091355.png]

So if you use redirect_uri in the original /authorize request, then the callback also needs to include redirect_uri.

The workarounds might be:

  • Specify more than one redirect URI in the configuration of the app in ForgeRock. This may induce ForgeRock to include the redirect_uri in the callback.
  • Omit the redirect_uri from the /authorize (kickoff) call.
  • Specify the redirect_uri in the /token call, in the same way you specify it in the call to /authorize.

Give that a try?

Hi Dino - We got the /authorize and /token calls working in the OIDC 3-legged flow with ForgeRock. When we do a refresh token, we are failing with the below error in Apigee X before hitting ForgeRock for the external refresh token call.

Reference API proxy provided by Kurt: https://github.com/kurtkanaskie/oidc-v1-google-demo

{
    "fault": {
        "faultstring": "Invalid API call as no apiproduct match found",
        "detail": {
            "errorcode": "keymanagement.service.InvalidAPICallAsNoApiProductMatchFound"
        }
    }
}

We are passing the refresh_token, client_id and grant_type as "refresh_token" in the form params. Are we missing anything in terms of configuration in the API proxy?

I think that proxy needs to be included in an API Product. I don't know what the proxy is doing, but there are some things, some policies, that if included in a proxy, imply that the proxy needs to be within an API product.

Hi Dino - created a support ticket on it. We are using the same path and HTTP method for the access token and refresh token, just with a different grant_type. The access token works, but the refresh token call fails with the error "Invalid API call as no apiproduct match found". If we completely remove the operations from the API product, then even the refresh token call works, so we are temporarily testing without any operations mentioned in the API product.

Also, for single page applications, do we have any standard logout and revoke token process? Our ForgeRock team needs to provide a post_logout_redirect_uri in their config, and the same needs to be passed by the client app/Apigee in the revoke/endSession call. In the case of a single page application, does Apigee have any default logout page that we could provide as part of the logout redirect for the client?