SiteMinder Access Gateway, Invalid or Expired OIDC Authentication Code

Article ID: 197988

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

We're running a CA Access Gateway (SPS) in an OIDC journey, and when a user
tries to authenticate, the Policy Server receives the error:

  {"error":"invalid_grant","error_description":"Authorization code expired."}

The code value seems to be correctly sent to the /token endpoint.

How can we solve this?

Cause

The browser trace shows that the error appears once the flow reaches myoidcendpoint.mydomainep.com, the client's redirect_uri, where the authorization code is redeemed at the /token endpoint:

  00:00:09.704    0.069 1063 1960 GET  Redirect to https://mysps.mydomainsps.com:9443/affwebservices/CASSO/oidc/myEndPoint/authorize?SMASSERTIONREF=QUERY&scope=openid+profile&state=FKSKKDssdasdaSesS_0YyTuNgn5O2lGDk96r9oQNCdbCw.ra-vwRtsFFs.account&response_type=code&client_id=myendpointID&redirect_uri=http%3A%2F%2Fmyoidcendpoint.mydomainep.com%3A8080%2Fauth%2Frealms%2Fbroker%2FmyendpointName%2Fendpoint&nonce=SDF44dasdsd-sAs_Dwss_dsds https://mysps.mydomainsps.com:9443/affwebservices/secure/secureredirect?scope=openid+profile&state=FKSKKDssdasdaSesS_0YyTuNgn5O2lGDk96r9oQNCdbCw.ra-vwRtsFFs.account&response_type=code&client_id=myendpointID&redirect_uri=http%3A%2F%2Fmyoidcendpoint.mydomainep.com%3A8080%2Fauth%2Frealms%2Fbroker%2FmyendpointName%2Fendpoint&nonce=SDF44dasdsd-sAs_Dwss_dsds&SMPORTALURL=dss4df4asd41w55asd212dsa%2B9FtuLvWnZpLQRDkMvChhVT7Fd1VR8w8y1g9NsObGb2MkovLwX0mS7YsgqR8sfAYPmUuGzHIFF1R1wPm4bkTUdy%2FW4NRTqM3tSicOCVP2uinl6pcKVmi%2FOTlUFKswKBrtvMsY9%2FFx
  00:00:09.836    0.047 2043 519 GET  Redirect to http://myoidcendpoint.mydomainep.com:8080/auth/realms/broker/myendpointName/endpoint?nonce=SDF44dasdsd-sAs_Dwss_dsds&code=DsFGSfDSasasdasdsDS1adsd000sdYmQ3LTgzYjEtMDA3ZmZmMWYxNDFkLXN3ekkyYyt6NGJKd1NXZWVsTVpTdi9OTW1LMD0%3D&state=FKSKKDssdasdaSesS_0YyTuNgn5O2lGDk96r9oQNCdbCw.ra-vwRtsFFs.account https://mysps.mydomainsps.com:9443/affwebservices/CASSO/oidc/myEndPoint/authorize?SMASSERTIONREF=QUERY&scope=openid+profile&state=FKSKKDssdasdaSesS_0YyTuNgn5O2lGDk96r9oQNCdbCw.ra-vwRtsFFs.account&response_type=code&client_id=myendpointID&redirect_uri=http%3A%2F%2Fmyoidcendpoint.mydomainep.com%3A8080%2Fauth%2Frealms%2Fbroker%2FmyendpointName%2Fendpoint&nonce=SDF44dasdsd-sAs_Dwss_dsds
  00:00:09.920  1  0.301 2760 2092 GET  html http://myoidcendpoint.mydomainep.com:8080/auth/realms/broker/myendpointName/endpoint?nonce=SDF44dasdsd-sAs_Dwss_dsds&code=DsFGSfDSasasdasdsDS1adsd000sdYmQ3LTgzYjEtMDA3ZmZmMWYxNDFkLXN3ekkyYyt6NGJKd1NXZWVsTVpTdi9OTW1LMD0%3D&state=FKSKKDssdasdaSesS_0YyTuNgn5O2lGDk96r9oQNCdbCw.ra-vwRtsFFs.account

FWSTrace.log

  [08/14/2020][08:42:56][1340][3988][19366fc9-99b03f11-24564b8c-a8b7c854-41374e23-11a]
  [TokenService.java][doValidateAccessTokenRequestAndSetContext]
  [redirect_uri=myoidcendpoint.mydomainep.com:8080/auth/realms/broker/myendpointName/endpoint]

  [08/14/2020][08:42:56][1340][3988][19366fc9-99b03f11-24564b8c-a8b7c854-41374e23-11a]
  [OpenIDConnectServiceBase.java][sendJSONErrorResponse][ Sending error JSON message: 
  {"error":"invalid_grant","error_description":"Authorization code expired."} with error code:400]

The Policy Server trace shows the expiry time stored for the az_code next to
the current time on the machine when the token request is processed. Compare
the values: the code is created at 1597383776 (05:42:56 GMT) with an
azCodeExpiry of 300 seconds, yet the expiry read back from the session store
is 1597383694 (05:41:34 GMT), 82 seconds before the code was even created, so
the code is judged expired the instant it is redeemed:

smtracedefault.log

  [08/14/2020][08:42:56.248][08:42:56][2680][4592][SmSSProvider.cpp:454][CSmSSProvider
  ::GenerateSessionId][][][][][][][][][][][][][DASDsdasdsdasdDSSds444dsads=][][][][][]
  [][][Leave function CSmSSProvider::GenerateSessionId][][][][][][][][][][][][][][][][
  ][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

  [08/14/2020][08:42:56.404][08:42:56][2680][4572][LdapStore.cpp:1558][QueryObject][][
  ][][][][][][][][][][][][][][][][][][][Querying for object 
  'smSessionId=DASDsdasdsdasdDSSds444dsads=,o=DSA_DevSStore,c=FI', (filter:" <n/a> ")]
  [][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.404][08:42:56][2680][4572][SmDsLdapProvider.cpp:2365]
  [CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][]
  [(Search) Retrieving attributes for: 'cn=jsmith,dc=training,dc=com', 
  Filter: 'objectclass=* '. Status: 1 matching objects.][]
  [Ldap Search callout succeeds.][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.404][08:42:56][2680][4572][Sm_Auth_Message.cpp:5405][CSm_Auth_
  Message::FormatAttribute][s6568/r524][myODIC-IDP][][myname][]
  [myOIDCAZ][myODIC-IDP][myUserStore][][][][][][]
  [][][][][][DASDsdasdsdasdDSSds444dsads=]
  [Send response attribute 205, data size is 28][][][][]
  [][][][Anonymous Template][][][][][][]
  [cn=jsmith,dc=training.dc=com][]
  [06-ds85gf5dsfds-fdsf121fdsf-fd44fd-df45fd][][][][][][][][][][][Login][4c 50 
  54 76 43 41 72 7a 41 56 36 67 48 73 6c 67 68 66 52 68 4c 78 44 2b 4e 67 73 3d ][][][
  ][][][][][][]

  [08/14/2020][08:42:56.419][08:42:56][2680][4600][AuthorizationResponseGenerator.java
  ][getConfig][dsadsd4d4s-dsaddsad-dsagfd-asdsde-524fd-fdsadfas-fd22][][][][][][][][][][][]
  [][][][][][][][][ before return, map:: {SMASSERTIONREF=QUERY, 
  USER_DIR_OID=0e-fsada545g-dsdasd-fd41f-fd5445e-fd44, scope=openid profile, 
  USER_AUTHENTICATION_TIME=1597383776, 
  response_type=code, 
  state=FKSKKDssdasdaSesS_0YyTuNgn5O2lGDk96r9oQNCdbCw.ra-vwRtsFFs.account, 
  redirect_uri=http://myoidcendpoint.mydomainep.com:8080/auth/realms/Testing-Realm/broker/keycloak-oidc/endpoint, 
  authenticationURL=https://myoidcendpoint.mydomainep.com:9443/affwebservices/CASSO/oidc/myEndPoint/authorize, 
  Oid=null, nonce=SDF44dasdsd-sAs_Dwss_dsds, client_id=myendpointID}][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.419][08:42:56][2680][4600][AuthorizationResponseGenerator.java]
  [persistDataForAccessTokenEndPoint][dsadsd4d4s-dsaddsad-dsagfd-asdsde-524fd-fdsadfas-fd22]
  [][][][][][][][][][][][][][][][][][][][azCodeExpiry (in seconds) 300][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.419][08:42:56][2680][4600][OIDCSessionManager.java]
  [updateDataForAzCode][dsadsd4d4s-dsaddsad-dsagfd-asdsde-524fd-fdsadfas-fd22][][][][][][]
  [][][][][][][][][][][][][][ Create new session store entry for az_code ][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.419][08:42:56][2680][4600][OIDCSessionManager.java][updateDataForAzCode]
  [dsadsd4d4s-dsaddsad-dsagfd-asdsde-524fd-fdsadfas-fd22][][][][][][][][][][][][][][][][][]
  [][][InternalData that is used to generate JSON before encryption:: 
  OpenID ConnectInternalData 
  [azCode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXMD0=, 
  clientId=myendpointID, userId=cn=jsmith,dc=training.dc=com, 
  redirectURI=http://myoidcendpoint.mydomainep.com:8080/auth/realms/broker/myendpointName/endpoint, 
  scope=openid profile, authTime=1597383776, 
  userDirectoryOID=0e-dsad-fdfdsdfsaf-fdsfdfs-fdsfd
  isRevoked=false, nonce=SDF44dasdsd-sAs_Dwss_dsds, refreshTokenIssuedTime=0, 
  tokenIssuedTime=0]][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][]

  1597383776 : Fri, 14 Aug 2020 05:42:56 GMT

  [08/14/2020][08:42:56.560][08:42:56][2680][4584][CServer.cpp:6557][CServer::Tunnel]
  [19366fc9-99b03f11-24564b8c-a8b7c854-41374e23-11a]
  [][][][][][][][][][][][][][87.254.212.157][][][]
  [Lib='smjavaapi', Func='JavaTunnelService', 
  Params='com.ca.federation.openidconnect.tunnel.AccessTokenTunnelService', 
  Server='', Device=''][][Resolved all the input parameters][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.560][08:42:56][2680][4584][AccessTokenTunnelService.java]
  [tunnel][][][][][][][][][][][][][][][][][][][][]
  [OpenIDConnectAccessTokenRequestData: AccessTokenRequest 
  [authorizationCode=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXMD0=, 
  authorizationHeader=null, clientID=myendpoint, grantType=authorization_code, 
  redirectURI=http://mysps.mydomainsps.com:8080/auth/realms/broker/myendpointName/endpoint, 
  codeVerifier=null, commonData=requestId: 554s1da-52ds2ad1-dsf4411s-s4d1s-12a, 
  serviceVersion: 0, serviceMinimumVersion: 0, fedApiVersion: 1]][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.560][08:42:56][2680][4584][AccessTokenTunnelService.java]
  [tunnel][][][][][][][][][][][][][][][][][][][][]
  [CodeExpiry retrieved from SessionStore: 1597383694][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][]

  1597383694 : Fri, 14 Aug 2020 05:41:34 GMT

  [08/14/2020][08:42:56.560][08:42:56][2680][4584][AccessTokenTunnelService.java]
  [tunnel][][][][][][][][][][][][][][][][][][][][]
  [ Check for az_code expiry with current time][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.560][08:42:56][2680][4584][AccessTokenTunnelService.java]
  [returnErrorResponse][][][][][][][][][][][][][][][][][][][][][CODE_EXPIRED][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [08/14/2020][08:42:56.560][08:42:56][2680][4584][AccessTokenTunnelService.java]
  [prepareErrorResponse][][][][][][][][][][][][][][][][][][][][]
  [Preparing error response with errorcode: INVALID_GRANT, 
  errorMessage:CODE_EXPIRED][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][]
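To make the comparison in the trace explicit, here is an added example (it is not part of the original article and not SiteMinder code) that parses the four relevant smtracedefault.log lines, converts the epoch values to UTC the way the article does, and reports both the verdict the Policy Server reached and the inconsistency behind it. The sample input is the trace above with the long runs of empty [] fields trimmed; deriving the log's UTC offset from the USER_AUTHENTICATION_TIME line is an assumption that holds only when the Policy Server writing the line is also the one that issued the code.

```python
import re
from datetime import datetime, timezone

# Sample input: the smtracedefault.log lines shown above, with the long runs of empty
# [] fields trimmed so they stay readable. The numbers are the trace's own values.
SAMPLE_TRACE = """\
[08/14/2020][08:42:56.419][08:42:56][2680][4600][AuthorizationResponseGenerator.java][getConfig][ before return, map:: {SMASSERTIONREF=QUERY, scope=openid profile, USER_AUTHENTICATION_TIME=1597383776, response_type=code, client_id=myendpointID}]
[08/14/2020][08:42:56.419][08:42:56][2680][4600][AuthorizationResponseGenerator.java][persistDataForAccessTokenEndPoint][azCodeExpiry (in seconds) 300]
[08/14/2020][08:42:56.419][08:42:56][2680][4600][OIDCSessionManager.java][updateDataForAzCode][ Create new session store entry for az_code ]
[08/14/2020][08:42:56.560][08:42:56][2680][4584][AccessTokenTunnelService.java][tunnel][CodeExpiry retrieved from SessionStore: 1597383694]
[08/14/2020][08:42:56.560][08:42:56][2680][4584][AccessTokenTunnelService.java][tunnel][ Check for az_code expiry with current time]
[08/14/2020][08:42:56.560][08:42:56][2680][4584][AccessTokenTunnelService.java][returnErrorResponse][CODE_EXPIRED]
"""

FIELD_RE = re.compile(r"\[([^\]]*)\]")            # one [field] of a trace line
AUTH_TIME_RE = re.compile(r"USER_AUTHENTICATION_TIME=(\d+)")
EXPIRY_SECS_RE = re.compile(r"azCodeExpiry \(in seconds\) (\d+)")
STORED_EXPIRY_RE = re.compile(r"CodeExpiry retrieved from SessionStore: (\d+)")
CHECK_MARKER = "Check for az_code expiry with current time"
EPOCH = datetime(1970, 1, 1)


def local_naive(date_field, time_field):
    """Parse the trace's [MM/DD/YYYY][HH:MM:SS(.mmm)] fields into a naive local datetime."""
    fmt = "%m/%d/%Y %H:%M:%S.%f" if "." in time_field else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(f"{date_field} {time_field}", fmt)


def iso_utc(epoch):
    """Render an epoch value as UTC wall-clock time, as the article does."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def analyse_az_code(trace_text):
    auth_time = expiry_secs = stored_expiry = None
    auth_line_local = check_local = None
    for line in trace_text.splitlines():
        fields = FIELD_RE.findall(line)
        if len(fields) < 2:
            continue
        if m := AUTH_TIME_RE.search(line):
            auth_time = int(m.group(1))
            auth_line_local = local_naive(fields[0], fields[1])
        if m := EXPIRY_SECS_RE.search(line):
            expiry_secs = int(m.group(1))
        if m := STORED_EXPIRY_RE.search(line):
            stored_expiry = int(m.group(1))
        if CHECK_MARKER in line:
            check_local = local_naive(fields[0], fields[1])
    if None in (auth_time, expiry_secs, stored_expiry, check_local):
        raise ValueError("trace excerpt lacks one of the four az_code markers")

    # Assumption: the Policy Server that wrote the getConfig line also issued the code, so
    # the gap between that line's local timestamp and USER_AUTHENTICATION_TIME (UTC) is the
    # log's UTC offset. Rounded to 15 minutes to absorb the sub-second write delay.
    auth_utc_naive = datetime.fromtimestamp(auth_time, tz=timezone.utc).replace(tzinfo=None)
    utc_offset_s = round((auth_line_local - auth_utc_naive).total_seconds() / 900) * 900

    check_epoch = (check_local - EPOCH).total_seconds() - utc_offset_s
    return {
        "auth_time": auth_time,
        "az_code_expiry_seconds": expiry_secs,
        "expected_expiry": auth_time + expiry_secs,      # what a consistent store would hold
        "stored_expiry": stored_expiry,
        "utc_offset_hours": utc_offset_s / 3600,
        "code_age_at_check_s": round(check_epoch - auth_time, 3),
        # The verdict the Policy Server reached: stored expiry already in the past at check time.
        "server_says_expired": check_epoch >= stored_expiry,
        # An expiry earlier than the code's own creation time cannot come from a short
        # validity period; it means the expiry was computed against a clock running behind.
        "stored_expiry_before_creation_s": auth_time - stored_expiry,
        "clock_skew_suspected": stored_expiry < auth_time,
    }


if __name__ == "__main__":
    report = analyse_az_code(SAMPLE_TRACE)
    for key in ("auth_time", "expected_expiry", "stored_expiry"):
        print(f"{key:34s} {report[key]}  ({iso_utc(report[key])})")
    for key, value in report.items():
        if key not in ("auth_time", "expected_expiry", "stored_expiry"):
            print(f"{key:34s} {value}")
```

Run against the excerpt, the report shows a code less than a second old being rejected because the stored expiry lies 82 seconds before its creation; a longer validity period hides that gap, synchronized clocks remove it.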

Environment

  CA Access Gateway (SPS) 12.8SP3 on Windows 2012R2;
  Policy Server 12.8SP3 on RedHat 7;

Resolution

Increasing the authorization code validity period resolved the problem.

In the OIDC provider configuration, the relevant setting is:

  "Authorization Code Expiry Time"

which defaults to 1 minute. Raise it only as far as needed: an authorization
code is meant to be single-use and short-lived (RFC 6749 recommends a maximum
lifetime of 10 minutes), so a long validity window mainly widens the time an
intercepted code stays redeemable.

Also ensure time services on all machines are working as expected. In the
trace above the az_code was persisted with an azCodeExpiry of 300 seconds, yet
the expiry read back was 82 seconds before the code's own creation time. A
longer validity period only masks a clock difference of that size; keeping the
clocks of the Policy Server, the Access Gateway and the session store host
synchronized (NTP or chrony on RedHat, the Windows Time service on Windows) is
the fix to keep.