A working OIDC setup suddenly stopped working over the weekend.
The error seen on the client side:
##.##.##.##(IP) - - [12/Apr/2021:08:35:03 -0400] "GET /my_oidc_login_page?error=server_error&error_description=Internal+Server+Error.&state=#### HTTP/1.1" 500 1273
On the SiteMinder OIDC Provider side, FWStrace.log shows:
[04/12/2021][16:25:44][48732][140647940888320][<TransactionID>][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=####&state=####&redirect_uri=https%3A%2F%2<Server Name>%2Fmy_oidc_login_page&nonce=####&authenticationURL=https://<IDP Server Name>/affwebservices/CASSO/oidc/authorize&Oid=null]
[04/12/2021][16:25:44][48732][140647940888320][<TransactionID>][AuthorizationService.java][processAuthorization][resolved variable list is: <RVARS><Var name="USER_DIR_OID" rtype="3"><![CDATA[########]]></Var><Var name="SessionToken" rtype="3"><![CDATA[####....
[...omitted for brevity...]
[04/12/2021][16:25:44][48732][140647940888320][<TransactionID>][AuthorizationService.java][processAuthorization][Calling authorizeEx to invoke autorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][<TransactionID>][AuthorizationService.java][processAuthorization][Transient IP check: false]
[04/12/2021][16:25:44][48732][140647940888320][<TransactionID>][AuthorizationService.java][processAuthorization][Result of authorizeEx call is: 1.]
[04/12/2021][16:25:44][48732][140647940888320][<TransactionID>][AuthorizationService.java][processAuthorization][Transaction with ID: <TransactionID> failed. Reason: FAILED_NO_ATTR_RETURNED]
[04/12/2021][16:25:44][48732][140647940888320][<TransactionID>][AuthorizationService.java][processAuthorization][Denying request due to no attribute returned from authorization code generator.]
[04/12/2021][16:25:44][48732][140647940888320][<TransactionID>][OpenIDConnectServiceBase.java][sendErrorResponse][ Sending error response:
ErrorResponse [error=server_error, error_description=Error interno del servidor., error_uri=null] to:https://<Server Name>/my_oidc_login_page]
[...omitted for brevity...]
[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Resolving service to forward, for URI: /affwebservices/CASSO/oidc/client_name/authorize]
[04/12/2021][16:25:48][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Forwarding to URI: /CASSO/oidc/authorize]
Policy Server 12.8SP2 on RedHat 7;
CA Access Gateway (SPS) 12.8SP2 on RedHat 7.
In version 12.8SP2, the OIDC authorize endpoint includes client_name in its path, e.g.
https://<IDP Server Name>/affwebservices/CASSO/oidc/client_name/authorize?
However, after the user is authenticated, the user is redirected via /affwebservices/secure/secureredirect to a default TARGET instead of the originally authorized TARGET endpoint.
The redirect went back to
https://<IDP Server Name>/affwebservices/CASSO/oidc/authorize
whereas the original was
https://<IDP Server Name>/affwebservices/CASSO/oidc/client_name/authorize
This can be confirmed from both FWStrace.log and browser trace logs. Whether this is an issue depends on the version of the Policy Server.
See the release note on endpoint changes between 12.8SP2 and SP3 onwards (1).
The key fact is that CA Access Gateway (SPS) calls the Policy Server to obtain an authorization code and is denied (FAILED_NO_ATTR_RETURNED), so something is wrong on the Policy Server side; unfortunately, no logs were provided from the production Policy Server.
The true cause is that the Session Stores are down. This is why recycling CA Access Gateway (SPS) and the Policy Server did not help.
Once the Session Stores, which are a required component for OIDC authentication, are back online, everything works again.
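The following triage script is an added example, not part of the original article or of any CA/Broadcom tooling. It parses FWStrace.log lines of the bracketed shape shown above, groups them by transaction ID, pulls out the "Transaction ... failed. Reason:" code, and checks whether the authenticationURL in the "resource is:" line still carries the client_name segment that 12.8SP2 expects. The sample log lines are constructed to mirror the excerpt above; hostnames, transaction IDs and client/state values are placeholders. Mapping FAILED_NO_ATTR_RETURNED to a Session Store check follows the resolution given in the article.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the FWStrace.log excerpt; all IDs and hosts are placeholders.
SAMPLE_LOG = """\
[04/12/2021][16:25:44][48732][140647940888320][TX-1][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=abc&state=xyz&redirect_uri=https%3A%2F%2Fsp.example%2Fmy_oidc_login_page&nonce=n1&authenticationURL=https://idp.example/affwebservices/CASSO/oidc/authorize&Oid=null]
[04/12/2021][16:25:44][48732][140647940888320][TX-1][AuthorizationService.java][processAuthorization][Result of authorizeEx call is: 1.]
[04/12/2021][16:25:44][48732][140647940888320][TX-1][AuthorizationService.java][processAuthorization][Transaction with ID: TX-1 failed. Reason: FAILED_NO_ATTR_RETURNED]
[04/12/2021][16:25:44][48732][140647940888320][TX-1][AuthorizationService.java][processAuthorization][Denying request due to no attribute returned from authorization code generator.]
[04/12/2021][16:26:10][48732][140647940888320][TX-2][AuthorizationService.java][processAuthorization][resource is: /&response_type=code&scope=openid&client_id=abc&state=q&redirect_uri=https%3A%2F%2Fsp.example%2Fmy_oidc_login_page&authenticationURL=https://idp.example/affwebservices/CASSO/oidc/client_name/authorize&Oid=null]
[04/12/2021][16:26:10][48732][140647942993664][][OIDCRequestController.java][resolveAndForward][Forwarding to URI: /CASSO/oidc/authorize]
"""

FIELD = re.compile(r"^\[([^\]]*)\]")
FIELD_NAMES = ("date", "time", "pid", "tid", "txid", "source", "method")
REASON = re.compile(r"Transaction with ID: (\S+) failed\. Reason: (\w+)")
AUTH_URL = re.compile(r"authenticationURL=(\S+?)(?:&|$)")


def parse_line(line):
    """Split one FWStrace line into its seven fixed bracketed fields plus the message.

    Returns None for lines that do not start with seven bracketed fields
    (e.g. the continuation line of a multi-line message)."""
    rest = line.rstrip("\n")
    rec = {}
    for name in FIELD_NAMES:
        m = FIELD.match(rest)
        if not m:
            return None
        rec[name] = m.group(1)
        rest = rest[m.end():]
    # The message may itself contain ']' (CDATA in the resolved variable list),
    # so only the outermost bracket pair is stripped.
    if rest.startswith("[") and rest.endswith("]"):
        rest = rest[1:-1]
    rec["message"] = rest
    return rec


def has_client_name(url):
    """True if the path has the 12.8SP2 shape .../CASSO/oidc/<client_name>/authorize,
    False if it is the bare .../CASSO/oidc/authorize, None if 'oidc' is not in the path."""
    path = url.split("://", 1)[-1].split("/", 1)[-1]  # drop scheme and host
    parts = path.split("/")
    if "oidc" not in parts:
        return None
    i = parts.index("oidc")
    return len(parts) > i + 2 and parts[i + 2] == "authorize"


def triage(log_text):
    """Group lines by transaction ID and record the failure reason and authenticationURL shape."""
    txs = defaultdict(lambda: {"reason": None, "authentication_url": None, "client_name_in_path": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["txid"]:
            continue  # skip continuation lines and controller lines with an empty transaction ID
        tx = txs[rec["txid"]]
        m = REASON.search(rec["message"])
        if m:
            tx["reason"] = m.group(2)
        m = AUTH_URL.search(rec["message"])
        if m:
            tx["authentication_url"] = m.group(1)
            tx["client_name_in_path"] = has_client_name(m.group(1))
    return dict(txs)


def findings(log_text):
    """Human-readable findings per transaction, ordered by first appearance."""
    out = []
    for txid, tx in triage(log_text).items():
        if tx["reason"] == "FAILED_NO_ATTR_RETURNED":
            out.append(f"{txid}: authorization code generator returned no attributes; "
                       "verify the Policy Server can reach its Session Store")
        if tx["client_name_in_path"] is False:
            out.append(f"{txid}: authenticationURL {tx['authentication_url']} lacks the "
                       "client_name segment expected on 12.8SP2")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run it against a real FWStrace.log by reading the file into `findings()`; a transaction that shows both findings, as TX-1 does in the sample, matches the pattern in this article, and the Session Store health is the first thing to check before recycling SPS or the Policy Server.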