OIDC Invalid Request: Access token is not found in either form parameter or Authorization Header of the request
Article ID: 281290

Products

SITEMINDER CA BCS Premier for CA Single Sign-On CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

An intermittent error is observed in the Access Gateway log:

[33938/140372183275264][Wed MM DD YYYY 16:11:10.764][OpenIDConnectServiceBase.java][ERROR][sm-FedClient-03802] Invalid Request. {"error":"invalid_request","error_description":"Client credentials are invalid."}
[33938/140372180117248][Wed MM DD YYYY 16:11:37.116][FWSBase.java][ERROR][sm-FedClient-03500] "Input is invalid." ()
[33938/140372186433280][Wed MM DD YYYY 16:11:37.490][OpenIDConnectServiceBase.java][ERROR][sm-FedClient-03802] Invalid Request. {"error":"invalid_request","error_description":"Access token is not found in either form parameter or Authorization Header of the request."}
[33938/140372178011904][Wed MM DD YYYY 16:13:22.080][FWSBase.java][ERROR][sm-FedClient-03500] "Input is invalid." ()
[33938/140372179064576][Wed MM DD YYYY 16:13:22.452][OpenIDConnectServiceBase.java][ERROR][sm-FedClient-03802] Invalid Request. {"error":"invalid_request","error_description":"Client credentials are invalid."}

Environment

OS: Red Hat Enterprise Linux Server release 8.9
CA Access Gateway server version : 12.8 SP6

Cause

The error occurs when the endpoint /affwebservices/CASSO/oidc/sample_client/userinfo is invoked without a valid access token.

The token request of a confidential client that uses the Basic client authentication type (client_secret_basic) has the following format. The client_id and client_secret travel in the Authorization header, not in the form body:

POST <token_endpoint_url> HTTP/1.1
Host: <hostname>
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <base64(client_id:client_secret)>

The access token returned by that request is then presented as a Bearer token on the userinfo call, e.g.:

GET /affwebservices/CASSO/oidc/sample_client/userinfo HTTP/1.1
Host: wa.example.com
Authorization: Bearer eyJhbGc......
 
When the Authorization header is missing from the token request, the Policy Server's smtracedefault.log shows the following:
 
[mm/dd/yyyy][13:26:37.646][13:26:37][1038198][139847540922112][AccessTokenTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][ Is isConfidentialClient?: true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][13:26:37.646][13:26:37][1038198][139847540922112][BaseAccessTokenTunnel.java][isInValidClient][][][][][][][][][][][][][][][][][][][][][ Client Type is Confidential, do Client authentication based on configuration, method: CLIENT_SECRET_BASIC][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][13:26:37.647][13:26:37][1038198][139847540922112][BaseAccessTokenTunnel.java][isInValidClient][][][][][][][][][][][][][][][][][][][][][ validate client_secret_basic credentials ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][13:26:37.647][13:26:37][1038198][139847540922112][BaseAccessTokenTunnel.java][isInValidClient][][][][][][][][][][][][][][][][][][][][][Authorization header is missing][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][13:26:37.647][13:26:37][1038198][139847540922112][AccessTokenTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][ Is client invalid?: INVALID_REQUEST][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][13:26:37.647][13:26:37][1038198][139847540922112][AccessTokenTunnelService.java][returnErrorResponse][][][][][][][][][][][][][][][][][][][][][INVALID_CLIENT_CREDENTIALS][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[mm/dd/yyyy][13:26:37.647][13:26:37][1038198][139847540922112][AccessTokenTunnelService.java][prepareErrorResponse][][][][][][][][][][][][][][][][][][][][][Preparing error response with errorcode: INVALID_REQUEST, errorMessage:INVALID_CLIENT_CREDENTIALS][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
 
One may also see the message "AccessTokenTunnel call failed" in FWSTrace.log before the error "Access token is not found in either form parameter or Authorization Header of the request.":
The "Access token is not found" error is reported because the Policy Server never issued an access token in the first place.
The Policy Server did not issue the access token because client authentication of the token request failed: "Client credentials are invalid."
 
FWSTrace.log
 
[mm/dd/yyyy][22:16:38][33938][140372180117248][8173bxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-768][OpenIDConnectTunnelClient.java][callOpenIDConnectAccessTokenRequest][Tunnel result code: 1.]
[mm/dd/yyyy][22:16:38][33938][140372180117248][8173bxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-768][OpenIDConnectTunnelClient.java][callOpenIDConnectAccessTokenRequest][OpenIDConnectAccessTokenRequest Status: 1, ]
[mm/dd/yyyy][22:16:38][33938][140372180117248][8173bxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-768][TokenService.java][processRequest][ AccessTokenTunnel call failed ]
[mm/dd/yyyy][22:16:38][33938][140372180117248][8173bxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-768][OpenIDConnectServiceBase.java][sendJSONErrorResponse][ Sending error JSON message: 
{"error":"invalid_request","error_description":"Client credentials are invalid."} 
 with error code:400]

Resolution

The product is working as designed.

The Authorization header of the token request is where the client_id and client_secret are passed (HTTP Basic, i.e. base64 of client_id:client_secret).

A confidential OIDC client MUST submit its client_id and client_secret with the token request. When they are missing, the Policy Server does not issue an access token, and the subsequent OIDC call (here, userinfo) fails with "Access token is not found in either form parameter or Authorization Header of the request."
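As an added example (not part of this article and not the product's own code), the following Python script shows both sides of the exchange described in the Cause and Resolution sections: how a confidential client builds the token request with client_secret_basic and the follow-up userinfo request, a model of the Policy Server's client authentication check that yields "Client credentials are invalid." when the Authorization header is missing or wrong, and a small triage routine that attributes each "Access token is not found" error in the Access Gateway log to the preceding credential failure from the same process. The token endpoint path, the client_id and client_secret values, the authorization code and the redirect_uri are assumed placeholders; the sample log lines are the ones quoted in the Issue section.

```python
import base64
import hmac
import json
import re
from urllib.parse import urlencode

# Constructed placeholder values for this example; not real credentials or a real deployment.
CLIENT_ID = "sample_client"
CLIENT_SECRET = "secret"
TOKEN_ENDPOINT = "/affwebservices/CASSO/oidc/sample_client/token"        # assumed path
USERINFO_ENDPOINT = "/affwebservices/CASSO/oidc/sample_client/userinfo"  # endpoint named in the article


def basic_auth_header(client_id, client_secret):
    """client_secret_basic: 'Basic ' + base64(client_id:client_secret), as the article describes.
    RFC 6749 section 2.3.1 additionally form-urlencodes each half before joining; that only
    matters for ids or secrets containing ':' or non-ASCII and is omitted here."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Headers and form body of a confidential client's token request (authorization_code grant).
    The client credentials ride in the Authorization header, never in the form body."""
    headers = {
        "Host": "wa.example.com",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})
    return headers, body


def build_userinfo_request(access_token):
    """The follow-up userinfo call presents the issued access token as a Bearer token."""
    return {"Host": "wa.example.com", "Authorization": f"Bearer {access_token}"}


INVALID_CLIENT = {"error": "invalid_request", "error_description": "Client credentials are invalid."}


def authenticate_confidential_client(headers, client_id, client_secret):
    """Models the Policy Server's CLIENT_SECRET_BASIC check seen in the smtracedefault.log trace:
    a missing, malformed or non-matching Authorization header yields INVALID_REQUEST /
    INVALID_CLIENT_CREDENTIALS and no access token is issued. Returns None when the client is valid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return dict(INVALID_CLIENT)          # "Authorization header is missing"
    try:
        presented = base64.b64decode(auth[len("Basic "):], validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return dict(INVALID_CLIENT)
    expected = f"{client_id}:{client_secret}".encode("utf-8")
    if not hmac.compare_digest(presented, expected):   # constant-time comparison of the secret
        return dict(INVALID_CLIENT)
    return None


# Access Gateway log layout: [pid/tid][timestamp][source][level][code] message
LOG_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>[^\]]+)\]\[(?P<code>[^\]]+)\] (?P<msg>.*)$"
)


def triage_gateway_log(lines):
    """Attribute each 'Access token is not found' error (sm-FedClient-03802) to the most recent
    'Client credentials are invalid' error logged by the same Access Gateway process."""
    last_credential_failure = {}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["code"] != "sm-FedClient-03802":
            continue
        _, _, payload = m["msg"].partition("Invalid Request. ")
        description = json.loads(payload).get("error_description", "")
        if description.startswith("Client credentials are invalid"):
            last_credential_failure[m["pid"]] = m["ts"]
        elif description.startswith("Access token is not found"):
            findings.append({
                "time": m["ts"],
                "symptom": description,
                "token_request_failed_at": last_credential_failure.get(m["pid"]),
            })
    return findings


# Constructed sample: the five Access Gateway log lines quoted in the Issue section.
SAMPLE_LOG = [
    '[33938/140372183275264][Wed MM DD YYYY 16:11:10.764][OpenIDConnectServiceBase.java][ERROR][sm-FedClient-03802] Invalid Request. {"error":"invalid_request","error_description":"Client credentials are invalid."}',
    '[33938/140372180117248][Wed MM DD YYYY 16:11:37.116][FWSBase.java][ERROR][sm-FedClient-03500] "Input is invalid." ()',
    '[33938/140372186433280][Wed MM DD YYYY 16:11:37.490][OpenIDConnectServiceBase.java][ERROR][sm-FedClient-03802] Invalid Request. {"error":"invalid_request","error_description":"Access token is not found in either form parameter or Authorization Header of the request."}',
    '[33938/140372178011904][Wed MM DD YYYY 16:13:22.080][FWSBase.java][ERROR][sm-FedClient-03500] "Input is invalid." ()',
    '[33938/140372179064576][Wed MM DD YYYY 16:13:22.452][OpenIDConnectServiceBase.java][ERROR][sm-FedClient-03802] Invalid Request. {"error":"invalid_request","error_description":"Client credentials are invalid."}',
]


if __name__ == "__main__":
    headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET, "abc123", "https://app.example.com/cb")
    print("valid token request ->", authenticate_confidential_client(headers, CLIENT_ID, CLIENT_SECRET))
    print("no Authorization header ->", authenticate_confidential_client({}, CLIENT_ID, CLIENT_SECRET))
    for finding in triage_gateway_log(SAMPLE_LOG):
        print(finding)
```

Running the script reports the valid request as accepted (None), the header-less request as the "Client credentials are invalid." error, and one finding: the 16:11:37.490 "Access token is not found" error traced back to the 16:11:10.764 credential failure in process 33938. The last credential failure at 16:13:22.452 produces no finding because no userinfo call followed it in the excerpt.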

Additional Information