VCF Operations Login Failures: InvalidRedirectUrlException after linking workload domains

Article ID: 438846


Products

  • VCF Operations
  • VMware Cloud Foundation

Issue/Introduction

  • Users may encounter the following issues when attempting to access VCF Operations:

    Intermittent login failures when using VCF Single Sign-On (SSO).
    The web browser displays the error:
    "VCF Identity Broker encountered an issue during authentication. ...... contact your VCF Admin with the below details for resolution."
    Error code: oauth2.request.invalid.redirecturl

  • This issue typically emerges after linking a workload domain (WLD) and management vCenter Servers in environments using the embedded Identity Provider (IDB). Users report that VCF SSO fails at random.

  • The accesscontrol-service.log on the management vCenter Server contains entries similar to:

    YYYY-MM-DDTHH:MM:SS INFO ####:accesscontrol ... redirect url : https://[HOSTNAME]/ui/vidbClient/vidb/, client id : ####, response type : code
    YYYY-MM-DDTHH:MM:SS WARN ####:accesscontrol ... AuthorizeRequestValidator - Authorize request : Redirect url is invalid : https://[HOSTNAME]/ui/vidbClient/vidb/
    YYYY-MM-DDTHH:MM:SS WARN ####:accesscontrol ... failed during authorize java.util.concurrent.CompletionException: com.vmware.vidm.accesscontrol.exceptions.oauth2.InvalidRedirectUrlException: oauth2.request.invalid.redirecturl

Environment

  • VCF 9.x
  • VCF Operations 9.x

Cause

Authentication failures occur when the OAuth2 redirect URL uses the VCF Operations shortname instead of the required Fully Qualified Domain Name (FQDN). The VMware Identity Broker (VIDB) only authorizes redirect URIs that were explicitly registered during the initial SSO configuration. If the browser attempts to use a shortname, the security filter rejects the request because the URI does not match the registered FQDN.

Resolution

To resolve this issue, ensure VCF Operations is accessed via its FQDN and update the System Access URL configuration.

  1. Log in to the VCF Operations UI as a local administrator.
  2. Navigate to Administration > Global Settings > System Settings.
  3. Locate the System Access URL field.
  4. Enter the complete FQDN with the HTTPS prefix (e.g., https://vops.example.com).
    Note: Ensure there is no trailing slash at the end of the URL.
  5. Click Save.
  6. Ensure all users access the UI using the authorized FQDN rather than an IP address or shortname.
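As an added pre-check (not part of this article or of the VCF product), the Python below validates a System Access URL candidate against the requirements in steps 4 and 6 and scans accesscontrol-service.log lines in the quoted format for redirect URLs whose host is not the registered FQDN; the hostnames, client id and timestamps in the sample log are constructed.

```python
import re
from urllib.parse import urlparse

# Pulls the redirect URL out of the INFO line format quoted in the article.
REDIRECT_RE = re.compile(r"redirect url : (\S+)")

# Constructed sample in the shape of the quoted accesscontrol-service.log lines:
# one attempt through the shortname "vops" (rejected) and one through the FQDN.
SAMPLE_LOG = """\
2025-01-01T10:00:00 INFO 1234:accesscontrol ... redirect url : https://vops/ui/vidbClient/vidb/, client id : 5678, response type : code
2025-01-01T10:00:00 WARN 1234:accesscontrol ... AuthorizeRequestValidator - Authorize request : Redirect url is invalid : https://vops/ui/vidbClient/vidb/
2025-01-01T10:05:00 INFO 1234:accesscontrol ... redirect url : https://vops.example.com/ui/vidbClient/vidb/, client id : 5678, response type : code
"""


def check_system_access_url(url: str) -> list[str]:
    """Return the problems with a System Access URL candidate (empty list means it is acceptable)."""
    problems = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        problems.append("hostname is an IP address, not an FQDN")
    elif "." not in host:
        problems.append("hostname is a shortname, not an FQDN")
    if url.endswith("/"):
        problems.append("trailing slash must be removed")
    return problems


def find_rejected_redirects(log_text: str, registered_fqdn: str) -> list[str]:
    """Return redirect URLs from INFO lines whose host is not the registered FQDN.

    Each such URL is a login the broker refuses with oauth2.request.invalid.redirecturl,
    which means the user behind it reached the UI by shortname or IP address.
    """
    rejected = []
    for match in REDIRECT_RE.finditer(log_text):
        url = match.group(1).rstrip(",")  # the log separates fields with ", "
        host = urlparse(url).hostname or ""
        if host.lower() != registered_fqdn.lower():
            rejected.append(url)
    return rejected


if __name__ == "__main__":
    print(check_system_access_url("https://vops.example.com/"))  # ['trailing slash must be removed']
    print(find_rejected_redirects(SAMPLE_LOG, "vops.example.com"))  # ['https://vops/ui/vidbClient/vidb/']
```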