OAuth/OIDC Request Fails with "Request is not secure" Error in CA Access Gateway (SPS)
Article ID: 440031

Products:

  - SITEMINDER
  - CA Single Sign On Federation (SiteMinder)
  - CA Single Sign On Secure Proxy Server (SiteMinder)
  - CA Single Sign-On

Issue/Introduction

When running an OAuth 2.0 or OIDC flow through CA Access Gateway (SPS), the request to the authorization endpoint is rejected. spstrace.log (or the debug logs) shows the error below. Note that the error is raised even though the configured client URLs, such as the redirectURI in the snippet, use https: what is checked is the scheme of the inbound authorization request as the Gateway itself receives it, not the scheme of the URLs in the client configuration.

Log Snippet:

client Info: {redirectURI=[https://oidc.example.com/callback], ...}
response_type=code
redirectURI=https://oidc.example.com/callback
Request is not secure i.e, not HTTPS > Sending error response:
ErrorResponse [error=invalid_request, error_description=The request is not secure, error_uri=null]

Environment

Policy Server: All supported versions
Access Gateway: All supported versions
Feature: OAuth 2.0 / OpenID Connect (OIDC)

Cause

The OAuth 2.0 specification (RFC 6749, Section 1.6) requires TLS for the authorization and token endpoints, and RFC 6750 requires bearer tokens to be sent only over TLS. OIDC builds on OAuth 2.0 and inherits this requirement. The Gateway therefore refuses an authorization request that it did not receive over HTTPS.

This error typically occurs when:

  1. The Access Gateway (SPS) receives the request over plain HTTP (typically port 80) instead of HTTPS (typically port 443), for example because the client or browser was pointed at an http:// URL.
  2. TLS is terminated at a load balancer or reverse proxy in front of the Gateway, and the hop from that device to the Gateway is plain HTTP. The Gateway then sees an HTTP connection and has no way to tell that the original client request was HTTPS, so the secure-request check fails even though the end user connected over https://.
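The check that produces this error can be modelled as a small decision function. The block below is an added illustration, not CA Access Gateway code, and it does not claim how the Gateway itself implements the check. It treats the two causes above as cases: a request that arrives over https is accepted; one that arrives over http is rejected with the same invalid_request / "The request is not secure" shape seen in the log; and, for the load-balancer case, it shows the one safe way a server may honour a forwarded scheme: only an X-Forwarded-Proto header set by a proxy whose address is on an explicit trust list counts, because any client can send that header itself. The X-Forwarded-Proto handling and the 10.0.0.0/8 proxy range are assumptions for the example. All request samples are constructed inline.

```python
"""Model of the 'is this authorization request secure?' decision.

Added example; NOT CA Access Gateway (SPS) code. It only illustrates the
two failure causes from the article and the safe way to honour a
forwarded scheme when TLS is terminated in front of the server.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed address range of the load balancer / reverse proxy tier.
# Only a peer inside this range may assert that the client used HTTPS.
TRUSTED_PROXIES: List = [ip_network("10.0.0.0/8")]


@dataclass
class InboundRequest:
    scheme: str                      # scheme of the TCP connection the server saw
    peer_ip: str                     # immediate peer: the browser or the load balancer
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)


def is_request_secure(req: InboundRequest, trusted_proxies=None) -> bool:
    """True if the request reached us over TLS, directly or via a trusted proxy."""
    trusted_proxies = TRUSTED_PROXIES if trusted_proxies is None else trusted_proxies
    if req.scheme.lower() == "https":
        return True                  # cause 1 does not apply: TLS terminated here

    # Cause 2: plain HTTP on the last hop. The only evidence that the
    # client used HTTPS is a header, which is forgeable, so it is honoured
    # solely when the immediate peer is a trusted proxy.
    peer = ip_address(req.peer_ip)
    if any(peer in net for net in trusted_proxies):
        # Take the first (client-side) value if several proxies appended.
        forwarded = req.headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        return forwarded == "https"
    return False


def handle_authorize(req: InboundRequest) -> dict:
    """Minimal authorize-endpoint front check.

    Returns an OAuth-style error document with the same fields as the
    ErrorResponse in the log snippet, or a success marker.
    """
    if not is_request_secure(req):
        return {
            "error": "invalid_request",
            "error_description": "The request is not secure",
            "error_uri": None,
        }
    if req.params.get("response_type") != "code":
        return {"error": "unsupported_response_type",
                "error_description": "only response_type=code is modelled here",
                "error_uri": None}
    return {"ok": True, "redirect_uri": req.params.get("redirect_uri")}


# Constructed samples covering the article's scenarios.
PARAMS = {"response_type": "code", "redirect_uri": "https://oidc.example.com/callback"}

DIRECT_HTTPS = InboundRequest("https", "203.0.113.5", params=PARAMS)
DIRECT_HTTP = InboundRequest("http", "203.0.113.5", params=PARAMS)          # cause 1
LB_TERMINATED_OK = InboundRequest("http", "10.1.2.3",                       # cause 2, fixed
                                  {"X-Forwarded-Proto": "https"}, PARAMS)
LB_TERMINATED_NO_HEADER = InboundRequest("http", "10.1.2.3", params=PARAMS)  # cause 2, as reported
SPOOFED_HEADER = InboundRequest("http", "203.0.113.5",                      # forged by a client
                                {"X-Forwarded-Proto": "https"}, PARAMS)


def demo() -> Dict[str, dict]:
    """Run every sample through the endpoint and return the outcomes by name."""
    return {
        "direct_https": handle_authorize(DIRECT_HTTPS),
        "direct_http": handle_authorize(DIRECT_HTTP),
        "lb_terminated_ok": handle_authorize(LB_TERMINATED_OK),
        "lb_terminated_no_header": handle_authorize(LB_TERMINATED_NO_HEADER),
        "spoofed_header": handle_authorize(SPOOFED_HEADER),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} -> {outcome}")
```

The `lb_terminated_no_header` sample is the situation the article describes: TLS ends at the load balancer, the Gateway sees http, and the request is refused. Re-encrypting the hop to the Gateway (the fix the article recommends) turns that case into `direct_https`; the `spoofed_header` case shows why a server must not simply believe a forwarded-scheme header from an arbitrary peer.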

Resolution

To resolve this issue, make sure the authorization request reaches the Access Gateway over HTTPS. Either let the Gateway terminate TLS itself, or, if a load balancer or proxy terminates TLS in front of it, re-encrypt the hop from that device to the Gateway so that the last hop is HTTPS as well. After the change, repeat the flow and confirm that the "Request is not secure" line no longer appears in spstrace.log.

  1. Reference Industry Standards

    OAuth 2.0 requires TLS to protect the authorization code, access tokens, refresh tokens and client credentials in transit (1).

    RFC 6749, The OAuth 2.0 Authorization Framework, Section 1.6 (TLS Version) (1)
    RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage (2)

  2. Configure Access Gateway for SSL/TLS

    Follow the official Broadcom documentation to enable and configure SSL on your Access Gateway instance:

    General configuration: Access Gateway Configuration (3)
    Enabling SSL: Configuring SSL for Access Gateway (4)
    Manual Apache SSL setup: Configuring SSL on Apache Web Server Manually (5)

Additional Information

  1. RFC 6749, The OAuth 2.0 Authorization Framework, https://www.rfc-editor.org/rfc/rfc6749
  2. RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage, https://www.rfc-editor.org/rfc/rfc6750
  3. Broadcom documentation: Access Gateway Configuration
  4. Broadcom documentation: Configuring SSL for Access Gateway
  5. Broadcom documentation: Configuring SSL on Apache Web Server Manually