7021386: NetIQ Access Manager NIDP server returns “invalid_code: code invalid or already used” on OAuth Access Token request

This document (7021386) is provided subject to the disclaimer at the end of this document.

Environment

  • Access Manager 4.3.2

Situation

  • Requesting an OAuth access token (authorization code grant flow)
  • The NIDP server returns the error:

    { "error":"invalid_code", "error_description":"invalid_code: code invalid or already used" }
  • The problem only shows up in a clustered environment; the same flow works fine against a single NIDP server node
  • The OAuth web client does not present any NAM session cookie (such as the NIDP server's JSESSIONID cookie) with its requests

Resolution

  • The issue has been reported to engineering
  • A fix has been included in NAM 4.4 to address this issue
  • A fix will be included in NAM 4.3.3

Cause

Since SP2 (Access Manager 4.3.2) an issued authorization code can be redeemed only once. In a clustered environment the problem arises when the NIDP cluster node that authenticated the user and issued the authorization code goes down, so the OAuth client's access token request is handled by another cluster node. That node does not know the code and rejects it as invalid or already used.
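The following model illustrates the failure mode described above. It is an added example, not NetIQ Access Manager code: two simulated NIDP nodes each keep the authorization codes they issued in a node-local store, so a token request that reaches a node other than the issuer gets the same JSON error body as in the Situation section. The rejection happens whenever the token request lands on a different node, whether because the issuing node went down or because the request was routed elsewhere. A second cluster built on a shared store shows the behaviour a client expects. Client IDs, redirect URIs and the 60-second code lifetime are constructed for the example and are not taken from the product.

```python
"""Illustrative model of single-use OAuth authorization codes in a two-node cluster.

Added example, not NetIQ Access Manager code. Node names, client IDs, redirect
URIs and the code lifetime are assumptions made for the illustration.
"""
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime for the example; not stated on the page

# Error body as returned by the NIDP server (from the Situation section).
INVALID_CODE = {
    "error": "invalid_code",
    "error_description": "invalid_code: code invalid or already used",
}


class AuthCodeStore:
    """Single-use authorization codes: issue() creates one, redeem() consumes it."""

    def __init__(self):
        # code -> (client_id, redirect_uri, issued_at)
        self._codes = {}

    def issue(self, client_id, redirect_uri, now=None):
        code = secrets.token_urlsafe(32)
        issued_at = now if now is not None else time.time()
        self._codes[code] = (client_id, redirect_uri, issued_at)
        return code

    def redeem(self, code, client_id, redirect_uri, now=None):
        """Return True exactly once for a valid code; every later call returns False.

        pop() removes the code before any check, so a code presented with the
        wrong client or redirect URI is burned rather than left open for retries.
        """
        entry = self._codes.pop(code, None)
        if entry is None:
            return False  # never issued by this store, or already used
        stored_client, stored_redirect, issued_at = entry
        now = now if now is not None else time.time()
        if now - issued_at > CODE_TTL_SECONDS:
            return False
        return stored_client == client_id and stored_redirect == redirect_uri


class NidpNode:
    """One cluster node: authorize() issues codes, token() redeems them."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def authorize(self, client_id, redirect_uri):
        return self.store.issue(client_id, redirect_uri)

    def token(self, code, client_id, redirect_uri):
        if not self.store.redeem(code, client_id, redirect_uri):
            return dict(INVALID_CODE)
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
            "issued_by": self.name,
        }


def node_local_cluster():
    """Two nodes with separate code stores: the situation this TID describes."""
    return NidpNode("nidp1", AuthCodeStore()), NidpNode("nidp2", AuthCodeStore())


def shared_store_cluster():
    """Two nodes sharing one code store, so any node can redeem any node's code."""
    shared = AuthCodeStore()
    return NidpNode("nidp1", shared), NidpNode("nidp2", shared)


def run_code_flow(issuing_node, redeeming_node,
                  client_id="oauth-client",
                  redirect_uri="https://client.example/callback"):
    """Authorization code grant: code from one node, token request to another."""
    code = issuing_node.authorize(client_id, redirect_uri)
    return redeeming_node.token(code, client_id, redirect_uri)


if __name__ == "__main__":
    nidp1, nidp2 = node_local_cluster()
    print("same node   :", "access_token" in run_code_flow(nidp1, nidp1))
    print("other node  :", run_code_flow(nidp1, nidp2))
    nidp1, nidp2 = shared_store_cluster()
    print("shared store:", "access_token" in run_code_flow(nidp1, nidp2))
```

Running the script shows the token request succeeding on the issuing node, failing with the invalid_code body on the other node of the node-local cluster, and succeeding on either node of the shared-store cluster. The replay check in redeem() is the single-use behaviour the Cause section refers to: a code accepted once is rejected on every later attempt, on any node.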

Additional Information

Troubleshooting:

Enable OAuth debug logging:

  • Enable the following NIDP cluster logging options:

    Enable File Logging

    Echo To Console

    Component File Logger Levels: “Application” and “OAuth & OpenID Connect” = debug

  • Edit the NIDP server logging configuration file (vi /opt/novell/nids/lib/webapp/WEB-INF/classes/log4j.properties) and apply the following settings:

==========================================================
# Set root logger priority to FATAL and its only appender to CONSOLE.
#log4j.rootCategory=FATAL, CONSOLE
log4j.rootCategory=DEBUG, CONSOLE

# CONSOLE is set to be a ConsoleAppender using a PatternLayout.
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
#log4j.appender.CONSOLE.Threshold=FATAL
log4j.appender.CONSOLE.Threshold=DEBUG
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.CONSOLE.layout.ConversionPattern=- %m%n

# added for OAuth debugging
log4j.logger.org.brickred.socialauth=DEBUG
log4j.logger.org.brickred.socialauth.provider=DEBUG
==========================================================

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.
