Description
Error 'Client authentication failed' when using the openid sample application with an AM sub-realm and not using the sub-realm's DNS alias (or with no sub-realm DNS alias).
Steps to reproduce:
Create a sub-realm, subscribers. Define a DNS alias for the realm, e.g. subscribers.amtest2.com
Create a test user account, e.g. testuser1. This can also be done using a separate data store if desired.
Configure common.js of openid to point to the AM app context, to use a sub-realm of subscribers, and to use the relevant client_id and client_secret.
Using the base URL of the site (top-level realm URL, e.g. openam.amtest2.com), navigate to the home page of openid (/openid) and select 'Try the Basic Client Profile'. Review the settings towards the bottom of the page.
From the dashboard of the subscribers realm, create an OpenID Connect Provider. Leave settings as default.
Create an application -> OAuth2 Client with a client_id of e.g. testoauth, a secret, and a redirection URI matching that in the openid settings above.
Leave the OAuth2 client settings for ID Token Signed Response Algorithm at their default values (these do not have a bearing on this test).
Using the openid application, click 'Start authorisation' at the bottom of the page. Log in as testuser1. Click to allow authorization. See an error message containing the following information:
Repeat, but navigate to the openid application using the subscribers DNS alias, e.g. subscribers.amtest2.com/openid. Repeat step 10. Now see a final page that indicates successful OAuth2 authorisation, and details of the received token are displayed.
Investigation
It looks as though the realm name is not passed through on the POST request; as a result AM attempts to find the OIDC client id (testoauth) in the top-level realm, not the sub-realm, and fails.
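The following is an added example, not code from the openid sample or from AM, illustrating the failure mode above from the client side: the token endpoint URL must carry the sub-realm explicitly when the request is not sent via the realm's DNS alias, and a small check can tell you which realm a request URL actually targets. It assumes AM's realm-in-path convention (/oauth2/realms/root/realms/<name>/...); adjust the path if your AM version exposes realms differently.

```javascript
'use strict';

// Split a realm string into path components: "/" -> [], "/subscribers" -> ["subscribers"].
function realmParts(realm) {
  return (realm || '/').split('/').filter(Boolean);
}

// Build an OAuth2 endpoint URL that names the realm in the path (assumed AM convention).
// Without the realm path, AM resolves the client in the realm implied by the host:
// the top-level realm unless the host matches a sub-realm DNS alias.
function oauth2Endpoint(baseUrl, realm, endpoint) {
  const base = baseUrl.replace(/\/+$/, '');
  const realmPath = realmParts(realm)
    .map((p) => '/realms/' + encodeURIComponent(p))
    .join('');
  return `${base}/oauth2/realms/root${realmPath}/${endpoint}`;
}

// Assemble the authorization-code token request. Client credentials go in the
// Authorization header rather than the form body, so they are not captured by
// logging that records request parameters.
function tokenRequest(cfg, code) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri,
  });
  const creds = Buffer.from(`${cfg.clientId}:${cfg.clientSecret}`).toString('base64');
  return {
    url: oauth2Endpoint(cfg.baseUrl, cfg.realm, 'access_token'),
    headers: {
      Authorization: `Basic ${creds}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  };
}

// Diagnostic: which realm does a request URL target? Returns "/" when the path carries
// no sub-realm, i.e. the client is about to be looked up in the top-level realm.
function realmTargetedBy(url) {
  const path = new URL(url).pathname;
  const m = path.match(/\/oauth2\/realms\/root((?:\/realms\/[^/]+)*)\//);
  if (!m) return '/';
  const parts = m[1].split('/realms/').filter(Boolean).map(decodeURIComponent);
  return '/' + parts.join('/');
}
```

Comparing realmTargetedBy(request.url) against the realm in common.js before sending the request surfaces the mismatch as a configuration error instead of an opaque 'Client authentication failed' response.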