Question
Standard Chartered Bank
IN
Last activity: 16 Jun 2023 6:02 EDT
OIDC Connect - Access token endpoint invocation failed - Passing mTLS cert jks keystore for access token call
Trying to implement openID connect authentication service. Getting following error.
Unable to execute OIDC flow : Access token endpoint invocation failed : {ErrorMessage=Response status : 400 Bad Request, statuscode=400} Identity provider except the access token call with the following details. Cert details along with others.
POST Request: "X-Cert:xxx=" --data "client_id= AppClientid " –data grant_type=authorization_code&code=AuthCodeGotIn1stCall&redirect_uri= https://sampleapp:321/prweb/PRAuth " https://sampleapp:321/prweb/PRAuth/sso/access_token
Pega application & Identity provider service agreement mutually identified with use of pega application TLS certificate passing along with the access token call. There is no clientid and client secret provided by identity provider.
Pega application mTLS cert file with .crt shared to identify provider. The same converted as jks keystore and pointed under secure portal configuration in advance configuration in openID authentication service.
Logs: StateParam Validation is successful
Fetching access token using authCode received
Exception is thrown for OIDC flow com.pega.pegarules.pub.PRRuntimeException: Access token endpoint invocation failed : {ErrorMessage=Response status : 400 Bad Request, statuscode=400}
Any thoughts on this?
Standard Chartered Bank
IN
Hi,
Identity provider expect TLS certificate in the authorization header with the following tag.
"X-Cert: xxzxzxzxdfssdfsdff="
But inbuilt paga it is not supported. It sends in different tag name.
Looks this is making trouble to hit the right service endpoint url and getting bad request 400 error.
Is there any option in pega to customize the authorization header name in the open id authentication service?
Please help on this issue if anybody come across same problem or suggest any work around for this.
Hi,
Identity provider expect TLS certificate in the authorization header with the following tag.
"X-Cert: xxzxzxzxdfssdfsdff="
But inbuilt paga it is not supported. It sends in different tag name.
Looks this is making trouble to hit the right service endpoint url and getting bad request 400 error.
Is there any option in pega to customize the authorization header name in the open id authentication service?
Please help on this issue if anybody come across same problem or suggest any work around for this.
Logs: StateParam Validation is successful Fetching access token using authCode received HTTP request method=POST, url=https://xxxxxxx If there were multiple values for header Content-Type, only expected one. Using the last value in the list. Adding header "Content-Type" to configured value "application/x-www-form-urlencoded" HTTP request headers: Content-Type: application/x-www-form-urlencoded Setting enabled protocols for Secure Socket to: [TLSv1.2] Socket's enabled cipher suites are: [xxx] Peer certificate chain: Server certificate chain trusted is trusted by TrustManager: com.pega.pegarules.integration.engine.internal.ssl.SSLUtils$TrustAllTrustManager http-outgoing-56 >> "POST /openam/oauth2/realms/root/realms/sso/access_token HTTP/1.1[\r][\n]" http-outgoing-56 >> "Content-Type: application/x-www-form-urlencoded[\r][\n]" http-outgoing-56 >> "Content-Length: 2751[\r][\n]" http-outgoing-56 >> "Host: xxxxxxxxxxx[\r][\n]" http-outgoing-56 >> "Connection: Keep-Alive[\r][\n]" http-outgoing-56 >> "User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_131)[\r][\n]" http-outgoing-56 >> "Accept-Encoding: gzip,deflate[\r][\n]" http-outgoing-56 >> "[\r][\n]" http-outgoing-56 >> "client_id=xxzx&client_secret=xzxz&grant_type=authorization_code&code=xzxz&redirect_uri=cxcxc http-outgoing-56 << "HTTP/1.1 400 Bad Request[\r][\n]" http-outgoing-56 << "Accept-Ranges: bytes[\r][\n]" http-outgoing-56 << "Cache-Control: no-store[\r][\n]" http-outgoing-56 << "Content-Encoding: gzip[\r][\n]" http-outgoing-56 << "Content-Type: application/json[\r][\n]"