How to solve HTTP/1.1 401 Unauthorized when trying to get the URI /ms_oauth/oauth2/ui/oauthservice/showconsent? (Doc ID 2109494.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Goal

The customer has configured an OAuth application to work with OAM using the default IAMSuiteAgent.

- After the customer reconfigures the WebGate to protect the OAuth services, following:
http://docs.oracle.com/cd/E52734_01/oam/AIAAG/oicconfigoauth.htm#AIAAG89815
53.5 Configuring a WebGate to Protect OAuth Services

the OAuth application fails with HTTP/1.1 401 Unauthorized when trying to get the URI /ms_oauth/oauth2/ui/oauthservice/showconsent

- The HTTP header trace shows that OAMAuthnCookie_host:port is set successfully.

- The authentication and authorization policies were verified and look OK.

Webgate logs show:

2016/02/12@12:07:03.63141 19463 19518 WEB DEBUG3 0x00000201 /ade/aime_ngamac_110154/ngamac/src/palantir/webgate2/src/ecid.cpp:63
 ecid^005At61EUWa4ykW_Px^Ayd0004jt0000Rh rid^0 "DMS ECID Information" ECID_WrappedString^1.005At61EUWa4ykW_Px%5eAyd0004jt0000Rh;k%5ejE ECID^005At61EUWa4ykW_Px%5eAyd0004jt0000Rh RID^0
 Function^OBWebGate_Err StartTime^2016/02/12@12:07:03.63139
 
 URI^/ms_oauth/oauth2/ui/oauthservice/showconsent
 
2016/02/12@12:07:03.63302 19463 19519 ACCESS_GATE TRACE 0x00000204 /ade/aime_ngamac_110154/ngamac/src/palantir/webgate2/src/web_gate.cpp:1953
 ecid^005At61J1Vv4ykW_Px^Ayd0004jt0000Ri rid^0 "Function exited" _TraceName^WebGate::StripObSSOCookie _TraceDuration^0.007468
 
2016/02/12@12:07:03.63474 19463 19518 WEB TRACE 0x00000203 /ade/aime_ngamac_110154/ngamac/src/palantir/webgate2/src/apache2entry_web_gate.cpp:940 ecid^005At61EUWa4ykW_Px^Ayd0004jt0000Rh rid^0
"Function entered" _TraceName^OBWebGate_Err _TraceAddress^0x7FCA71A36164
RequestReq^GET /ms_oauth/oauth2/ui/oauthservice/showconsent?response****************************************rect_uri=http%253A%252F%252F10.10.10.100%253A10805%252FRest_Web%252FCustomerInfo&scope=Customer.Info+UserProfile.me&state=abc&oracle_client_name=customerClient HTTP/1.1 RequestProto^HTTP/1.1 RequestHost^server123.company.com RequestStatLine^ RequestStatus^200

RequestRawUri^/ms_oauth/oauth2/ui/oauthservice/showconsent?response****************************************rect_uri=http%253A%252F%252F10.10.10.100%253A10805%252FRest_Web%252FCustomerInfo&scope=Customer.Info+UserProfile.me&state=abc&oracle_client_name=customerClient RequestUri^/ms_oauth/oauth2/ui/oauthservice/showconsent

RequestFilename^/ms_oauth/oauth2/ui/oauthservice/showconsent RequestPath^ RequestArgs^response****************************************rect_uri=http%253A%252F%252F10.10.10.100%253A10805%252FRest_Web%252FCustomerInfo&scope=Customer.Info+UserProfile.me&state=abc&oracle_client_name=customerClient

2016/02/12@12:07:03.63670 19463 19519 ACCESS_GATE TRACE 0x00000204 /ade/aime_ngamac_110154/ngamac/src/palantir/webgate2/src/web_gate.cpp:703 ecid^005At61J1Vv4ykW_Px^Ayd0004jt0000Ri rid^0 "Function exited" _TraceName^WebGate::ProcessRequest _TraceDuration^0.523926

2016/02/12@12:07:03.63849 19463 19518 WEB TRACE 0x00000203 /ade/aime_ngamac_110154/ngamac/src/palantir/webgate2/src/apache2entry_web_gate.cpp:1007 "Function entered" _TraceName^OBWebGate_Response

2016/02/12@12:07:03.64023 19463 19519 WEB TRACE 0x00000204 /ade/aime_ngamac_110154/ngamac/src/palantir/webgate2/src/apache2entry_web_gate.cpp:828 ecid^005At61J1Vv4ykW_Px^Ayd0004jt0000Ri rid^0 "Function exited" _TraceName^OBWebGate_AuthnAndAuthz _TraceAddress^0x7FCA71A2D1D2 _TraceDuration^0.583444 return^404

Here we see return^404, but the header trace shows HTTP/1.1 401.

- OAM managed server logs show:

[2016-02-16T10:28:25.943+02:00] [oam_server1] [TRACE] [OAMSSA-06013] [oracle.oam.engine.policy] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 005AxvelhQf4ykW_Px^Ayd0000zX00001J,1:29909] [APP: oam_server#11.1.2.0.0] [SRC_CLASS: oracle.security.am.common.policy.runtime.provider.common.RulesEvaluator] [SRC_METHOD: evaluate] PolicyRuntime :: paramName="result", paramDetail="ALLOW".
 
 [2016-02-16T10:28:25.945+02:00] [oam_server1] [TRACE] [OAMSSA-14001] [oracle.oam.engine.authz] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 005AxvelhQf4ykW_Px^Ayd0000zX00001J,1:29909] [APP: oam_server#11.1.2.0.0] [SRC_CLASS: oracle.security.am.engines.authz.AuthorizationEngine] [SRC_METHOD: isAuthorized] Authorization Engine :: paramName="AccessResult", paramValue="{ Result: true, Context: {authorization_failure_eval_conditions=[], resource_pattern=HTTP::SERVER_NAME::/ms_oauth/oauth2/ui/**::, authorization_policy_id=225aef67-9f60-47a1-9e60-4a60de2bdd0f, authorization_policy_name=WGS AUTHZ, application_domain=Custom WGS, authorization_success_eval_conditions=[TRUE]} }".
 ....
[2016-02-16T10:28:25.945+02:00] [oam_server1] [TRACE:16] [] [oracle.oam.engine.authz] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 005AxvelhQf4ykW_Px^Ayd0000zX00001J,1:29909] [APP: oam_server#11.1.2.0.0] [SRC_CLASS: oracle.security.am.engines.authz.AuthorizationEngine] [SRC_METHOD: isAuthorized] RETURN { Result: true, Context: {authorization_failure_eval_conditions=[], resource_pattern=HTTP::SERVER_NAME::/ms_oauth/oauth2/ui/**::, authorization_policy_id=225aef67-9f60-47a1-9e60-4a60de2bdd0f, authorization_policy_name=WGS AUTHZ, application_domain=Custom WGS, authorization_success_eval_conditions=[TRUE]}
....
[2016-02-16T10:28:25.974+02:00] [oam_server1] [TRACE] [] [oracle.oam.controler] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 005AxvelhQf4ykW_Px^Ayd0000zX00001J,1:29909] [APP: oam_server#11.1.2.0.0] [SRC_CLASS: oracle.security.am.engines.enginecontroller.AuthzEngineController] [SRC_METHOD: authorize] Is Authorized: true
[2016-02-16T10:28:25.974+02:00] [oam_server1] [TRACE:32] [] [oracle.oam.engine.policy] [tid: [ACTIVE].ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ] [ecid: 005AxvelhQf4ykW_Px^Ayd0000zX00001J,1:29909] [APP: oam_server#11.1.2.0.0] [SRC_CLASS: oracle.security.am.common.policy.util.URLUtils] [SRC_METHOD: decodeURL] Original url: %2Fms_oauth%2Foauth2%2Fui%2Foauthservice%2Fshowconsent

Here we see Is Authorized: true.
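As an added example (not part of the Oracle note), the script below pulls out the values this note compares: the `return^` code of a WebGate "Function exited" record, the `Is Authorized:` result in the OAM server log, and the status the client saw. The function names and the treatment of `return^` values of 400 or above as HTTP error statuses are assumptions; the records are trimmed copies of the excerpts above, which carry different dates and ECIDs, so no ECID join is attempted.

```python
import re

# Trimmed copies of the WebGate and OAM server records quoted above
# (source paths and unrelated fields shortened; values unchanged).
WEBGATE_LOG = '''\
2016/02/12@12:07:03.63670 19463 19519 ACCESS_GATE TRACE 0x00000204 web_gate.cpp:703 ecid^005At61J1Vv4ykW_Px^Ayd0004jt0000Ri rid^0 "Function exited" _TraceName^WebGate::ProcessRequest _TraceDuration^0.523926
2016/02/12@12:07:03.64023 19463 19519 WEB TRACE 0x00000204 apache2entry_web_gate.cpp:828 ecid^005At61J1Vv4ykW_Px^Ayd0004jt0000Ri rid^0 "Function exited" _TraceName^OBWebGate_AuthnAndAuthz _TraceDuration^0.583444 return^404
'''
OAM_LOG = '''\
[2016-02-16T10:28:25.974+02:00] [oam_server1] [TRACE] [] [oracle.oam.controler] [ecid: 005AxvelhQf4ykW_Px^Ayd0000zX00001J,1:29909] [SRC_METHOD: authorize] Is Authorized: true
'''

# Record header: timestamp, process id, thread id, module, level.
WG_HEAD = re.compile(r'^(\S+) (\d+) (\d+) (\w+) (\w+) ')

def webgate_returns(text):
    """Yield (timestamp, thread id, function, code) for exit records with return^."""
    for line in text.splitlines():
        head = WG_HEAD.match(line)
        name = re.search(r'_TraceName\^(\S+)', line)
        ret = re.search(r'(?<!\S)return\^(\d+)', line)
        if head and name and ret and '"Function exited"' in line:
            yield head.group(1), head.group(3), name.group(1), int(ret.group(1))

def oam_decisions(text):
    """Yield (ecid, authorized) for each 'Is Authorized:' line in the OAM log."""
    for line in text.splitlines():
        m = re.search(r'\[ecid: ([^\]]+)\].*Is Authorized: (true|false)', line)
        if m:
            yield m.group(1), m.group(2) == 'true'

def compare(webgate_text, oam_text, client_status):
    """Flag WebGate error returns that disagree with the OAM decision or the client."""
    allowed = any(ok for _, ok in oam_decisions(oam_text))
    findings = []
    for _ts, _tid, func, code in webgate_returns(webgate_text):
        if code < 400:  # assumption: values >= 400 are HTTP error statuses
            continue
        if allowed:
            findings.append((func, code, "OAM log shows Is Authorized: true"))
        if code != client_status:
            findings.append((func, code, f"client saw HTTP {client_status}"))
    return findings

if __name__ == "__main__":
    for finding in compare(WEBGATE_LOG, OAM_LOG, 401):
        print(finding)
```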

How to solve HTTP/1.1 401 Unauthorized when trying to get the URI /ms_oauth/oauth2/ui/oauthservice/showconsent?

 

Solution
