Oracle Access Manager OIDC/OAuth - Setting The Domain Via HTTP Header "x-oauth-identity-domain-name" In POST Requests To "/oauth2/rest/token" Fails With "System Error".
(Doc ID 2872764.1)
Last updated on SEPTEMBER 12, 2023
Applies to:
Oracle Access Manager - Version 12.2.1.3.0 and later
Information in this document applies to any platform.
Oracle is not responsible for instructions/information from 3rd party sites that may be contained in this KM note
Symptoms
An OpenID Connect (OIDC) OAuth flow that passes the identity domain name in the HTTP request fails with "System Error" when clients like Postman are used.
- Oracle Access Manager 12c
- Federated OIDC/OAuth protocols
- This used to work in OAM 11g OAuth
Requirement
- The identity domain name has to be set in every OIDC flow HTTP request.
- Setting a GET query parameter such as /oauth2/rest/authz?domain=oamdomain is not a problem for most OIDC clients, because it is part of the URL.
- Problems exist when setting the domain via the HTTP header x-oauth-identity-domain-name in POST requests to /oauth2/rest/token.
- Some clients, like Postman and iOS/Android apps, do not have out-of-the-box (OOTB) functionality for adding this header.
What is the recommended approach to support all OIDC clients?
Steps to Reproduce
Using Postman
- Authorization tab -> Type -> OAuth 2.0
- Token Name = JWTBearer
- Grant Type = Authorization Code
- Callback URL = <VALUE>
- Auth URL = http(s)://<HTTP_SERVER_FQDN:PORT>/oauth2/rest/authz?domain=<DOMAIN_NAME_VALUE>
- Access Token URL = http(s)://<WLS_MANAGED_SERVER_OAM_FQDN:PORT>/oauth2/rest/token
- Client ID = <CLIENT_ID_VALUE>
- Client Secret = <CLIENT_SECRET>
- Scope = Customer.Info
- State = <VALUE>
- Client Authentication = Send as Basic Auth Header
- Then click "Get New Access Token" -> System error
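The same authorization-code exchange issued directly with Python's standard library, as an added example that is not part of the Oracle note: the identity domain goes in the domain query parameter on /oauth2/rest/authz, and in the x-oauth-identity-domain-name header on the POST to /oauth2/rest/token, with the client credentials sent as a Basic auth header. The host, domain name, client id/secret and redirect URI are constructed placeholders.

```python
import base64
import urllib.parse
import urllib.request

# Constructed placeholder values; substitute your OAM deployment's own.
OAM_HOST = "https://oam.example.com:14100"      # WLS managed server hosting /oauth2/rest
DOMAIN = "oamdomain"                             # OAM identity domain name
CLIENT_ID = "my-client"
CLIENT_SECRET = "my-secret"
REDIRECT_URI = "https://app.example.com/callback"


def authz_url(domain, client_id, redirect_uri, scope="Customer.Info", state="xyz"):
    """GET /oauth2/rest/authz: the identity domain travels as the 'domain' query parameter."""
    params = {
        "domain": domain,
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{OAM_HOST}/oauth2/rest/authz?{urllib.parse.urlencode(params)}"


def basic_auth_header(client_id, client_secret):
    """'Send as Basic Auth Header' in Postman terms: base64(client_id:client_secret)."""
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def token_request(domain, client_id, client_secret, code, redirect_uri):
    """POST /oauth2/rest/token: the identity domain must be sent as the
    x-oauth-identity-domain-name header, which generic OAuth 2.0 helpers
    such as Postman's do not add to the token call."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "x-oauth-identity-domain-name": domain,  # missing header -> "System Error" as seen above
    }
    return urllib.request.Request(f"{OAM_HOST}/oauth2/rest/token",
                                  data=body, headers=headers, method="POST")


def exchange_code(code):
    """Send the token request and return the raw JSON response body (needs network access)."""
    req = token_request(DOMAIN, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()
```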
This works if the following is done via the command line:
1. Create the domain:
Changes
Cause