Creating OAuth2 Provider in AM 5.5.x and 6.x fails with a Could not initialise script configurations for realm error when using ssoadm
The purpose of this article is to provide assistance if you encounter a "Could not initialise script configurations for realm" error when trying to create an OAuth2 Provider in AM using ssoadm.
Symptoms
A blank response is shown when using a command such as the following to create the OAuth2 Provider:
$ ./ssoadm add-svc-realm -s OAuth2Provider -e / -u amadmin -f pwd.txt -D oauth2providerconfig.txt
Where the oauth2providerconfig.txt file contains the forgerock-oauth2-provider-oidc-claims-extension-script attribute.
The AM console does not show the creation of the OAuth2Provider.
Debug log
You will see the following error in the ssoadm Configuration debug log when this happens:
amCLI:02/08/2018 09:27:45:487 PM GMT: Thread[main,5,main]: TransactionId[unknown]
ERROR: An unexpected error occurred in thread 'Thread[main,5,main]'
java.lang.IllegalStateException: Could not initialise script configurations for realm /
at org.forgerock.openam.scripting.service.ScriptConfigurationService.reload(ScriptConfigurationService.java:130)
at org.forgerock.openam.scripting.service.ScriptConfigurationService.init(ScriptConfigurationService.java:115)
at org.forgerock.openam.scripting.service.ScriptConfigurationService.<init>(ScriptConfigurationService.java:111)
at org.forgerock.openam.scripting.service.ScriptChoiceValues.getScriptingService(ScriptChoiceValues.java:116)
at org.forgerock.openam.scripting.service.ScriptChoiceValues.getChoiceValues(ScriptChoiceValues.java:88)
at com.sun.identity.sm.AttributeSchemaImpl$AttributeSchemaState.getChoiceValuesMap(AttributeSchemaImpl.
...
Caused by: org.forgerock.openam.scripting.ScriptException: Script type not recognised: AUTHENTICATION_TREE_DECISION_NODE
Recent Changes
Upgraded to, or installed AM 5.5 or later.
Causes
The introduction of authentication tree nodes in AM 5.5 has caused an issue with modifying the script configuration in the OAuth2 provider service. The presence of the forgerock-oauth2-provider-oidc-claims-extension-script attribute prevents the OAuth2 provider being created or the custom script being updated for existing providers.
Solution
This issue can be resolved using one of the following approaches:
- Use Amster to create the OAuth2 provider
- Use the REST API to create the OAuth2 provider
- Exclude the problematic attribute and create the OAuth2 provider using ssoadm
Note
Since ssoadm is deprecated as of AM 5, this known issue will not be resolved.
Use Amster to create the OAuth2 provider
Create the OAuth provider as described in: Entity Reference › OAuth2Provider › create.
Use the REST API to create the OAuth2 provider
You can create the OAuth2 provider using the /realm-config/services/oauth-oidc REST endpoint. You can use the API Explorer to try out this endpoint as detailed in Development Guide › Introducing the API Explorer, which will provide the OAuth2 provider data you should include in the REST call or you can query the OAuth2 provider service first as demonstrated in the following example:
- Authenticate to obtain a SSOToken; you must use the actual AM server URL (not lb). For example:
$ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0, protocol=1.0" http://host1.example.com:8080/openam/json/realms/root/authenticate
Example response:{ "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" } - Retrieve the OAuth2Provider service details using the following curl command against the actual AM server URL (not lb), where the iPlanetDirectoryPro header (default AM session cookie name) is set to the token returned when you authenticated:
$ curl -X GET -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" http://host1.example.com:8080/openam/json/realms/root/realm-config/services/oauth-oidc
Example response (this has been truncated due to the size of response):{ "_id": "", "_rev": "-2046488110", "coreOAuth2Config": { "refreshTokenLifetime": 604800, ... ... "_type": { "_id": "oauth-oidc", "name": "OAuth2 Provider", "collection": false } } - Create the OAuth2 provider using the following curl command against the actual AM server URL (not lb), where the iPlanetDirectoryPro header (default AM session cookie name) is set to the token returned when you authenticated; the data option should include the response from step 2 with the configuration updated for the new provider, and the first _id and _rev fields removed, for example:
$ curl -X PUT -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=1.0, protocol=1.0" -d '{ "coreOAuth2Config": { "refreshTokenLifetime": 604800, ... ... "_type": { "_id": "oauth-oidc", "name": "OAuth2 Provider", "collection": false } }' http://host1.example.com:8080/openam/json/realms/root/realm-config/services/oauth-oidcExample response (this has been truncated due to the size of response):{ "_id": "", "_rev": "-870213730", "coreOAuth2Config": { "refreshTokenLifetime": 604800, ......... "_type": { "_id": "oauth-oidc", "name": "OAuth2 Provider", "collection": false } }
Exclude the problematic attribute and create the OAuth2 provider using ssoadm
- Remove the following attribute from your OAuth2 provider configuration file:
forgerock-oauth2-provider-oidc-claims-extension-script
- Re-run the ssoadm command to create the OAuth2 provider, for example:
$ ./ssoadm add-svc-realm -s OAuth2Provider -e / -u amadmin -f pwd.txt -D oauth2providerconfig.txt
- Add the custom claims script in the AM console by navigating to: Realms > [Realm Name] > Services > OAuth2 Provider > OpenID Connect > OIDC Claims Script and adding your custom claims script.
See Also
Related Training
N/A
Related Issue Tracker IDs
OPENAM-12305 (ssoadm does not create OAuth2Provider service)