Solutions

Creating OAuth2 Provider in AM 5.5.x, 6.x and 7.x fails with a Could not initialise script configurations for realm error when using ssoadm

Last updated Sep 14, 2020

The purpose of this article is to provide assistance if you encounter a "Could not initialise script configurations for realm" error when trying to create an OAuth2 Provider in AM using ssoadm.

Symptoms

A blank response is shown when using a command such as the following to create the OAuth2 Provider:

  • AM 7 and later: 
    $ ./ssoadm add-svc-realm -s OAuth2Provider -e / -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -D oauth2providerconfig.txt
  • Pre-AM 7: 
    $ ./ssoadm add-svc-realm -s OAuth2Provider -e / -u amadmin -f pwd.txt -D oauth2providerconfig.txt

Where the oauth2providerconfig.txt file contains the forgerock-oauth2-provider-oidc-claims-extension-script attribute.

The AM console does not show the creation of the OAuth2Provider.

Debug log

You will see the following error in the ssoadm Configuration debug log when this happens:

amCLI:02/08/2018 09:27:45:487 PM GMT: Thread[main,5,main]: TransactionId[unknown]
ERROR: An unexpected error occurred in thread 'Thread[main,5,main]'
java.lang.IllegalStateException: Could not initialise script configurations for realm /
   at org.forgerock.openam.scripting.service.ScriptConfigurationService.reload(ScriptConfigurationService.java:130)
   at org.forgerock.openam.scripting.service.ScriptConfigurationService.init(ScriptConfigurationService.java:115)
   at org.forgerock.openam.scripting.service.ScriptConfigurationService.<init>(ScriptConfigurationService.java:111)
   at org.forgerock.openam.scripting.service.ScriptChoiceValues.getScriptingService(ScriptChoiceValues.java:116)
   at org.forgerock.openam.scripting.service.ScriptChoiceValues.getChoiceValues(ScriptChoiceValues.java:88)
   at com.sun.identity.sm.AttributeSchemaImpl$AttributeSchemaState.getChoiceValuesMap(AttributeSchemaImpl.
...
Caused by: org.forgerock.openam.scripting.ScriptException: Script type not recognised: AUTHENTICATION_TREE_DECISION_NODE

Recent Changes

Upgraded to, or installed AM 5.5 or later.

Causes

The introduction of authentication tree nodes in AM 5.5 has caused an issue with modifying the script configuration in the OAuth2 provider service. The presence of the forgerock-oauth2-provider-oidc-claims-extension-script attribute prevents the OAuth2 provider being created or the custom script being updated for existing providers.

Solution

This issue can be resolved using one of the following approaches:

  • Use Amster to create the OAuth2 provider
  • Use the REST API to create the OAuth2 provider
  • Exclude the problematic attribute and create the OAuth2 provider using ssoadm

Use Amster to create the OAuth2 provider

Create the OAuth provider as described in: Entity Reference › OAuth2Provider.

Use the REST API to create the OAuth2 provider

Note

Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM/OpenAM server URL (not lb).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains a valid resource version (AM 5 and later).

See How do I avoid common issues with REST calls in AM/OpenAM (All versions)? for further information.

You can create the OAuth2 provider using the /realm-config/services/oauth-oidc REST endpoint​. You can use the API Explorer to try out this endpoint as detailed in Getting Started with REST › REST API Explorer, which will provide the OAuth2 provider data you should include in the REST call or you can query the OAuth2 provider service first as demonstrated in the following example:

  1. Authenticate as an admin user. For example: 
    $ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1"  http://host1.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=adminconsoleservice
    Example response: 
    { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" }
  2. Retrieve the OAuth2Provider service details using the following curl command: 
    $ curl -X GET -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" http://host1.example.com:8080/openam/json/realms/root/realm-config/services/oauth-oidc
    Example response (this has been truncated due to the size of response): 
    {
    "_id": "",
    "_rev": "-2046488110",
    "coreOAuth2Config": {
        "refreshTokenLifetime": 604800,
...
...
  "_type": {
    "_id": "oauth-oidc",
    "name": "OAuth2 Provider",
    "collection": false
  }
}
  3. Create the OAuth2 provider using the following curl command; the data option should include the response from step 2 with the configuration updated for the new provider, and the first _id and _rev fields removed, for example: 
    $ curl -X PUT -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=1.0" -d '{
    "coreOAuth2Config": {
        "refreshTokenLifetime": 604800,
...
...
  "_type": {
    "_id": "oauth-oidc",
    "name": "OAuth2 Provider",
    "collection": false
  }
}' http://host1.example.com:8080/openam/json/realms/root/realm-config/services/oauth-oidc
    Example response (this has been truncated due to the size of response): 
    {
    "_id": "",
    "_rev": "-870213730",
    "coreOAuth2Config": {
        "refreshTokenLifetime": 604800,
.........
    "_type": {
        "_id": "oauth-oidc",
        "name": "OAuth2 Provider",
        "collection": false
    }
}

Exclude the problematic attribute and create the OAuth2 provider using ssoadm

  1. Remove the following attribute from your OAuth2 provider configuration file: 
    forgerock-oauth2-provider-oidc-claims-extension-script
  2. Re-run the ssoadm command to create the OAuth2 provider, for example:
    • AM 7 and later: 
      $ ./ssoadm add-svc-realm -s OAuth2Provider -e / -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -D oauth2providerconfig.txt
    • Pre-AM 7: 
      $ ./ssoadm add-svc-realm -s OAuth2Provider -e / -u amadmin -f pwd.txt -D oauth2providerconfig.txt
  3. Add the custom claims script in the AM console by navigating to: Realms > [Realm Name] > Services > OAuth2 Provider > OpenID Connect > OIDC Claims Script and adding your custom claims script.

See Also

OAuth 2.0 in AM/OpenAM

Using Amster in AM

Using the REST API in AM/OpenAM

Reference › OAuth2 Provider

Related Training

N/A

Related Issue Tracker IDs

OPENAM-12305 (ssoadm does not create OAuth2Provider service)

Copyright and TrademarksCopyright © 2020 ForgeRock, all rights reserved.
Loading...