Creating OAuth2 Provider in AM 5.5.x and 6 fails with a Could not initialise script configurations for realm error when using ssoadm

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if you encounter a "Could not initialise script configurations for realm" error when trying to create an OAuth2 Provider in AM using ssoadm.


Symptoms

A blank response is shown when using a command such as the following to create the OAuth2 Provider:

$ ./ssoadm add-svc-realm -s OAuth2Provider -e / -u amadmin -f pwd.txt -D oauth2providerconfig.txt

Where the oauth2providerconfig.txt file contains the forgerock-oauth2-provider-oidc-claims-extension-script attribute. 

The AM console does not show the creation of the OAuth2Provider.

Debug log

You will see the following error in the ssoadm Configuration debug log when this happens:

amCLI:02/08/2018 09:27:45:487 PM GMT: Thread[main,5,main]: TransactionId[unknown]
ERROR: An unexpected error occurred in thread 'Thread[main,5,main]'
java.lang.IllegalStateException: Could not initialise script configurations for realm /
   at org.forgerock.openam.scripting.service.ScriptConfigurationService.reload(ScriptConfigurationService.java:130)
   at org.forgerock.openam.scripting.service.ScriptConfigurationService.init(ScriptConfigurationService.java:115)
   at org.forgerock.openam.scripting.service.ScriptConfigurationService.<init>(ScriptConfigurationService.java:111)
   at org.forgerock.openam.scripting.service.ScriptChoiceValues.getScriptingService(ScriptChoiceValues.java:116)
   at org.forgerock.openam.scripting.service.ScriptChoiceValues.getChoiceValues(ScriptChoiceValues.java:88)
   at com.sun.identity.sm.AttributeSchemaImpl$AttributeSchemaState.getChoiceValuesMap(AttributeSchemaImpl.
...
Caused by: org.forgerock.openam.scripting.ScriptException: Script type not recognised: AUTHENTICATION_TREE_DECISION_NODE

Recent Changes

Upgraded to, or installed AM 5.5 or later.

Causes

AM 5.5 introduced authentication trees, and with them a new script type, AUTHENTICATION_TREE_DECISION_NODE. When ssoadm processes the forgerock-oauth2-provider-oidc-claims-extension-script attribute it must resolve that attribute's choice values, which loads every script configuration in the realm (ScriptChoiceValues.getChoiceValues in the stack trace above). The scripting service used by ssoadm does not recognise the new script type, so the load fails with the "Script type not recognised" exception and the whole add-svc-realm operation is abandoned. As a result, the presence of this attribute prevents the OAuth2 provider from being created via ssoadm, and prevents the custom script from being updated via ssoadm on existing providers. The remaining attributes in the configuration file are not affected.

Solution

This issue can be resolved using one of the following approaches:

  • Use Amster to create the OAuth2 provider
  • Use the REST API to create the OAuth2 provider
  • Exclude the problematic attribute and create the OAuth2 provider using ssoadm
Note

Since ssoadm is deprecated as of AM 5, this known issue will not be resolved.

Use Amster to create the OAuth2 provider

Create the OAuth provider as described in: Entity Reference › OAuth2Provider › create.

Use the REST API to create the OAuth2 provider

You can create the OAuth2 provider using the /realm-config/services/oauth-oidc REST endpoint. Either use the API Explorer, as detailed in Development Guide › Introducing the API Explorer, to discover the OAuth2 provider data you should include in the REST call, or query the OAuth2 provider service first and reuse its response, as demonstrated in the following example:

  1. Authenticate to obtain an SSOToken; you must use the actual AM server URL (not the load balancer). Note that this passes the amadmin password on the command line, so it is visible in shell history and process listings; use HTTPS outside a lab and treat the returned tokenId as an administrator credential. For example:
    $ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.0, protocol=1.0"  http://host1.example.com:8080/openam/json/realms/root/authenticate
    
    Example response:
    { "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*", "successUrl": "/openam/console", "realm": "/" }
    
  2. Retrieve the OAuth2Provider service details using the following curl command against the actual AM server URL (not lb), where the iPlanetDirectoryPro header (default AM session cookie name) is set to the token returned when you authenticated:
    $ curl -X GET -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" http://host1.example.com:8080/openam/json/realms/root/realm-config/services/oauth-oidc 
    
    Example response (this has been truncated due to the size of response):
    {
        "_id": "",
        "_rev": "-2046488110",
        "coreOAuth2Config": {
            "refreshTokenLifetime": 604800,
    ...
    ...
      "_type": {
        "_id": "oauth-oidc",
        "name": "OAuth2 Provider",
        "collection": false
      }
    }
    
    
  3. Create the OAuth2 provider using the following curl command against the actual AM server URL (not lb), where the iPlanetDirectoryPro header (default AM session cookie name) is set to the token returned when you authenticated; the data option should include the response from step 2 with the configuration updated for the new provider, and the first _id and _rev fields removed, for example:
    $ curl -X PUT -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=1.0, protocol=1.0" -d '{
        "coreOAuth2Config": {
            "refreshTokenLifetime": 604800,
    ...
    ...
      "_type": {
        "_id": "oauth-oidc",
        "name": "OAuth2 Provider",
        "collection": false
      }
    }' http://host1.example.com:8080/openam/json/realms/root/realm-config/services/oauth-oidc
    
    Example response (this has been truncated due to the size of response):
    {
        "_id": "",
        "_rev": "-870213730",
        "coreOAuth2Config": {
            "refreshTokenLifetime": 604800,
    .........
        "_type": {
            "_id": "oauth-oidc",
            "name": "OAuth2 Provider",
            "collection": false
        }
    }
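The three REST steps above carried through as one script. This is an added example, not code from the ForgeRock article or product; it assumes the same server URL, amadmin account and default iPlanetDirectoryPro cookie name as the curl commands, and the sub-realm path mapping it uses (/realms/root/realms/<name>) is an assumption, since the page only shows the root realm. The SAMPLE_EXISTING dictionary is constructed from the truncated GET response above so that the payload preparation can be exercised without a server.

```python
"""Create an OAuth2 provider over the AM REST API: authenticate, GET the existing
provider configuration, strip the top-level _id/_rev, apply changes, PUT.
Added example, not ForgeRock code. Assumes an AM instance at AM_BASE that is
reached directly (not via a load balancer) and the default session cookie name."""
import getpass
import json
import sys
import urllib.request

AM_BASE = "http://host1.example.com:8080/openam"  # assumption: same host as the curl examples
COOKIE_NAME = "iPlanetDirectoryPro"                # AM default session cookie name


def realm_path(realm):
    """Map a realm name ("/", "/customers", "/customers/eu") to the realm segment of
    the realm-aware REST URLs: "/" -> "/realms/root"; nested realms chain
    "/realms/<name>" segments (assumption for sub-realms; the page only shows root)."""
    parts = [p for p in realm.split("/") if p]
    return "/realms/root" + "".join("/realms/" + p for p in parts)


def provider_path(realm="/"):
    return "/json" + realm_path(realm) + "/realm-config/services/oauth-oidc"


def _request(method, path, headers, body=None):
    data = None if body is None else json.dumps(body).encode("utf-8")
    req = urllib.request.Request(AM_BASE + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def authenticate(username, password):
    """Step 1: POST to the authenticate endpoint and return the SSO token.
    The password travels in a header, so only do this over HTTPS outside a lab."""
    headers = {
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=2.0, protocol=1.0",
    }
    return _request("POST", "/json/realms/root/authenticate", headers)["tokenId"]


def session_headers(token, api_version=None):
    """Headers carrying the session token, as the curl commands do with -H."""
    headers = {COOKIE_NAME: token, "Content-Type": "application/json"}
    if api_version:
        headers["Accept-API-Version"] = api_version
    return headers


def get_provider(token, realm="/"):
    """Step 2: read the current OAuth2 provider service configuration."""
    return _request("GET", provider_path(realm), session_headers(token))


def prepare_payload(existing, overrides):
    """Step 3 (payload): drop only the top-level _id and _rev (the nested _type block
    stays), then merge per-section overrides. Unknown sections are rejected so that a
    typo cannot silently add an attribute AM would ignore. The input is not mutated."""
    payload = {k: v for k, v in existing.items() if k not in ("_id", "_rev")}
    for section, values in overrides.items():
        if not isinstance(payload.get(section), dict):
            raise KeyError("unknown provider section: %s" % section)
        payload[section] = {**payload[section], **values}
    return payload


def create_provider(token, payload, realm="/"):
    """Step 3 (call): PUT the prepared configuration and return AM's response."""
    return _request("PUT", provider_path(realm),
                    session_headers(token, "resource=1.0, protocol=1.0"), payload)


# Constructed stand-in for the truncated GET response shown above (sample data).
SAMPLE_EXISTING = {
    "_id": "", "_rev": "-2046488110",
    "coreOAuth2Config": {"refreshTokenLifetime": 604800},
    "_type": {"_id": "oauth-oidc", "name": "OAuth2 Provider", "collection": False},
}

if __name__ == "__main__":
    # usage: python create_provider.py amadmin [realm]; password is prompted, not passed on argv
    user = sys.argv[1]
    realm = sys.argv[2] if len(sys.argv) > 2 else "/"
    token = authenticate(user, getpass.getpass("AM password: "))
    current = get_provider(token, realm)
    # example override: shorten the refresh token lifetime (value chosen for illustration)
    new_config = prepare_payload(current, {"coreOAuth2Config": {"refreshTokenLifetime": 3600}})
    print(json.dumps(create_provider(token, new_config, realm), indent=2))
```

The Accept-API-Version header differs between the authenticate call (resource=2.0) and the PUT (resource=1.0), as in the curl commands above; sending the wrong version to either endpoint is a common cause of a 4xx response when scripting these calls.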
    

Exclude the problematic attribute and create the OAuth2 provider using ssoadm

  1. Remove the following attribute from your OAuth2 provider configuration file:
    forgerock-oauth2-provider-oidc-claims-extension-script
  2. Re-run the ssoadm command to create the OAuth2 provider, for example:
    $ ./ssoadm add-svc-realm -s OAuth2Provider -e / -u amadmin -f pwd.txt -D oauth2providerconfig.txt
  3. Add the custom claims script in the AM console by navigating to: Realms > [Realm Name] > Services > OAuth2 Provider > OpenID Connect > OIDC Claims Script and adding your custom claims script.

See Also

OAuth 2.0 in AM/OpenAM

Using Amster in AM

Using the REST API in AM/OpenAM

Reference › OAuth2 Provider

Related Training

N/A

Related Issue Tracker IDs

OPENAM-12305 (ssoadm does not create OAuth2Provider service)



Copyright © 2018 ForgeRock, all rights reserved.