
FailedToLoadJWKException when retrieving OAuth2 access token in AM (All versions)

Last updated Mar 2, 2020

The purpose of this article is to provide assistance if you encounter a FailedToLoadJWKException ("Unable to load the JWK location over HTTP" or "Unable to load keys from the JWK over HTTP") when attempting to retrieve an OAuth2 access token in AM. You may also encounter a redirect loop with this error if you have integrated AM with IDM and are using AM for authentication.


Symptoms

The following response may be seen when requesting an access token:

{"error_description": "server_error","error": "server_error"}

Note

You will not see this response in AM 6.x if you are using an HMAC-based signing algorithm, but you will still see the following error in the logs with message level debug enabled.

An error similar to one of the following is shown in the OAuth2Provider log when this happens:

  • Unable to load the JWK location over HTTP:
    • An error occurred while retrieving the JWT credentials:
      OAuth2Provider:10/12/2019 11:07:22:505 AM GMT: Thread[http-apr-8443-exec-23,5,main]: TransactionId[bfd1a64f-d7af-88f7-40e5-1ab3d59a9120-287]
      ERROR: An error occurred while retrieving the JWT credentials
      org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load keys from the JWK over HTTP
         at org.forgerock.json.jose.jwk.store.JwksStore.<init>(JwksStore.java:101)
         at org.forgerock.json.jose.jwk.store.JwksStoreService.configureJwksStore(JwksStoreService.java:108)
         at org.forgerock.json.jose.jwk.store.JwksStoreService.configureJwksStore(JwksStoreService.java:84)
         at org.forgerock.openam.oauth2.OpenAMClientRegistration.getJwksStore(OpenAMClientRegistration.java:601)
    • Failed to update JwkStore for jwks URI:
      OAuth2Provider:10/12/2019 11:07:22:505 AM GMT: Thread[http-apr-8443-exec-23,5,main]: TransactionId[bfd1a64f-d7af-88f7-40e5-1ab3d59a9120-287]
      ERROR: Failed to update JwkStore for jwks URI http://host1.example.com:8080/am/oauth2/employees/connect/jwk_uri
      org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load the JWK location over HTTP
         at org.forgerock.json.jose.jwk.JWKSetParser.gatherHttpContents(JWKSetParser.java:84)
         at org.forgerock.json.jose.jwk.JWKSetParser.jwkSet(JWKSetParser.java:96)
         at org.forgerock.json.jose.jwk.store.JwksStore.reloadJwks(JwksStore.java:85)
      
  • Unable to load keys from the JWK over HTTP:
    OAuth2Provider:10/12/2019 11:07:22:505 AM GMT: Thread[http-apr-8443-exec-23,5,main]: TransactionId[bfd1a64f-d7af-88f7-40e5-1ab3d59a9120-287]
    ERROR: OpenAMClientRegistration: unable to load client public key(s)
    org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load keys from the JWK over HTTP
       at org.forgerock.json.jose.jwk.store.JwksStore.<init>(JwksStore.java:101)

IDM

If AM is integrated with IDM and you are using AM for authentication, you may encounter the following redirect scenario in IDM:

  1. Attempt to authenticate to IDM, which redirects you to AM as expected.
  2. Authenticate successfully with AM, which redirects you back to IDM with an authorization code as expected.
  3. IDM then redirects you back to AM (without prompting for further credentials), retrieves another code and redirects you back to IDM again.

  This redirect loop repeats continuously.

See How does the OIDC authorization flow work when IDM 5.5.x or 6.x is integrated with AM? for further information on the expected flow.

Recent Changes

Upgraded to, or installed, AM 5.5 or later.

Integrated AM with IDM.

Configured an HMAC for signing JWT tokens (HS256, HS384 or HS512 signing algorithms).

Causes

There are two separate causes that can result in these symptoms:

  • The JWK URI is incorrectly pre-populated, which prevents the access token being retrieved. This setting cannot be pre-populated in a meaningful way and should be set specifically for your configuration if needed. This is a known issue: OPENAM-9777 (Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly).
  • Changes were made in AM 5.5 to ensure the JWK URI is resolvable if you use an HMAC for signing JWT tokens:

    • If you are using an RSA-based signing algorithm and the URI is not resolvable, access token requests fail with the errors shown in the Symptoms section.
    • If you are using an HMAC-based signing algorithm and the URI is not resolvable, the behavior depends on your version:

Solution

This issue can be resolved as follows depending on which Public key selector method you use:

  • If you use the JWKs_URI selector (default): you should ensure the JWK URI is correct, is reachable from AM and does not time out.
  • If you use the JWKs or X509 selector: you should remove the default JWK URI value.
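The following added example (not part of the ForgeRock article, and not AM's own code) is a small check you can run from the AM host before saving a jwksUri: it fetches the URI with a hard timeout, treats DNS failures, refused connections and timeouts as the same "unreachable" condition that triggers FailedToLoadJWKException, and validates that the response is a JWK Set with usable keys. The sample JWK documents are constructed; the URI in the main block is the realm-qualified pattern from the log excerpt above.

```python
"""Check a client's jwksUri: reachable, answers within a timeout, returns a usable JWK Set."""
import json
import urllib.request
from urllib.error import URLError

# Minimum members a key must carry to be usable for signature verification, per kty.
REQUIRED_BY_KTY = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "oct": {"k"}}


def validate_jwks(body: str) -> list:
    """Return the list of problems found in a JWK Set document (empty list means OK)."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"body is not JSON: {exc}"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["no non-empty 'keys' array in JWK Set"]
    problems = []
    for i, jwk in enumerate(keys):
        kty = jwk.get("kty")
        if kty not in REQUIRED_BY_KTY:
            problems.append(f"key {i}: unsupported or missing kty {kty!r}")
            continue
        missing = REQUIRED_BY_KTY[kty] - set(jwk)
        if missing:
            problems.append(f"key {i} ({kty}): missing {sorted(missing)}")
        if "kid" not in jwk:
            problems.append(f"key {i}: no kid, so it cannot be selected by key id")
    return problems


def check_jwks_uri(uri: str, timeout: float = 5.0) -> list:
    """Fetch the URI with a hard timeout and validate the body; returns a problem list."""
    try:
        with urllib.request.urlopen(uri, timeout=timeout) as resp:
            return validate_jwks(resp.read().decode("utf-8"))
    except (URLError, OSError, ValueError) as exc:  # DNS failure, refused, timeout, bad encoding
        return [f"cannot load {uri}: {exc}"]


# Constructed sample documents (not captured from a real AM instance).
GOOD_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "0vx7agoebGcQ", "e": "AQAB"}]})
BAD_JWKS = json.dumps({"keys": [{"kty": "RSA", "n": "0vx7agoebGcQ"}]})  # no 'e', no 'kid'

if __name__ == "__main__":
    print(validate_jwks(GOOD_JWKS))
    print(validate_jwks(BAD_JWKS))
    # Realm-qualified default pattern from the log excerpt; unreachable here, so a problem is reported.
    print(check_jwks_uri("http://host1.example.com:8080/am/oauth2/employees/connect/jwk_uri", 2))
```

An empty list from check_jwks_uri means the URI is safe to keep in the JWKs_URI selector; any other result is the condition the article describes, and the jwksUri should be corrected or removed.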

See OAuth 2.0 Guide › Signing and Encryption for further information.

Modifying the JWKS URI

You can modify the JWK URI using either the console, Amster or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Applications > OAuth 2.0 > Clients > [Client Name] > Signing and Encryption and either enter a valid URL in the Json Web Key URI field or remove the default value as necessary.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: OAuth2Clients
    • Property: jwksUri
  • ssoadm: enter the following command:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.forgerock.openam.oauth2provider.jwksURI=[JWKS_URL]
    replacing [realmname], [agentname], [adminID], [passwordfile] and [JWKS_URL] with appropriate values.

See Also

OAuth 2.0 in AM/OpenAM

OAuth 2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15968 (OAuth2 - no need to check the jwk_uri when ID token HS signing is selected)

OPENAM-11997 (Document changed behavior when JWK URI is not resolvable (and HSxxx is used))

OPENAM-9777 (Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly)



Copyright © 2020 ForgeRock, all rights reserved.