ForgeRock Identity Platform
Does not apply to Identity Cloud

FailedToLoadJWKException when retrieving OAuth2 access token in AM (All versions)

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you encounter a FailedToLoadJWKException ("Unable to load the JWK location over HTTP" or "Unable to load keys from the JWK over HTTP") when attempting to retrieve an OAuth2 access token in AM. You may also encounter a redirect loop with this error if you have integrated AM with IDM and are using AM for authentication.


Symptoms

The following response may be seen when requesting an access token:

{"error_description": "server_error","error": "server_error"}

You will not see this response in AM 6.x if you are using an HMAC-based signing algorithm (HS256, HS384 or HS512), but the following error is still written to the OAuth2Provider log when message-level debug logging is enabled.

OAuth2Provider log

An error similar to one of the following is shown in the OAuth2Provider log when this happens:

  • Unable to load the JWK location over HTTP:
    • An error occurred while retrieving the JWT credentials:
      OAuth2Provider:10/12/2019 11:07:22:505 AM GMT: Thread[http-apr-8443-exec-23,5,main]: TransactionId[bfd1a64f-d7af-88f7-40e5-1ab3d59a9120-287] ERROR: An error occurred while retrieving the JWT credentials
      org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load keys from the JWK over HTTP
        at org.forgerock.json.jose.jwk.store.JwksStore.<init>(JwksStore.java:101)
        at org.forgerock.json.jose.jwk.store.JwksStoreService.configureJwksStore(JwksStoreService.java:108)
        at org.forgerock.json.jose.jwk.store.JwksStoreService.configureJwksStore(JwksStoreService.java:84)
        at org.forgerock.openam.oauth2.OpenAMClientRegistration.getJwksStore(OpenAMClientRegistration.java:601)
    • Failed to update JwkStore for jwks URI:
      OAuth2Provider:10/12/2019 11:07:22:505 AM GMT: Thread[http-apr-8443-exec-23,5,main]: TransactionId[bfd1a64f-d7af-88f7-40e5-1ab3d59a9120-287] ERROR: Failed to update JwkStore for jwks URI https://am.example.com:8443/am/oauth2/employees/connect/jwk_uri
      org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load the JWK location over HTTP
        at org.forgerock.json.jose.jwk.JWKSetParser.gatherHttpContents(JWKSetParser.java:84)
        at org.forgerock.json.jose.jwk.JWKSetParser.jwkSet(JWKSetParser.java:96)
        at org.forgerock.json.jose.jwk.store.JwksStore.reloadJwks(JwksStore.java:85)
  • Unable to load keys from the JWK over HTTP:
      OAuth2Provider:10/12/2019 11:07:22:505 AM GMT: Thread[http-apr-8443-exec-23,5,main]: TransactionId[bfd1a64f-d7af-88f7-40e5-1ab3d59a9120-287] ERROR: OpenAMClientRegistration: unable to load client public key(s)
      org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load keys from the JWK over HTTP
        at org.forgerock.json.jose.jwk.store.JwksStore.<init>(JwksStore.java:101)

IDM

If AM is integrated with IDM and you are using AM for authentication, you may encounter the following redirect scenario in IDM:

  1. Attempt to authenticate to IDM, which redirects you to AM as expected.
  2. Authenticate successfully with AM, which redirects you back to IDM with an authorization code as expected.
  3. IDM then redirects you back to AM (without prompting for further credentials), retrieves another code and redirects you back to IDM again.

This redirect loop repeats continuously.

See How does the OIDC authorization flow work when IDM (All versions) is integrated with AM? for further information on the expected flow in IDM 6.x.

Recent Changes

Upgraded or installed AM.

Integrated AM with IDM.

Configured an HMAC for signing JWT tokens (HS256, HS384 or HS512 signing algorithms).

Causes

There are two separate causes that can result in these symptoms:

  • The client uses the JWKs_URI public key selector (the default) and the configured Json Web Key URI is incorrect, is not reachable from the AM server, or does not respond before AM's request times out, so AM cannot load the key set.
  • The client uses the JWKs or X509 public key selector but the Json Web Key URI field still holds the pre-populated default value (OPENAM-9777), so AM attempts to load a key set that the selected method does not need. AM makes this lookup even when an HMAC signing algorithm (HS256, HS384 or HS512) is selected for the ID token (OPENAM-15968), which is why the error still appears in the logs in that configuration.

Solution

The fix depends on which Public key selector method the client uses:

  • If you use the JWKs_URI selector (default): ensure the Json Web Key URI is correct, is reachable from the AM server itself (not just from your workstation, since DNS, firewall rules and TLS trust can differ), and responds before AM's request times out.
  • If you use the JWKs or X509 selector: remove the default JWK URI value so that AM does not attempt to load a key set it does not use.

See Client Registration for further information.
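As an added example (not ForgeRock's code and not part of the original article), the following Python script performs the check the first bullet above asks for and applies the selector rule to a client's configuration: it fetches a Json Web Key URI over HTTPS with a bounded timeout, parses the body as a JWK Set, and reports why AM would have nothing to load from it. The selector strings (jwks_uri, jwks, x509), the constructed SAMPLE_JWK_SET and all function names are assumptions made for the example; run it from the AM server so that name resolution, firewall rules and TLS trust match what AM sees.

```python
"""Added check (not ForgeRock code): can an OAuth2 client's JWKS URI be loaded?"""
import json
import socket
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Public-key members that RFC 7517/7518 require for each supported key type.
REQUIRED_PUBLIC_MEMBERS = {
    "RSA": ("n", "e"),
    "EC": ("crv", "x", "y"),
}

# Constructed sample JWK Set used only to exercise the parser offline; key values are placeholders.
SAMPLE_JWK_SET = json.dumps({"keys": [
    {"kty": "RSA", "kid": "constructed-rsa", "use": "sig", "alg": "RS256", "n": "AQABAQAB", "e": "AQAB"},
    {"kty": "EC", "kid": "constructed-ec", "use": "sig", "crv": "P-256", "x": "AQABAQAB", "y": "AQABAQAB"},
]})


def validate_jwk_set(document):
    """Parse a JWK Set document and return its usable public keys; raise ValueError otherwise."""
    try:
        data = json.loads(document)
    except ValueError as exc:
        raise ValueError("response is not JSON: %s" % exc)
    if not isinstance(data, dict) or not isinstance(data.get("keys"), list):
        raise ValueError('a JWK Set must be a JSON object with a "keys" array')
    usable = []
    for index, jwk in enumerate(data["keys"]):
        if not isinstance(jwk, dict):
            raise ValueError("keys[%d] is not a JSON object" % index)
        kty = jwk.get("kty")
        if kty not in REQUIRED_PUBLIC_MEMBERS:
            raise ValueError("keys[%d] has missing or unsupported kty %r" % (index, kty))
        missing = [m for m in REQUIRED_PUBLIC_MEMBERS[kty] if m not in jwk]
        if missing:
            raise ValueError("keys[%d] (%s) is missing %s" % (index, kty, ", ".join(missing)))
        if "d" in jwk:
            # A JWKS URI must only ever publish public keys.
            raise ValueError("keys[%d] contains the private component 'd'" % index)
        usable.append(jwk)
    if not usable:
        raise ValueError("the JWK Set contains no keys")
    return usable


def jwk_set_problem(document):
    """Return None if the document is a usable JWK Set, else the reason it is not."""
    try:
        validate_jwk_set(document)
        return None
    except ValueError as exc:
        return str(exc)


def fetch_jwk_set(url, timeout=5.0):
    """Fetch and validate a JWKS URI; returns (ok, keys) on success or (False, reason)."""
    if not url.lower().startswith("https://"):
        return False, "JWKS URI must be an https URL, got %r" % url
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            body = response.read().decode("utf-8")
    except HTTPError as exc:
        return False, "HTTP %d from %s" % (exc.code, url)
    except socket.timeout:
        return False, "no response within %.1fs from %s" % (timeout, url)
    except URLError as exc:
        # DNS failure, connection refused, TLS trust failure or a wrapped connect timeout.
        return False, "cannot reach %s: %s" % (url, exc.reason)
    problem = jwk_set_problem(body)
    if problem:
        return False, "%s did not return a usable JWK Set: %s" % (url, problem)
    return True, validate_jwk_set(body)


def diagnose_client(public_key_selector, jwks_uri, timeout=5.0):
    """Apply the article's rule: validate the URI for JWKs_URI, clear it for JWKs/X509."""
    selector = (public_key_selector or "").lower()  # selector names are an assumption
    if selector == "jwks_uri":
        if not jwks_uri:
            return "FIX: JWKs_URI selector is in use but no Json Web Key URI is set"
        ok, detail = fetch_jwk_set(jwks_uri, timeout)
        if ok:
            return "OK: loaded %d key(s) from %s" % (len(detail), jwks_uri)
        return "FIX the Json Web Key URI: %s" % detail
    if selector in ("jwks", "x509"):
        if jwks_uri:
            return "FIX: remove the leftover Json Web Key URI %r; the %s selector does not use it" % (jwks_uri, selector)
        return "OK: no Json Web Key URI set for the %s selector" % selector
    return "unknown public key selector %r" % public_key_selector


if __name__ == "__main__":
    # Usage: python check_jwks.py <selector> [<jwks-uri>]
    print(diagnose_client(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else ""))
```

If the script reports a timeout or "cannot reach" from the AM server while the same URL works from a browser, the problem is between AM and the JWKS host (proxy, firewall, DNS or an untrusted certificate), which is exactly the case the first bullet covers; a "did not return a usable JWK Set" result points at the endpoint's content rather than its reachability.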

Modifying the JWKS URI

You can modify the JWK URI using either the AM admin UI, Amster or ssoadm:

  • AM admin UI: navigate to: Realms > [Realm Name] > Applications > OAuth 2.0 > Clients > [Client Name] > Signing and Encryption and either enter a valid URL in the Json Web Key URI field or remove the default value as necessary.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: OAuth2Clients
    • Property: jwksUri
  • ssoadm: enter the following command:
    $ ./ssoadm update-agent -e [realmname] -b [agentname] -u [adminID] -f [passwordfile] -a com.forgerock.openam.oauth2provider.jwksURI=[JWKS_URL]
    replacing [realmname], [agentname], [adminID], [passwordfile] and [JWKS_URL] with appropriate values.

See Also

OAuth 2.0 and OIDC in AM

OAuth 2.0

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15968 (OAuth2 - no need to check the jwk_uri when ID token HS signing is selected)

OPENAM-9777 (Json Web Key URI in OAuth2 OpenID connect client config pre-populated incorrectly)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.