This post discusses OAM Mobile and social capabilities to integrate with popular social identities like Facebook and Google. I tried it on OAM 11g R2 PS2 and found some roadblocks. There are couple of good blogs on OAM setup for mobile and social but still I faced issues due to some missing steps and existing defects. In this post, I am compiling all the issues that I faced and workarounds for those.
1. OAuth Implementation Class Mismatch
Facebook now support OAuth 2.0 instead of 1.0 but still OAM points to the old implementation classes. Google also moved from OpenId to OAuth 2.0. You will see below error in the OAM diagnostics logs –
Solution: To fix this issue, delete Google and Facebook from the Internet Identity providers section and recreate it with the correct Implementation Class and Authorization/Access token URL pointing to OAuth2. You can see the detailed steps in Oracle Support Note 1960829.1.
Snapshots of Identity Providers Config after changes –
Note: Don’t create the new identity provider without deleting the existing one. There is a existing bug related to this. Refer Oracle Support Note – 1998417.1.
2. Error in redirection to protected resource
After entering end-user registration details and clicking ‘Register’ the user is redirected back to the social login page instead of being redirected to the requested resource. The issue in this case is the user is not able to register in the local IDS repository due to some reason. The most common reason is that the ‘Registration Service Details with Application User Attribute Mapping’ within the application profile is misconfigured and the LDAP server is not receiving all of the mandatory attributes needed to create an entry.
For Ex: OAM Server Logs <Error> <oracle.igf.ovd> <IGF00029> <Missing mandatory name attribute>
One way to troubleshoot this issue is to check if proper permissions are given to return required attributes. For Facebook App, go to App Review to check the approved items –
Also, FB provides a tool to generate Access Token where you can also check the returned attributes. Go to Tools and Support -> Graph API Explorer
One more thing to mention, OOB FB internet Identity Provider configuration has listed some attributes which are now not returned by FB like country, language etc…
Remove those attributes from Social Identity -> Facebook -> Users Attributes Returned section, otherwise you might get an error:
If using OAM 220.127.116.11.x then the Authenitcation Module – TAPModule should also have been updated to replace the TAPAssertionPlugin with TAPUserAuthenticationPlugin
3. Facebook OAuth Error – App Domain not registered
This error appears if you have not registered the App Domain in your FB App in a correct format. Go to FB App -> Settings and set the App Domain to <host name without http/https>. Also click on Add Platform and select website and enter URL http://OAM-Host:<port>.
Also, make sure to add the Facebook Login product and provide valid OAuth redirect URIs:
Finally, click on App Review, check the permissions and make the app public.
4. Attributes and properties that are often missed
Make sure to add below profile properties in the Application Profile –
1. app.passwd.field – Encrypts the password on the registration page. Add password as the value. To mask the password with asterisks (*) on the registration page, add the app.passwd.field property and add password as the value.
2.oic.app.idp.oauth.token – Instructs Mobile and Social to include the OAuth Access Token as part of the final redirect to the application. Add true as the value. Only applies if the User selected an OAuth provider (Facebook, Twitter, LinkedIn).
In the Service Provider Configuration page for UserProfile, add an attribute in the attributes section called “proxyAuth” and set it to “false”. This step is required for OUD. See Oracle Docs
Update OAM default store to IDSPROFILE-xxx identity store. This is used to check if logged in users already have an account in the local IDS repository and based on this show New User Registration page.
5. Local Authentication Failed Error
User has an option to login through local account instead of social login flow. If you face any issues with this then some of the first things to check are:
Check if user account created in IDS repository. You can check it by connecting to LDAP or you can use the REST api endpoint configured in Mobile Services -> Service Profile -> Service Endpoint. For Ex: http://<host>:port/oic_rest/rest/ userprofile?pageSize=<N> where pageSize determine the no of results
Redirected to below error page, even if you are entering the correct password as entered on the user registration page-
Error from the OAM logs –
Wrong Password[[security.idaas.rest.provider.common.exception.RESTOAMAuthenticationException: Wrong Password at oracle.security.idaas.rest.provider.token.OAMSDKTokenServiceProvider.checkUserSession(OAMSDKTokenServiceProvider.java:1784) at oracle.security.idaas.rest.provider.token.OAMSDKTokenServiceProvider.authenticate(OAMSDKTokenServiceProvider.java:1670)
This error means OAMSDKTokenServiceProvider is trying to authenticate against OAM system ID store instead of IDS repository. You need to change the Auth Scheme for OIC Authentication policy defined in OOB IAM Suite Agent. Refer Oracle Support Note 1946340.1 for details.
Curious How It’s Related To OIC Authentication Policy?
Mobile and Social provides pre-configured Authentication Service Providers, for each token type (Access Manager and JWT). This Service Provider can issue a Client Token which is used for authentication. A Service Profile defines a Service Endpoint URL for a Service Provider on the Mobile and Social server. For more details Oracle Doc.
Basically, under Social Identities -> Application Profile -> Authentication Service Endpoint is defined which is by default points to /oamauthentication.
Under Mobile Services -> Service Providers, you will see OAMAuthentication Service Provider and the corresponding Service Profile that points to rest service end point – http://<host>:port/oic_rest/rest/oamauthentication. Service Provider implementation class is OAMSDKTokenServiceProvider which you see in the logs.
One more thing to notice is, OAMAuthenitcation Service Provider is attached to accessgate-oic. So, in case of local authentication /OICAuthentication resource is accessed which is protected through OIC Authentication Policy. Sometimes, this issue comes if there is a mismatch in the Webgate Encrypted Password defined in SP and Access gate password in Webgate definition.
- 1. OAMMS AND FACEBOOK INTEGRATION WITH OAM UNSOLICITED LOGIN (Bug 20229995)
- 2. Social Login doesn’t work if both OAM and OIM are in the same domain which is not recommended – (Oracle Support Note-1601516.1)
- 3. After supplying local login credentials the browser shows an HTTP404 error.
and redirected to http://oamserver_host:14100/oic_rp/null. The ‘oic_rp/null’ is a symptom of bugs 21930668 and 19821179. This bug is fixed in the 18.104.22.168.x release of OAM. (Not checked the fix)
- 4. OAM 11gR2 Social Login With Google IdP Always Prompts for Offline Access Consent (Doc ID 2066795.1)
In Part II of this post, I will continue the discussion on Oracle Mobile and Social and will also discuss OAMMS-SDK.