Troubleshooting OAuth errors

OAuth is used to manage the list of client applications that are allowed to prompt users for access to their IBM® Connections data.

Overview

The OAuth support feature consists of four parts:
  • The WebSphere® Application Server OAuth Application that exposes authorization and token endpoints, and a feed of authorizations.
  • The WebSphere® Application Server OAuth TAI that intercepts requests to OAuth-protected API endpoints and sets the user principal in the request, handling error response codes.
  • The Connections OAuth Provider support module that exposes an Application Access page, Access Request screens, and a ProviderInitializer context listener that is used by all Connections applications.
  • The Connections OAuth Consumer Proxy that resides in the WidgetContainer application, which is responsible of the OpenSocial gadget container.

Troubleshooting guidelines

Add the strings from table 1 to log level details. Then, restart IBM® Connections and inspect trace logs. The OAuth components are verbose and write a sizable quantity of diagnostic messages to the trace log.
Table 1. Trace strings
Component Trace strings
WebSphere® Application Server OAuth TAI and endpoint servlets com.ibm.ws.security.oauth20.*=all
Connections OAuth Provider initializer, platform, DAO, and MBeans com.ibm.lconn.oauth.*=all
CRE OAuth Consumer Proxy

org.apache.shindig.gadgets.oauth2.*=all
com.ibm.mm.proxy.*=all (MuM proxy)
IBM® Connections CRE integration layer

com.ibm.lconn.core.services.cre.*=all
com.ibm.lconn.news.shindig.oauth.service.*=all
com.ibm.lconn.news.service.impl.oauth.*=all

Troubleshooting

Table 2. Common issues
Type Error URL Reason Solution
Response in the user interface
Error 404: javax.servlet.ServletException: 
Filter [OAuth20ClientAuthnFilter]: filter is unavailable.
http://server:port/oauth2/endpoint/connectionsProvider/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=Connections&state=<state> The authorization screen URL is invalid. This happens if the {oauthSvcUrl} placeholder in the authorization URL parameter was not replaced successfully. Make sure the ProviderInitializer context listener completes initialization successfully. Check errors in the logs to find an appropriate solution for each case.