By: Xuejiao Zhang user 08 Sep 2019 at 11:53 a.m. CDT

5 Responses
I am using Gluu Server as the OpenID server for AWS Cognito Identity Pool federation. The client_id format of Gluu is something like "@!896F.9543.A0D3.2B07!0001!014A.8063!0008!137F.4BEC". But when I create an AWS IAM role, it has the following requirement for the OpenID "audience": "Audience can contain only alphanumeric characters and period (.), underscore (_), hyphen (-), and slash (/). Audience cannot be longer than 255 character". My understanding is that I need to input the "client_id" in the "audience", but that cannot be done due to the restriction above. So I got the error:

```
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the GetId operation: Invalid login token. Incorrect token audience.
```

I am wondering whether it's possible to change the client_id on the Gluu server (OpenID). If not, do you have any clue how to fix the issue? Thanks in advance.

By Michael Schwartz staff 08 Sep 2019 at 3:16 p.m. CDT

Maybe use Gluu Server 4.0, which uses GUIDs as the primary key instead of inums. There is also a script for changing identifiers for clients.
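The question above quotes AWS's character and length rule for the OIDC "audience" in an IAM role trust policy, and the reply suggests GUID-style client identifiers as a way around it. The following added example (not code from the thread, Gluu, or AWS) implements that stated rule as a validator and runs it over the inum-style client_id quoted in the question and over a constructed UUID; the UUID value is an assumption standing in for a 4.0-style identifier, not an actual Gluu 4.0 client_id. The `@` and `!` characters are what make the inum fail.

```python
import re

# AWS's stated rule for the OIDC "audience" condition on an IAM role trust
# policy (quoted in the question): only alphanumerics, '.', '_', '-', '/',
# and at most 255 characters.
ALLOWED_CHAR_RE = re.compile(r"[A-Za-z0-9._/-]")
AUDIENCE_RE = re.compile(r"^[A-Za-z0-9._/-]{1,255}$")


def is_valid_audience(client_id: str) -> bool:
    """True if client_id can be used verbatim as an IAM OIDC audience value."""
    return AUDIENCE_RE.fullmatch(client_id) is not None


def audience_problems(client_id: str) -> list:
    """Return the reasons client_id would be rejected as an audience (empty list if OK)."""
    problems = []
    if not client_id:
        problems.append("empty")
    if len(client_id) > 255:
        problems.append(f"too long ({len(client_id)} > 255)")
    bad = sorted({c for c in client_id if not ALLOWED_CHAR_RE.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


# Gluu 3.x inum-style client_id exactly as quoted in the question.
GLUU_INUM_CLIENT_ID = "@!896F.9543.A0D3.2B07!0001!014A.8063!0008!137F.4BEC"

# Constructed sample (assumption): a plain UUID standing in for a GUID-style id.
GUID_CLIENT_ID = "3f8a1c2e-7b44-4d1a-9e0f-2c5b6a7d8e90"


def check_both() -> dict:
    """Run the validator over both identifiers and report the result per id."""
    return {
        cid: "OK" if is_valid_audience(cid) else audience_problems(cid)
        for cid in (GLUU_INUM_CLIENT_ID, GUID_CLIENT_ID)
    }


if __name__ == "__main__":
    for cid, verdict in check_both().items():
        print(f"{cid} -> {verdict}")
```

Running the script prints that the inum is rejected for the characters `!@` while the UUID passes, which is the mismatch behind the "Incorrect token audience" error: the `aud` claim in the Gluu-issued token carries the inum, and the trust policy cannot express that value.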

By Xuejiao Zhang user 08 Sep 2019 at 11:10 p.m. CDT

@Michael.Schwartz Thanks. I installed Gluu Server 4.0 and created an OpenID Connect client. When I tried to update the "Grant Type", it always failed with the following error:

```
Oops Something wrong happened. Return to the application using the button below.
```

I have retried several times, and sometimes it failed to update other items as well. Could you help me with this issue?

By Aliaksandr Samuseu staff 17 Sep 2019 at 7:43 p.m. CDT

Hi, Xuejiao. I haven't been able to reproduce it so far. Could you please install the latest RC package (4.0-82.rc1) and try again? If you still encounter this issue, could you please provide detailed step-by-step instructions on how to reproduce it? In addition, we will need a dump of your client's LDAP entry.

1. Open the client's properties page in the web UI and copy its "Client ID" value.
2. Move into Gluu's container.
3. Put your LDAP password in `/tmp/.dpw` (it's the same as the default admin's password was right after installation).
4. Dump the client's properties (replace `LDAP_HOST` and `YOUR_CLIENT_ID` with your values):

```
# /opt/opendj/bin/ldapsearch -h LDAP_HOST -p 1636 -s sub -T -Z -X -D 'cn=directory manager' -j /tmp/.dpw -b 'o=gluu' -z 3 '(&(objectclass=oxauthclient)(inum=YOUR_CLIENT_ID))'
```

5. Share it here. You may remove the client's secret from the output.

By Aliaksandr Samuseu staff 26 Sep 2019 at 5 p.m. CDT

Hi, Xuejiao. Any update on this one? Do you still see the issue in the latest 4.0 package?

By Xuejiao Zhang user 26 Sep 2019 at 8:09 p.m. CDT

@Aliaksandr.Samuseu Hi, I haven't had time to do further testing recently. Let me close the ticket for now; I will let you know if the issue reproduces later. Thank you very much.