Troubleshooting OAuth errors
OAuth is used to manage the list of client applications that are allowed to prompt users for access to their HCL Connections™ data.
Overview
The OAuth support feature consists of four parts:
- The WebSphere® Application Server OAuth Application that exposes authorization and token endpoints, and a feed of authorizations.
- The WebSphere Application Server OAuth TAI that intercepts requests to OAuth-protected API endpoints and sets the user principal in the request, handling error response codes.
- The Connections OAuth Provider support module that exposes an Application Access page, Access Request screens, and a ProviderInitializer context listener that is used by all Connections applications.
- The Connections OAuth Consumer Proxy that resides in the WidgetContainer application, which is responsible of the OpenSocial gadget container.
Troubleshooting guidelines
Add the strings from table 1 to log level details. Then, restart Connections and inspect trace logs. The OAuth components are verbose and write a sizable quantity of diagnostic messages to the trace log.
| Component | Trace strings |
|---|---|
| WebSphere Application Server OAuth TAI and endpoint servlets | com.ibm.ws.security.oauth20.*=all |
| Connections OAuth Provider initializer, platform, DAO, and MBeans | com.ibm.lconn.oauth.*=all |
| CRE OAuth Consumer Proxy | ``` |
org.apache.shindig.gadgets.oauth2.=all com.ibm.mm.proxy.=all (MuM proxy)
|
|Connections CRE integration layer|```
com.ibm.lconn.core.services.cre.*=all
com.ibm.lconn.news.shindig.oauth.service.*=all
com.ibm.lconn.news.service.impl.oauth.*=all
|
Troubleshooting
| Type | Error | URL | Reason | Solution |
|---|---|---|---|---|
| Response in the user interface | ``` | |||
| Error 404: javax.servlet.ServletException: | ||||
| Filter [OAuth20ClientAuthnFilter]: filter is unavailable. | ||||
| ``` |
|http://server:port/oauth2/endpoint/connectionsProvider/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=Connections&state=<state>|The authorization screen URL is invalid. This happens if the {oauthSvcUrl} placeholder in the authorization URL parameter was not replaced successfully.|Make sure the ProviderInitializer context listener completes initialization successfully. Check errors in the logs to find an appropriate solution for each case.|
Parent topic:Troubleshooting tips