From: Krzysztof B. <kb...@un...> - 2017-08-02 09:00:13
On 02.08.2017 at 10:38, Sander Apweiler wrote:
> Hi Krzysztof,
>
> I'm struggling on a new instance with oauth clients. A user signs in to
> the Oauth SP and the information to the SPs is not released. The SP
> only says "Login Error! Your IdP returned you with the error
> <<"server_error">>. Please contact your IdP.". In the response is
> Unexpected server error. The unity log file shows the error below.
>
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - A new invocation context was set
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - Login session was set for the invocation context
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - Default locale was set for the invocation context
> 2017-08-01 15:40:38,827 [qtp1441014857-149] DEBUG unity.server.RoutingServlet - Routing request to DEFAULT destination /oauth2-authz-consentdecider
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.AuthenticationFilter - Request to not protected address: /oauth2-as/oauth2-authz-consentdecider
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - A new invocation context was set
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - Login session was set for the invocation context
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.web.InvocationContextSetupFilter - Default locale was set for the invocation context
> 2017-08-01 15:40:38,827 [qtp1441014857-149] TRACE unity.server.TransactionalAspect - Starting sql session for execution(PreferencesManagement.getPreference(..))
> 2017-08-01 15:40:38,832 [qtp1441014857-149] TRACE unity.server.TransactionalAspect - Releassing sql session for execution(PreferencesManagement.getPreference(..))
> 2017-08-01 15:40:38,832 [qtp1441014857-149] DEBUG unity.server.web.IdPPreferences - It was impossible to establish preferences for 9 will use defaults
> pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getPreference requires 'read' capability
>     at pl.edu.icm.unity.engine.authz.AuthorizationManagerImpl.checkAuthorizationInternal(AuthorizationManagerImpl.java:252)
>     at pl.edu.icm.unity.engine.authz.AuthorizationManagerImpl.checkAuthorization(AuthorizationManagerImpl.java:179)
>
> The same error message is shown for the operation getGroups. If I sign
> in to the SP with a unity admin account it works. But I don't know
> which access rights are wrong. Do you have a hint for this problem?

Yes. Basically every entity that is actively using unity (whether this is an oauth client or a user that authenticates via oauth) requires at least the read capability, which is provided by the "Regular user" role. Please see the Authorization section in the documentation for more details.

HTH
Krzysztof
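A small triage script for the kind of log excerpt quoted above, added here as an example and not part of the thread or of Unity's own code. It parses the `AuthorizationException` lines, pairs each denied operation with the entity id from the preceding `IdPPreferences` line (entity 9 in the quoted log), and checks the demanded capability against a deliberately minimal role table that follows the reply: no role grants nothing, the "Regular user" role grants `read`. The role table, the `SAMPLE_LOG` text (condensed and extended from the quoted lines) and the helper names are assumptions for this example, not Unity's authorization model or API.

```python
"""Triage Unity log lines for 'Access is denied' authorization failures.

Added example, not code from the mailing-list thread or from Unity. The
role table below is a simplified assumption that mirrors the reply
(an entity without a role has no capabilities; "Regular user" grants
'read'); it is not Unity's full set of roles or capabilities.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: condensed from the log quoted in the thread, with a
# second denial for getGroups added as the original poster described.
SAMPLE_LOG = """\
2017-08-01 15:40:38,832 [qtp1441014857-149] DEBUG unity.server.web.IdPPreferences - It was impossible to establish preferences for 9 will use defaults
pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getPreference requires 'read' capability
2017-08-01 15:40:38,840 [qtp1441014857-149] DEBUG unity.server.web.IdPPreferences - It was impossible to establish preferences for 9 will use defaults
pl.edu.icm.unity.exceptions.AuthorizationException: Access is denied. The operation getGroups requires 'read' capability
2017-08-01 15:41:02,100 [qtp1441014857-150] TRACE unity.server.web.AuthenticationFilter - Request to not protected address: /oauth2-as/oauth2-authz-consentdecider
"""

ENTITY_RE = re.compile(r"impossible to establish preferences for (\d+)")
DENIED_RE = re.compile(
    r"AuthorizationException: Access is denied\. "
    r"The operation (\w+) requires '(\w+)' capability"
)

# Simplified role model (assumption for this example only).
ROLE_CAPABILITIES = {
    None: frozenset(),                    # entity with no role assigned
    "Regular user": frozenset({"read"}),  # the role the reply recommends
}


@dataclass(frozen=True)
class Denial:
    entity: Optional[str]   # entity id the failing lookup was made for, if seen
    operation: str          # e.g. getPreference, getGroups
    capability: str         # capability the operation demanded, e.g. read


def parse_denials(log_text):
    """Return one Denial per AuthorizationException line.

    The entity id is taken from the most recent IdPPreferences line, since
    the exception line itself does not name the entity.
    """
    denials = []
    current_entity = None
    for line in log_text.splitlines():
        m = ENTITY_RE.search(line)
        if m:
            current_entity = m.group(1)
            continue
        m = DENIED_RE.search(line)
        if m:
            denials.append(Denial(current_entity, m.group(1), m.group(2)))
    return denials


def missing_capabilities(denials, role):
    """Capabilities the denials demand that the given role does not grant."""
    granted = ROLE_CAPABILITIES.get(role, frozenset())
    return sorted({d.capability for d in denials} - granted)


def summarize(log_text):
    """Condense a log into what an admin needs: which entity, which
    operations failed, and whether assigning 'Regular user' would cover them."""
    denials = parse_denials(log_text)
    return {
        "entities": sorted({d.entity for d in denials if d.entity}),
        "operations": sorted({d.operation for d in denials}),
        "missing_without_role": missing_capabilities(denials, None),
        "missing_with_regular_user": missing_capabilities(denials, "Regular user"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real `unity-server.log` excerpt by replacing `SAMPLE_LOG`; an empty `missing_with_regular_user` list means the denials seen are all ones the "Regular user" role would satisfy, and `entities` tells you which entity id (client or user) still lacks that role.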