Environment
- Liferay DXP 7.0-7.3
- Oracle Identity Cloud Service
- OpenID Connect authentication enabled
Symptom
When OpenID Connect authentication is enabled in Liferay DXP and Oracle Identity Cloud Service (IDCS) is the configured provider, the following error may occur and users are not able to sign in to Liferay DXP:
Caused by: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Server returned HTTP response code: 401 for URL: https://idcs-6e0f2608732d4331a407d4a5583257ab.identity.oraclecloud.com:443/admin/v1/SigningCert/jwk
    at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:167)
    at com.nimbusds.jose.jwk.source.RemoteJWKSet.get(RemoteJWKSet.java:258)
    at com.nimbusds.jose.proc.JWSVerificationKeySelector.selectJWSKeys(JWSVerificationKeySelector.java:113)
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.selectKeys(DefaultJWTProcessor.java:288)
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:347)
    at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:288)
    at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:224)
    at com.liferay.portal.security.sso.openid.connect.internal.OpenIdConnectServiceHandlerImpl.validateToken(OpenIdConnectServiceHandlerImpl.java:652)
    ... 60 more
Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: https://idcs-6e0f2608732d4331a407d4a5583257ab.identity.oraclecloud.com:443/admin/v1/SigningCert/jwk
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1919)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:250)
    at com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:249)
    at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:201)
    at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:165)
    ... 67 more
Resolution
The JWKS endpoint is protected by default in IDCS tenants. You can test this as follows:
- Navigate to the discovery document of your tenant: https://<tenant-base-url>/.well-known/openid-configuration
- Open the "jwks_uri" value from the JSON response (this is the same URL that appears in the error): https://<tenant-base-url>/admin/v1/SigningCert/jwk
If you get HTTP 401, the endpoint is protected in your environment. OpenID Connect clients (such as Liferay DXP) need anonymous access to this resource in order to load the provider's signing certificate(s) and verify the ID token returned with the authentication response.
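The two-step check above can be scripted so it can be repeated after the IDCS setting is changed. This is an added example, not code from the Liferay article or from either product; it assumes the tenant base URL is passed on the command line, and the injectable `fetch` parameter exists only so the logic can be exercised against constructed responses.

```python
"""Check whether an OIDC provider's JWKS endpoint is reachable anonymously.

Mirrors the manual test above: fetch the discovery document, read jwks_uri,
then GET that URL with no credentials. HTTP 401 is the symptom in the article.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse


def http_get(url):
    """Anonymous GET returning (status, body); HTTP errors become a status, not an exception."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", errors="replace")


def check_jwks_access(tenant_base_url, fetch=http_get):
    """Describe the JWKS endpoint state; `fetch` is injectable for offline use."""
    discovery_url = tenant_base_url.rstrip("/") + "/.well-known/openid-configuration"
    status, body = fetch(discovery_url)
    if status != 200:
        return {"ok": False, "reason": f"discovery document returned HTTP {status}"}
    jwks_uri = json.loads(body).get("jwks_uri")
    if not jwks_uri:
        return {"ok": False, "reason": "discovery document has no jwks_uri"}
    if urlparse(jwks_uri).scheme != "https":
        return {"ok": False, "reason": "jwks_uri is not https", "jwks_uri": jwks_uri}
    status, body = fetch(jwks_uri)
    if status == 401:
        # The article's case: IDCS "Access Signing Certificate" is not enabled.
        return {"ok": False, "reason": "JWKS endpoint requires authentication (HTTP 401)", "jwks_uri": jwks_uri}
    if status != 200:
        return {"ok": False, "reason": f"JWKS endpoint returned HTTP {status}", "jwks_uri": jwks_uri}
    keys = json.loads(body).get("keys", [])
    # Keys without a "use" member may be used for signing, so only exclude explicit "enc".
    sig_kids = [k.get("kid") for k in keys if k.get("use", "sig") == "sig"]
    if not sig_kids:
        return {"ok": False, "reason": "JWKS contains no signing keys", "jwks_uri": jwks_uri}
    return {"ok": True, "jwks_uri": jwks_uri, "kids": sig_kids}


if __name__ == "__main__":
    print(json.dumps(check_jwks_access(sys.argv[1]), indent=2))
```

Run it as `python check_jwks.py https://<tenant-base-url>`; a result with `"ok": false` and an HTTP 401 reason means the fix below still needs to be applied.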
To make the JWKS endpoint public:
- Log in to your Oracle IDCS console
- Access the left navigation menu
- Go to Settings > Default Settings
- Under "Access Signing Certificate", enable the toggle "Configure whether clients can access the signing certificate for the identity domain without logging in to Oracle Identity Cloud Service."
- Save