IBM Support

PH48874: REST API PUT REQUEST ON /API/V1/SESSION USING IBMID OIDC THROWS ERROR "AAA-OIDC-0009 THE PROVIDED CREDENTIALS ARE INVALID."

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as documentation error.

Error description

  • Perform a REST API connection PUT request on /api/v1/session
request from a Cognos Analytics 11.2.x on Cloud instance by
authenticating to IBMId OIDC throws error "AAA-OIDC-0009 The
provided credentials are invalid."

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* 1                                                            *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* In 11.2.3 and earlier logon via the session endpoint         *
* requires the use of non interactive credentials. If the      *
* authentication provider does not support those then logon is *
* not possible. IBMId no longer supports Resource Owner        *
* Password Credentials (ROPC) grants, so it is not possible to *
* logon to that namespace type via the REST API.  This is the  *
* same behavior as OKTA or AzureAD with ROPC disabled.         *
*                                                              *
* In 11.2.4 we added API Key authentication so the rest API is *
* no longer affected by the IBMId limitation. However the api  *
* key uses the "scheduling credential" (Trusted Credentials)   *
* I.e the same credentials that are used to run schedules, so  *
* it is still dependent on namespace configuration, but should *
* support more use cases.                                      *
* https://developer.ibm.com/apis/catalog/cognosanalytics--cogn *
* os-analytics-rest-api/Getting%20Started                      *
*                                                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

    



Problem conclusion


    

  •  IBMId no longer supports Resource Owner Password Credentials
(ROPC) grants, so it is not possible to logon to that namespace
type via the REST API.
In 11.2.4 we added API Key authentication so the rest API is no
longer affected by the IBMId limitation.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH48874
    • 

  • Reported component name
    COG ADMINISTRAT
    • 

  • Reported component ID
    5724W12AD
    • 

  • Reported release
    B09
    • 

  • Status
    CLOSED  DOC
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-08-23
    • 

  • Closed date
    2023-02-26
    • 

  • Last modified date
    2023-02-26
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTSF6","label":"Cognos Analytics"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"B09","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            27 February 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback