Troubleshooting
Problem
Please note that, there is a significant change in the DataPower code (for handing scope validation for a Third-party OAuth Provider) from the following DataPower versions: 10.5.0.6, 10.5.1.x, 10.0.1.14 and onward.
Current behavior:
When you configure a third-party OAuth Provider, we don’t perform any scope validations from the Introspection endpoint response even if it is returning scopes.
Symptom
With these new changes being in place, whenever clients are upgrading DataPower to the above versions or later, they might experience an error for the existing API calls (Protected by a third-party OAuth), depending on how this has been configured.
The error message might look like this:
{"httpCode":"401","httpMessage":"Unauthorized","moreInformation":"Cannot pass the security checks that are required by the target API or operation, Enable debug headers for more details."}
{"httpCode":"401","httpMessage":"Unauthorized","moreInformation":"Cannot pass the security checks that are required by the target API or operation, Enable debug headers for more details."}
If you have enabled a debug header in the OAuth Provider settings and passing it in the request: “apim-debug:true”, you might be able to see additional debug messages being returned in the response like below:
< X-APIC-Debug-OAuth-Error: access_denied
< X-APIC-Debug-OAuth-Error-Desc: Scope is not allowed
< WWW-Authenticate: Bearer error='invalid_token'
< X-APIC-Debug-OAuth-Error: access_denied
< X-APIC-Debug-OAuth-Error-Desc: Scope is not allowed
< WWW-Authenticate: Bearer error='invalid_token'
Cause
It's a change in the gateway side to handle scopes for a Third-party OAuth provider.
Resolving The Problem
Please check and make sure your introspection endpoint response and configuration requirement matches one of the following:
Introspection endpoint doesn’t return a scope:
Please make sure, you have one of the following settings:
- There is no scope configured in the consumer/REST API and there is no Advance scope enabled in the OAuth Provider settings. Or
- There is no scope configured in the consumer/REST API and Advance scope validation is also configured. The success/failure will happen based on Advanced scope validation. Or
- There is scope configured in the consumer/REST API and Advance scope validation is also configured. The success/failure will happen based on Advanced scope validation.
Introspection endpoint returns a scope:
- There is no scope configured in the consumer/REST API and there is no Advance scope enabled in the OAuth Provider settings. Or
- In any other combinations, success/failure will depend on the response scope from introspect & advance scope validation or either or.
Introspection endpoint doesn’t return a scope:
Please make sure, you have one of the following settings:
- There is no scope configured in the consumer/REST API and there is no Advance scope enabled in the OAuth Provider settings. Or
- There is no scope configured in the consumer/REST API and Advance scope validation is also configured. The success/failure will happen based on Advanced scope validation. Or
- There is scope configured in the consumer/REST API and Advance scope validation is also configured. The success/failure will happen based on Advanced scope validation.
Introspection endpoint returns a scope:
- There is no scope configured in the consumer/REST API and there is no Advance scope enabled in the OAuth Provider settings. Or
- In any other combinations, success/failure will depend on the response scope from introspect & advance scope validation or either or.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMNED","label":"IBM API Connect"},"ARM Category":[{"code":"a8m50000000L0rvAAC","label":"API Connect"}],"ARM Case Number":"TS013804039","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Product Synonym
IBM API Connect & DataPower Gateways
Was this topic helpful?
Document Information
Modified date:
18 August 2023
UID
ibm17027794