Environment
Identity Governance (Access Review) 3.0
Identity Governance (Access Review) 3.5
Situation
After starting Identity Governance and trying to load it in a browser, you see the following message:
"Error:
The service may be disabled or an invalid request was made to an active
service. Please contact your system administrator. (An invalid OAuth2 request
was received.)"
In checking the Catalina logs (catalina.out and catalina.current_timestamp.log) in the /tomcat/logs directory, the start-up of Tomcat was clean (meaning without error).
However, when checking the osp-idm.current_timestamp.log in the /tomcat/logs directory, you see the following error:
Preamble: [OIDP]
Priority Level: SEVERE
Java: internal.osp.oidp.service.oauth2.handler.RequestHandler.respondWithPageError() [582] thread=https-jsse-nio-8543-exec-1
Time: 2019-01-25T00:37:11.940-0500
Log Data: Code: internal.osp.oidp.service.oauth2.handler.HandlerException.<init>() [183]
Text: Client-supplied redirect URI is not registered: http://mysever:8080/oauth.html
***If you are using https, the message is the same as above, but the URI address would be similar to: https://mysever:8443/oauth.html
Please note: the same can occur with IG and a local OSP, as well as with IG and OSP installed remotely or integrated using the OSP from the IDM server.
Resolution
This behavior is caused by an incorrect entry for the OSP redirect URL in configutil and configupdate.
To fix this behavior:
1- Stop Tomcat.
2- Clear all of the logs out of the /tomcat/logs directory.
3- Delete the localhost folder in the tomcat/work/Catalina directory.
4- Run the "configutil" utility.
5- In configutil, on the Authentication Server Details tab, enter the correct OSP redirect URL.
It should be:
%protocol%://%server%:%port%/oauth.html
Normally when this error is seen it is because someone has entered:
%protocol%://%server%:%port%/com.netiq.iac.index/oauth.html or some other incorrect URL.
6- Save the change and close configutil.
7- Run the "configupdate" utility.
8- On the IG SSO Client tab, enter the correct URL for the OSP redirect URL (the same one that was specified in configutil in step 5).
***Note: to be able to save and close configupdate you will also need to enter the OAuth client secret.
9- Start Tomcat.
10- Open a new private browser window, or clear all cache and cookies from your browser, and then test.
Cause
As mentioned, this error is usually seen when an incorrect OSP redirect URL has been configured.
That includes a URL that differs from the one the client sends only in letter case, or one that is missing the port number.
Per the OAuth 2.0 specification (RFC 6749, section 3.1.2.3), the authorization server compares the redirect URI supplied by the client with the registered one using simple string comparison, so the two must be identical character for character:
- The port number must be included and must match.
- The case must match.
Even if you type the host name in upper case in your browser, the browser will lower-case the scheme and domain before sending the request. The path (everything after the port) is sent exactly as typed and is case sensitive.
For example:
If you use http://myserver:8080/oauth.html in your browser, but you have configured the URL in configupdate and configutil as http://MyServer:8080/oauth.html, the URIs will not match.
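The following Python script is an added example written for this article; it is not part of the original KB article or of the OSP or Identity Governance products. It pulls the rejected URI out of a constructed osp-idm log excerpt modelled on the entry shown in the Situation section, expands the configutil placeholder template (assuming configutil substitutes %protocol%, %server% and %port% literally), mimics the browser's lower-casing of the scheme and host, and then applies the simple string comparison required by RFC 6749 section 3.1.2.3, reporting which component (scheme, host case, port or path) caused the mismatch. The host names, ports and log text are constructed for illustration.

```python
"""Diagnose an OSP "Client-supplied redirect URI is not registered" error.

Added example, not part of the original KB article or of the OSP product.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed log excerpt modelled on the osp-idm log entry in the article.
SAMPLE_OSP_LOG = """\
[OIDP] Priority Level: SEVERE
Java: internal.osp.oidp.service.oauth2.handler.RequestHandler.respondWithPageError() [582] thread=https-jsse-nio-8543-exec-1
Time: 2019-01-25T00:37:11.940-0500
Text: Client-supplied redirect URI is not registered: http://myserver:8080/oauth.html
"""

REJECTED_URI_RE = re.compile(r"Client-supplied redirect URI is not registered:\s*(\S+)")


def rejected_redirect_uris(log_text):
    """Return every redirect URI that OSP reported as not registered."""
    return REJECTED_URI_RE.findall(log_text)


def expand_redirect_template(template, protocol, server, port):
    """Expand the configutil placeholders.

    Assumption: configutil substitutes %protocol%, %server% and %port%
    literally, as the article's template %protocol%://%server%:%port%/oauth.html
    suggests. The expanded string is what OSP treats as the registered URI.
    """
    return (template.replace("%protocol%", protocol)
                    .replace("%server%", server)
                    .replace("%port%", str(port)))


def browser_normalize(uri):
    """Mimic what a browser does to a typed URL before sending it.

    Scheme and host are lower-cased (they are case-insensitive per RFC 3986);
    the port, path, query and fragment are transmitted exactly as typed.
    """
    parts = urlsplit(uri)          # .scheme and .hostname come back lower-cased
    netloc = parts.hostname or ""
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redirect_uri_registered(registered_uri, supplied_uri):
    """RFC 6749 section 3.1.2.3: simple string comparison, nothing more."""
    return registered_uri == supplied_uri


def diagnose_mismatch(registered_uri, supplied_uri):
    """Explain, component by component, why the exact comparison failed.

    Returns an empty list when the URIs match.
    """
    if redirect_uri_registered(registered_uri, supplied_uri):
        return []
    reg, sup = urlsplit(registered_uri), urlsplit(supplied_uri)
    problems = []
    if reg.scheme != sup.scheme:
        problems.append(f"scheme differs: registered {reg.scheme!r}, request {sup.scheme!r}")
    # Take the host from netloc to preserve its original case (.hostname lower-cases it).
    reg_host, sup_host = reg.netloc.split(":")[0], sup.netloc.split(":")[0]
    if reg_host != sup_host:
        kind = "host case differs" if reg_host.lower() == sup_host.lower() else "host differs"
        problems.append(f"{kind}: registered {reg_host!r}, request {sup_host!r}")
    if reg.port != sup.port:
        if reg.port is None:
            problems.append(f"port missing in registered URI; request uses port {sup.port}")
        else:
            problems.append(f"port differs: registered {reg.port}, request {sup.port}")
    if reg.path != sup.path:
        problems.append(f"path differs: registered {reg.path!r}, request {sup.path!r}")
    return problems


if __name__ == "__main__":
    # Constructed scenario: the template was expanded with a mixed-case host,
    # while the browser sent the host in lower case.
    registered = expand_redirect_template(
        "%protocol%://%server%:%port%/oauth.html", "http", "MyServer", 8080)
    for uri in rejected_redirect_uris(SAMPLE_OSP_LOG):
        print(f"rejected: {uri}")
        for problem in diagnose_mismatch(registered, browser_normalize(uri)):
            print(f"  {problem}")
```

Run the script as-is to see the case-mismatch diagnosis for the constructed log; to check a real incident, paste the osp-idm log text into SAMPLE_OSP_LOG and the value from configutil into the template call.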