Layer7 API Management

  • 1.  '+' symbol in username failing in OTK authentication

    Posted Sep 06, 2018 03:08 PM

    Usernames having '+' symbol are failing while trying OAuth Authentication retrieving access_token.

    OTK version - 4.1

    Grant type - Password

    Sample user name - "myuser+_12_43@maildomain.cc"

    Authentication failure Error message below.

    {
        "error": "invalid_request",
        "error_description": "The resource owner could not be authenticated due to missing or invalid credentials"
    }

    Please share details regarding fix/workaround for the above scenario.



  • 2.  Re: '+' symbol in username failing in OTK authentication

    Broadcom Employee
    Posted Sep 06, 2018 04:06 PM

    Hi Vijay,


    How was this user created, LDAP, Internal IDP, etc? I noticed with the internal IDP it prevents a user from being created with the + symbol as part of the user name. The error "Contains characters that interfere with automatic certificate management" is thrown.


    Regards,

    Joe



  • 3.  Re: '+' symbol in username failing in OTK authentication

    Posted Sep 06, 2018 04:49 PM

    Hi Joe,

    Thank you for your response.

    The user was created in eDirectory Identity provider. We are sending an access token request (Password grant type) and facing the failure as mentioned earlier while generating the token.

    FYI - this user was successfully authenticated against the directory.


    Also, the error message "The resource owner could not be authenticated due to missing or invalid credentials" describes missing or invalid credentials.


    Could you please provide details on the cases in which we receive the invalid credentials error. Also, what are the valid cases during which the token gets generated successfully?


    Thank you.

    Vijay.



  • 4.  Re: '+' symbol in username failing in OTK authentication

    Broadcom Employee
    Posted Sep 06, 2018 05:26 PM

    Thank you for clarifying. The error is usually the result of one of the below:


    1. The username or password is incorrect
    2. You are not authenticating against the correct identity provider.
    3. Your account has been disabled/locked out


    Do you see any errors in the SSG log on the Gateway when authenticating this user?

    Is this user able to login to policy manager?


    Just to confirm OTK is working correctly, can you test with a resource owner that does not have a "+" as part of the user name? The expected response will be an access token:


    i.e.:

    {
        "access_token": "ffe4a4ea7-3aa4-442b-bb75-eae3721ab183",
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": "oob"
    }

    Regards,
    Joe


  • 5.  Re: '+' symbol in username failing in OTK authentication

    Posted Sep 06, 2018 06:06 PM

    Thank you again Joe. Please see the answers below.


    Do you see any errors in the SSG log on the Gateway when authenticating this user?

    Below is the log message we see in the Policy Manager.

    "Failed 401- Retrieve access_token"


    Is this user able to login to policy manager?

    We are not sure if the user has gateway access role provisioned to access the Policy manager.


    OTK is working fine for users who do not have a "+" symbol on the name.


    Regards,

    Vijay.



  • 6.  Re: '+' symbol in username failing in OTK authentication
    Best Answer

    Posted Sep 11, 2018 11:10 AM

    We had to handle the issue by translating the ASCII value of the '+' symbol and storing it in the OTK database.

    Not sure if that is the right approach. Please let us know if you have any thoughts on this or alternate approaches if any.


    Thank you.

    Vijay.
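Added example, not code from the thread or from OTK: one standard behaviour of application/x-www-form-urlencoded that matches this symptom is that a raw '+' in a form body decodes to a space, so a username like "myuser+_12_43@maildomain.cc" reaches the token endpoint as "myuser _12_43@maildomain.cc" and no longer matches the directory entry. That this is the cause here is an assumption the thread never confirms; the snippet contrasts a correctly percent-encoded password-grant body with a hand-built one, and SAMPLE_PASSWORD and the function names are constructed for the example.

```python
# Added example (not from the thread or OTK): how a '+' in a resource owner's
# username can be mangled on the way to a password-grant token endpoint.
# Assumption: the client posts application/x-www-form-urlencoded, where a raw
# '+' is decoded as a space unless it was sent percent-encoded as %2B.
from urllib.parse import parse_qs, urlencode

SAMPLE_USER = "myuser+_12_43@maildomain.cc"   # username quoted in the thread
SAMPLE_PASSWORD = "example-password"          # constructed value


def build_token_request_body(username, password, scope="oob"):
    """Form-encode a password-grant request properly; '+' becomes %2B, '@' %40."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    })


def build_naive_body(username, password, scope="oob"):
    """A hand-built body that concatenates raw values without encoding them."""
    return f"grant_type=password&username={username}&password={password}&scope={scope}"


def server_side_username(body):
    """Decode the body the way a token endpoint does and return the username it sees."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("username", [""])[0]


def username_survives(username, password=SAMPLE_PASSWORD):
    """True if the username the server decodes equals the one the client meant."""
    return server_side_username(build_token_request_body(username, password)) == username


if __name__ == "__main__":
    # The naive body loses the '+'; the encoded body preserves it.
    print(server_side_username(build_naive_body(SAMPLE_USER, SAMPLE_PASSWORD)))
    print(server_side_username(build_token_request_body(SAMPLE_USER, SAMPLE_PASSWORD)))
```

Comparing the username the gateway logs against the one the client intended is the quickest way to tell an encoding problem apart from genuinely bad credentials.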