Troubleshooting Deployment
Note: Account Management API is now deprecated and we recommend that you use Account Management functionality built into Elastic Path Commerce 8.2 and later.
InvalidKeySpecException Returned in Logs
Problem
The following exception is returned in the log:
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DER input, Integer tag error
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
at com.elasticpath.am.appauth.service.impl.AppTokenServiceImpl.activate(AppTokenServiceImpl.java:76)
Cause
The JWT private key is not specified correctly.
Solution
Ensure the following:
- The private key is created properly and the key is an RS256 key encoded in PKCS #8 format that is formatted on a single line.
- The value of the environment variable is set on the Account Management API service.
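One way to check a key value before setting it, as an added example (not Elastic Path code): the function reports whether the value is on a single line and whether its DER structure is a PKCS #8 RSA private key. It assumes the value is the base64 encoding of the key, ignores PEM armor if present, and inspects structure only, not key material; the function name and the samples are constructed for illustration.

```python
import base64
import binascii
import re

# DER bytes of the rsaEncryption OID (1.2.840.113549.1.1.1)
RSA_OID = bytes.fromhex("06092a864886f70d010101")

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def check_jwt_private_key(value):
    """Return a list of problems; an empty list means the structure looks right."""
    problems = []
    if "\n" in value.strip():
        problems.append("value spans multiple lines")
    if "BEGIN RSA PRIVATE KEY" in value:
        problems.append("PEM header says PKCS #1")
    body = re.sub(r"-----[A-Z ]+-----|\s", "", value)  # drop PEM armor, whitespace
    try:
        der = base64.b64decode(body, validate=True)
        outer, start, _ = _tlv(der, 0)
        first, _, first_end = _tlv(der, start)
        second, s2, e2 = _tlv(der, first_end)
    except (binascii.Error, ValueError) as exc:
        return problems + [f"not base64-encoded DER: {exc}"]
    if outer != 0x30 or first != 0x02:
        problems.append("not a private key structure (public key or certificate?)")
    elif second == 0x02:
        problems.append("PKCS #1 RSAPrivateKey, not PKCS #8")
    elif second != 0x30 or not der[s2:e2].startswith(RSA_OID):
        problems.append("PKCS #8, but the algorithm is not RSA")
    return problems

# Constructed samples: DER skeletons with placeholder contents, not real keys.
_ALGID = bytes.fromhex("300d") + RSA_OID + bytes.fromhex("0500")
SAMPLE_PKCS8 = base64.b64encode(bytes.fromhex("3016020100") + _ALGID + bytes.fromhex("04020000")).decode()
SAMPLE_PKCS1 = base64.b64encode(bytes.fromhex("3006020100020101")).decode()
SAMPLE_SPKI = base64.b64encode(bytes.fromhex("3013") + _ALGID + bytes.fromhex("03020000")).decode()
```

Run the check on a copy of the value in a trusted shell; do not paste a production private key into shared tooling.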
Error creating configuration provider Returned in Logs
Problem
Error messages appear in logs:
Error creating configuration provider, will retry in five seconds
java.io.FileNotFoundException: <SOME URL>
Cause
The Account Management service cannot retrieve the OpenID Connect Discovery document.
Solution
Ensure that the URL passed to the Account Management service is correct and accessible from the Account Management service.
This message might appear if the identity provider is temporarily unavailable. If the error message disappears once the Account Management service connects again, you can ignore it.
Users Receive an HTTP Error 400 When Logging In
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, HTTP 400 Error is returned.
Cause
This error can occur for the following reasons:
- When Account Management detects an error with the parameters passed in the request.
- When the credentials, such as AM_OIDC_CLIENT_ID and AM_OIDC_CLIENT_SECRET, given to the Account Management service are incorrect.
Solution
Ensure that:
- The client is passing all required parameters to the back-end.
- The identity provider is configured to use the authorization_code grant type (OpenID Connect 1.0, Section 3.1.3.1).
- The credentials given to the Account Management service are correct.
Users Receive an HTTP Error 403 When Logging In
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, HTTP 403 Error is returned.
Cause
This error occurs when the Account Management service successfully validates that the user is logged in, but no role is assigned to the user.
Solution
Ensure that:
- The identity provider has assigned the role of an associate or a seller administrator to the user.
- The values AM_OIDC_ID_TOKEN_SCOPE, AM_OIDC_ID_TOKEN_GROUP_KEY, AM_OIDC_ID_TOKEN_ASSOCIATE_GROUP_VALUE, and AM_OIDC_ID_TOKEN_SELLER_USER_GROUP_VALUE set on the Account Management API are correct.
If all users of a particular type get this error, check the configuration of either the Account Management parameters or the identity provider. If only a particular user gets this error, check the configuration of that user on the identity provider.
Users Receive an HTTP Error 409 When Logging In
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, HTTP 409 Error is returned.
Cause
This error occurs when the Account Management service successfully validates that the user is logged in, but the email address used by the user is already in use in the Account Management service.
Solution
All users in the identity provider must have unique email addresses. Email addresses cannot be shared or reused among the users.
Users Receive an HTTP Error 500 When Logging In
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, HTTP 500 Error is returned.
Solution
- Inspect the logs to determine more information about the cause of the error.