Troubleshooting Deployment
Note: Account Management API is now deprecated and we recommend that you use the Account Management functionality built into Elastic Path Commerce 8.2 and later.
InvalidKeySpecException Returned in Logs
Problem
The following exception is returned in the log:
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DER input, Integer tag error
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:217)
at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
at com.elasticpath.am.appauth.service.impl.AppTokenServiceImpl.activate(AppTokenServiceImpl.java:76)
Cause
The JWT private key is not specified correctly.
Solution
Ensure the following:
- The private key is created properly: it is an RS256 key encoded in PKCS #8 format and formatted on a single line.
- The environment variable that holds the key is set on the Account Management API service.
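The exception above is what Java's KeyFactory raises when the configured value does not decode to a PKCS #8 PrivateKeyInfo structure. The checker below is an added example, not part of the Account Management API: it applies the checklist above to a key value, flagging line breaks, decoding the base64 body (PEM armour, if present, is stripped first), and walking the outer DER envelope (version, rsaEncryption AlgorithmIdentifier, OCTET STRING) so that a PKCS #1 RSAPrivateKey is reported as such rather than as a generic parse error. It uses only the standard library and does not parse the RSA key material itself. The sample DER values are constructed stand-ins with a dummy three-byte private-key field, not real keys.

```python
import base64
import binascii
import re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("unexpected end of DER data")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("DER length runs past end of data")
    return tag, value, pos + length


def check_pkcs8_rsa_key(value):
    """Return a list of problems with a single-line PKCS #8 RSA key value ([] means OK)."""
    problems = []
    if re.search(r"[\r\n]", value.strip()):
        problems.append("value contains line breaks; it must be on a single line")
    # Drop PEM armour and whitespace so the DER structure can still be inspected.
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", value)
    body = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("value is not valid base64")
        return problems
    try:
        tag, outer, _ = _read_tlv(der, 0)
        if tag != TAG_SEQUENCE:
            raise ValueError("outer element is not a SEQUENCE")
        tag, version, pos = _read_tlv(outer, 0)
        if tag != TAG_INTEGER or version != b"\x00":
            raise ValueError("PrivateKeyInfo version must be INTEGER 0")
        tag, alg, pos = _read_tlv(outer, pos)
        if tag == TAG_INTEGER:
            # PKCS #1 RSAPrivateKey is SEQUENCE { INTEGER version, INTEGER n, ... }
            raise ValueError("looks like PKCS #1 RSAPrivateKey, not PKCS #8 PrivateKeyInfo")
        if tag != TAG_SEQUENCE:
            raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
        if not alg.startswith(RSA_ENCRYPTION_OID):
            raise ValueError("algorithm OID is not rsaEncryption")
        tag, _, _ = _read_tlv(outer, pos)
        if tag != TAG_OCTET_STRING:
            raise ValueError("privateKey field is not an OCTET STRING")
    except ValueError as exc:
        problems.append(f"DER structure invalid: {exc}")
    return problems


# Constructed samples (not real keys): a minimal PKCS #8 envelope with a dummy
# 3-byte privateKey field, and a minimal PKCS #1 RSAPrivateKey shape.
GOOD_DER = bytes.fromhex("3017" "020100" "300d06092a864886f70d0101010500" "0403010203")
PKCS1_DER = bytes.fromhex("3009" "020100" "020105" "020103")
SAMPLE_GOOD = base64.b64encode(GOOD_DER).decode()
SAMPLE_PKCS1 = base64.b64encode(PKCS1_DER).decode()
SAMPLE_WRAPPED = "-----BEGIN PRIVATE KEY-----\n" + SAMPLE_GOOD + "\n-----END PRIVATE KEY-----"

if __name__ == "__main__":
    for label, sample in [("good", SAMPLE_GOOD), ("pkcs1", SAMPLE_PKCS1), ("wrapped", SAMPLE_WRAPPED)]:
        print(label, check_pkcs8_rsa_key(sample) or "OK")
```

Run the checker against the exact string that is placed in the environment variable; an empty list means the envelope is well-formed, and any other result names the first mismatch with the PKCS #8 layout the service expects.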
Error creating configuration provider Returned in Logs
Problem
The following error messages appear in the logs:
Error creating configuration provider, will retry in five seconds
java.io.FileNotFoundException: <SOME URL>
Cause
The Account Management service cannot retrieve the OpenID Connect Discovery document.
Solution
Ensure that the URL passed to the Account Management service is correct and is reachable from the Account Management service.
This message might also appear if the identity provider is temporarily unavailable. If the error message stops once the Account Management service reconnects, you can ignore it.
Users Receive an HTTP Error 400 When Logging In
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, an HTTP 400 error is returned.
Cause
This error can occur for the following reasons:
- Account Management detects an error with the parameters passed in the request.
- The credentials given to the Account Management service, such as AM_OIDC_CLIENT_ID and AM_OIDC_CLIENT_SECRET, are incorrect.
Solution
Ensure that:
- The client is passing all required parameters to the back end.
- The identity provider is configured to use the authorization_code grant type (OpenID Connect Core 1.0, Section 3.1.3.1).
- The credentials given to the Account Management service are correct.
Users Receive an HTTP Error 403 When Logging In
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, an HTTP 403 error is returned.
Cause
This error occurs when the Account Management service successfully validates that the user is logged in, but no role is assigned to the user.
Solution
Ensure that:
- The identity provider has assigned the role of an associate or a seller administrator to the user.
- The values of AM_OIDC_ID_TOKEN_SCOPE, AM_OIDC_ID_TOKEN_GROUP_KEY, AM_OIDC_ID_TOKEN_ASSOCIATE_GROUP_VALUE, and AM_OIDC_ID_TOKEN_SELLER_USER_GROUP_VALUE set on the Account Management API are correct.
If all users of a particular type get this error, check the configuration of either the Account Management parameters or the identity provider. If only a particular user gets this error, check the configuration of that user on the identity provider.
Users Receive an HTTP Error 409 When Logging In
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, an HTTP 409 error is returned.
Cause
This error occurs when the Account Management service successfully validates that the user is logged in, but the email address used by the user is already in use in the Account Management service.
Solution
All users in the identity provider must have unique email addresses. Email addresses cannot be shared or reused among the users.
Users Receive an HTTP Error 500 When Logging In
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, an HTTP 500 error is returned.
Solution
- Inspect the logs to determine more information about the cause of the error.
Users cannot authenticate and the logs do not have enough detail
Problem
After successfully logging into the identity provider, when clients make a request to the admin/oauth2/tokens endpoint, an error is returned, but the logs do not contain enough information to debug it.
Solution
- Set the LOG_LEVEL_HTTP environment variable to TRACE and start the Account Management API service.
- Analyze the HTTP requests and responses exchanged between the Account Management API service and the identity provider. The HTTP details are on the lines that contain java.util.logging.LoggingProxyImpl and com.elasticpath.am.auth.plugin.oidc.OidcClient.
The Account Management service sends the following requests to the identity provider:
- A request to the token endpoint, as described in Section 3.1.3 of the OpenID Connect Core specification.
- A request to the UserInfo endpoint, as described in Section 5.3 of the OpenID Connect Core specification.
The following example shows a successful HTTP request and response:
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Request Body:code=fbae7451-7330-4f72-9bbe-4553fa1c0796&redirect_uri=http%3A%2F%2Flocalhost%3A28080%2Fstudio%2F&grant_type=authorization_code
TRACE java.util.logging.LoggingProxyImpl - ProxySelector Request for http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/token
TRACE java.util.logging.LoggingProxyImpl - Proxy used: DIRECT
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@382025e10 pairs: {POST /auth/realms/Commerce/protocol/openid-connect/token HTTP/1.1: null}{Authorization: Basic xxxxxx }{Content-Type: application/x-www-form-urlencoded; charset=UTF-8}{Cache-Control: no-cache}{Pragma: no-cache}{User-Agent: Java/1.8.0_232}{Host: localhost:8081}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 200}
TRACE java.util.logging.LoggingProxyImpl - KeepAlive stream used: http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/token
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@75402d5b7 pairs: {null: HTTP/1.1 200 OK}{Connection: keep-alive}{Cache-Control: no-store}{Pragma: no-cache}{Content-Type: application/json}{Date: Tue, 04 Feb 2020 00:49:03 GMT}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Response Body:{"access_token":"SlAV32hkKG","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg","not-before-policy":0,"session_state":"2f6faf72-735e-4eaf-8863-27ada73b9ba5","scope":"openid profile email"}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Request Body:null
TRACE java.util.logging.LoggingProxyImpl - ProxySelector Request for http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/userinfo
TRACE java.util.logging.LoggingProxyImpl - KeepAlive stream retrieved from the cache, sun.net.www.http.HttpClient(http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/token)
TRACE java.util.logging.LoggingProxyImpl - Proxy used: DIRECT
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@22e0c57d8 pairs: {GET /auth/realms/Commerce/protocol/openid-connect/userinfo HTTP/1.1: null}{Authorization: Bearer SlAV32hkKG}{Cache-Control: no-cache}{Pragma: no-cache}{User-Agent: Java/1.8.0_232}{Host: localhost:28081}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
TRACE java.util.logging.LoggingProxyImpl - KeepAlive stream used: http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/userinfo
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@1956d8f36 pairs: {null: HTTP/1.1 200 OK}{Connection: keep-alive}{Cache-Control: no-cache}{Content-Type: application/json}{Content-Length: 288}{Date: Tue, 04 Feb 2020 00:49:03 GMT}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Response Body:{"sub":"667247ae-4139-411f-a5a8-917071257399","email_verified":false,"roles":["offline_access","seller-users","uma_authorization"],"name":"Seller Admin","preferred_username":"seller.admin@example.com","given_name":"Seller","family_name":"Admin","email":"seller.admin@example.com"}
The following example shows a problem with the client credentials, as reported by the identity provider:
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Request Body:code=fbae7451-7330-4f72-9bbe-4553fa1c0796&redirect_uri=http%3A%2F%2Flocalhost%3A28080%2Fstudio%2F&grant_type=authorization_code
TRACE java.util.logging.LoggingProxyImpl - ProxySelector Request for http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/token
TRACE java.util.logging.LoggingProxyImpl - Proxy used: DIRECT
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@6e14eef610 pairs: {POST /auth/realms/Commerce/protocol/openid-connect/token HTTP/1.1: null}{Authorization: Basic xxxxxx}{Content-Type: application/x-www-form-urlencoded; charset=UTF-8}{Cache-Control: no-cache}{Pragma: no-cache}{User-Agent: Java/1.8.0_232}{Host: localhost:28081}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 200}
TRACE java.util.logging.LoggingProxyImpl - KeepAlive stream used: http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/token
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@822b8227 pairs: {null: HTTP/1.1 400 Bad Request}{Connection: keep-alive}{Cache-Control: no-store}{Pragma: no-cache}{Content-Type: application/json}{Date: Tue, 04 Feb 2020 00:10:43 GMT}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Response Body:{"error":"unauthorized_client","error_description":"INVALID_CREDENTIALS: Invalid client credentials"}
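Reading these TRACE lines by hand is tedious once there are many logins in the log. The script below is an added example, not part of the Account Management API: it groups the OidcClient and LoggingProxyImpl lines into one record per request to the identity provider, pairs each request with its HTTP status and response body, and summarises the outcome in the terms of the error sections above (an identity-provider error on the token endpoint, such as the unauthorized_client response, points at the client credentials; a successful UserInfo response whose group claim contains neither configured group value is the case that ends in HTTP 403). The group claim name and the two group values are assumed stand-ins for AM_OIDC_ID_TOKEN_GROUP_KEY and the *_GROUP_VALUE variables, and the assumption that the claim is read from the UserInfo response is the example's, not the page's. The embedded log is abridged from the two examples above, with the long header lines shortened to the parts the parser uses. Keep in mind that TRACE output carries the Authorization header, bearer tokens and the user's email address, so restrict access to these logs and lower LOG_LEVEL_HTTP again once the investigation is done.

```python
import json
import re

# Constructed sample: abridged from the TRACE examples above (a successful login,
# then a token request rejected by the identity provider).
SAMPLE_LOG = """\
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Request Body:code=fbae7451-7330-4f72-9bbe-4553fa1c0796&redirect_uri=http%3A%2F%2Flocalhost%3A28080%2Fstudio%2F&grant_type=authorization_code
TRACE java.util.logging.LoggingProxyImpl - ProxySelector Request for http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/token
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@382025e10 pairs: {POST /auth/realms/Commerce/protocol/openid-connect/token HTTP/1.1: null}{Authorization: Basic xxxxxx }{Content-Type: application/x-www-form-urlencoded; charset=UTF-8}
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@75402d5b7 pairs: {null: HTTP/1.1 200 OK}{Connection: keep-alive}{Content-Type: application/json}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Response Body:{"access_token":"SlAV32hkKG","token_type":"bearer","id_token":"eyJ...","scope":"openid profile email"}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Request Body:null
TRACE java.util.logging.LoggingProxyImpl - ProxySelector Request for http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/userinfo
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@22e0c57d8 pairs: {GET /auth/realms/Commerce/protocol/openid-connect/userinfo HTTP/1.1: null}{Authorization: Bearer SlAV32hkKG}
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@1956d8f36 pairs: {null: HTTP/1.1 200 OK}{Connection: keep-alive}{Content-Type: application/json}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Response Body:{"sub":"667247ae-4139-411f-a5a8-917071257399","email_verified":false,"roles":["offline_access","seller-users","uma_authorization"],"name":"Seller Admin","preferred_username":"seller.admin@example.com","email":"seller.admin@example.com"}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Request Body:code=fbae7451-7330-4f72-9bbe-4553fa1c0796&redirect_uri=http%3A%2F%2Flocalhost%3A28080%2Fstudio%2F&grant_type=authorization_code
TRACE java.util.logging.LoggingProxyImpl - ProxySelector Request for http://localhost:28081/auth/realms/Commerce/protocol/openid-connect/token
DEBUG java.util.logging.LoggingProxyImpl - sun.net.www.MessageHeader@822b8227 pairs: {null: HTTP/1.1 400 Bad Request}{Connection: keep-alive}{Content-Type: application/json}
TRACE com.elasticpath.am.auth.plugin.oidc.OidcClient - HTTP Response Body:{"error":"unauthorized_client","error_description":"INVALID_CREDENTIALS: Invalid client credentials"}
"""

REQ_BODY = re.compile(r"OidcClient - HTTP Request Body:(.*)$")
REQ_URL = re.compile(r"ProxySelector Request for (\S+)")
# Only the response header line starts with "{null: HTTP/1.x <status> ...}".
STATUS = re.compile(r"\{null: HTTP/1\.\d (\d{3}) [^}]*\}")
RESP_BODY = re.compile(r"OidcClient - HTTP Response Body:(.*)$")


def parse_exchanges(log_text):
    """Group the TRACE/DEBUG lines into one record per request to the identity provider."""
    exchanges, current = [], None
    for line in log_text.splitlines():
        if m := REQ_BODY.search(line):  # a request body line opens a new exchange
            current = {"request_body": m.group(1), "url": None, "status": None, "response": None}
            exchanges.append(current)
        elif current is None:
            continue
        elif m := REQ_URL.search(line):
            current["url"] = m.group(1)
        elif m := STATUS.search(line):
            current["status"] = int(m.group(1))
        elif m := RESP_BODY.search(line):
            try:
                current["response"] = json.loads(m.group(1))
            except json.JSONDecodeError:
                current["response"] = m.group(1)  # keep non-JSON bodies verbatim
    return exchanges


def triage(exchange, group_key="roles", associate_value="associate-users", seller_value="seller-users"):
    """Summarise one exchange. The three keyword defaults are assumed stand-ins for
    AM_OIDC_ID_TOKEN_GROUP_KEY and the two *_GROUP_VALUE settings (hypothetical values)."""
    endpoint = exchange["url"].rsplit("/", 1)[-1] if exchange["url"] else "?"
    status, body = exchange["status"], exchange["response"]
    if status != 200:
        detail = body.get("error_description", body.get("error")) if isinstance(body, dict) else body
        if isinstance(body, dict) and body.get("error") == "unauthorized_client":
            hint = "check AM_OIDC_CLIENT_ID / AM_OIDC_CLIENT_SECRET"
        else:
            hint = "check the request parameters sent by the client"
        return f"{endpoint}: HTTP {status} ({detail}); {hint}"
    if endpoint == "userinfo" and isinstance(body, dict):
        groups = body.get(group_key, [])
        if seller_value in groups:
            return f"userinfo: HTTP 200; user {body.get('email')} maps to seller administrator"
        if associate_value in groups:
            return f"userinfo: HTTP 200; user {body.get('email')} maps to associate"
        return f"userinfo: HTTP 200; no configured group in {group_key!r}: expect HTTP 403"
    return f"{endpoint}: HTTP {status}"


def triage_log(log_text, **config):
    """Run triage over every exchange found in the log text."""
    return [triage(ex, **config) for ex in parse_exchanges(log_text)]


if __name__ == "__main__":
    for line in triage_log(SAMPLE_LOG):
        print(line)
```

Pipe a real TRACE log into triage_log and pass the real AM_OIDC_ID_TOKEN_GROUP_KEY and group values as keyword arguments; every exchange then collapses to one line that names the endpoint, the HTTP status, and the configuration item the error section above tells you to check.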
Not enough details in the Account Management API logs
Problem
The Account Management API logs do not have enough detail about errors.
Solution
Use the following environment variables to control the log level output of various components of the Account Management API:
Parameter | Logger Prefix Matched
---|---
LOG_LEVEL_APACHE | org.apache
LOG_LEVEL_EP | com.elasticpath
LOG_LEVEL_FELIX | org.apache.felix
LOG_LEVEL_GEMINI | org.eclipse.gemini
LOG_LEVEL_HTTP | sun.net.www.protocol.http, com.elasticpath.am.auth.plugin.oidc.OidcClient
LOG_LEVEL_OPENJPA | openjpa
LOG_LEVEL_ROOT | All other loggers
LOG_LEVEL_SPRING | org.springframework
Each line in the log carries a logger (class) name, such as com.elasticpath.am.auth.plugin.oidc.OidcClient, and each environment variable controls the level of the loggers whose names begin with its prefix. You can set the variables to one of the following values:
- OFF
- ERROR
- WARN
- INFO
- DEBUG
- TRACE
- ALL
Too much detail in the Account Management API logs
Problem
The logs contain unwanted details and data, which affects performance or observability.
Solution
- Change the environment variables as described in the "Not enough details in the Account Management API logs" section.
- Find the lines you want to suppress and lower the level of the environment variable whose prefix matches their logger name.