CWOAU0061E: Unable to log in to IBM Cloud Pak foundational services console

The service provider cannot find the client because the client name is invalid. As a result, you cannot log in to the IBM Cloud Paks console.


The following error is displayed:

CWOAU0061E: The OAuth service provider could not find the client because the client name is not valid. Contact your system administrator to resolve the problem.


The Common Services platform generates the client or secret ID automatically. If the client ID is invalid:

Diagnosing the problem

To diagnose the problem:

  1. Check the client description.
    export MGDIR=cp-client-MG-$(date '+%y%b%dT%H-%M-%S')
    mkdir -p "$MGDIR"
    oc get clients -A > "$MGDIR/allclients.txt"
    # For every client, save its describe output and its YAML under $MGDIR/<namespace>/
    oc get clients -A --no-headers | while read -r ns name _; do
        mkdir -p "$MGDIR/$ns" \
          && oc describe clients "$name" -n "$ns" > "$MGDIR/$ns/${name}_desc.yaml" \
          && oc get clients "$name" -n "$ns" -o yaml > "$MGDIR/$ns/${name}_get.yaml" \
          && echo "gathered client description of $name under Namespace_$ns"
    done

    The possible errors in the client are as follows:

      Type     Reason           Age                     From                    Message
      ----     ------           ----                    ----                    -------
      Warning  GetClientFailed  6m28s (x2482 over 27d)  controller_oidc_client  {"error_description":"CWWKS1424E: The client id 74lobtucg32v6d98qbq0ui64442zg10o was not found.","error":"invalid_client"}
  2. Ensure that the client description is correct.

    clientId: ""
    secret: eip-cp4i-assets-ibm-integration-asset-repository-oidc-client

    The client ID with its corresponding secrets is available in the client YAML. You can confirm whether the clients are available in the backend by using the GET API.
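Added example (not part of the original IBM procedure): after step 1 has gathered the describe output, this shell function lists every client whose events contain CWWKS1424E, together with the client ID that the backend could not find. It assumes the $MGDIR/<namespace>/<client>_desc.yaml layout produced by step 1; the sample directory, namespaces and client names are constructed, and the event line is the one shown above.

```shell
# Build a small constructed gather directory to run the check against.
make_sample_gather() {
    d=$(mktemp -d)
    mkdir -p "$d/cp4i" "$d/ibm-common-services"
    cat > "$d/cp4i/asset-repo-client_desc.yaml" <<'EOF'
Name:       asset-repo-client
Events:
  Type     Reason           Age                     From                    Message
  ----     ------           ----                    ----                    -------
  Warning  GetClientFailed  6m28s (x2482 over 27d)  controller_oidc_client  {"error_description":"CWWKS1424E: The client id 74lobtucg32v6d98qbq0ui64442zg10o was not found.","error":"invalid_client"}
EOF
    cat > "$d/ibm-common-services/healthy-client_desc.yaml" <<'EOF'
Name:       healthy-client
Events:     <none>
EOF
    echo "$d"
}

# Print "<namespace> <client> <missing client ID>" for each affected client.
find_failed_clients() {
    dir=$1
    # Only files that mention CWWKS1424E are inspected further.
    grep -l 'CWWKS1424E' "$dir"/*/*_desc.yaml 2>/dev/null | while IFS= read -r f; do
        ns=$(basename "$(dirname "$f")")
        client=$(basename "$f" _desc.yaml)
        # Extract the client ID from the event message; repeated events collapse to one.
        id=$(sed -n 's/.*CWWKS1424E: The client id \([^ ]*\) was not found.*/\1/p' "$f" \
             | sort -u | head -n 1)
        printf '%s %s %s\n' "$ns" "$client" "$id"
    done
}

# Demonstration on the constructed sample; on a real gather, pass "$MGDIR" instead.
sample=$(make_sample_gather)
find_failed_clients "$sample"
rm -rf "$sample"
```
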

Testing the client available in the backend

Replace <client_id> in the following script with your client ID.

    export CLIENT_ID=<client_id>
    export OAUTH2_CLIENT_REGISTRATION_SECRET=$(oc -n ibm-common-services get secret platform-oidc-credentials -o "jsonpath={.data['OAUTH2_CLIENT_REGISTRATION_SECRET']}" | xargs -r0 | base64 -d)
    curl -k -X GET -u "oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET" "https://<cp-console URL>/idauth/oidc/endpoint/OP/registration/$CLIENT_ID"

If the output is JSON that contains the client ID, the client has no issue. If the CWWKS1424E error is returned, there is an issue with the client ID in the backend.

Resolving the problem

To resolve the issue, back up and delete the client ID:

  1. Back up the client_id.

    oc get client <enter your client_name> -o yaml > <client_name>.yaml.bk
  2. Delete the client_id.

    oc delete client <enter your client_name>
  3. Back up the IAM jobs.

    oc get job iam-config-job -o yaml > iam-config-job.yaml
    cp iam-config-job.yaml iam-config-job.yaml.bk
  4. Edit the iam-config-job.yaml file.

    vi iam-config-job.yaml

    Find the controller-uid and delete the complete lines with controller-uid: xxxxxxx.

    Note: Ensure that you delete all the lines with controller-uid: xxxxxxx.

  5. Delete the IAM job and create it again.

    oc delete job iam-config-job
    oc apply -f iam-config-job.yaml
  6. Wait for some time. Ensure that the IAM job is completed and client_id is created.

    oc get job iam-config-job

    The status must show as Completed.

    oc get client <enter your client_name>
  7. Restart the dependent pods to update the console with the new client ID.