CWOAU0061E: Unable to log in to IBM Cloud Pak foundational services console

The OAuth service provider cannot find the client because the client name is invalid. This prevents you from logging in to the IBM Cloud Paks console.

Symptoms

The following error is displayed:

CWOAU0061E: The OAuth service provider could not find the client because the client name is not valid. Contact your system administrator to resolve the problem.

Cause

The Common Services platform generates the client ID and secret automatically. If the client ID is invalid:

Diagnosing the problem

To diagnose the problem:

  1. Check the client description.

    getallclients.sh
    
    #!/bin/bash
    # Collect every Client resource in the cluster into a timestamped directory:
    # one summary listing, plus a describe and a full yaml per client.
    export MGDIR=cp-client-MG-$(date '+%y%b%dT%H-%M-%S')
    mkdir -p "$MGDIR"
    oc get clients -A > "$MGDIR/allclients.txt"
    # Column 1 is the namespace and column 2 the client name; build one shell
    # command per client and run the generated commands with bash.
    oc get clients -A --no-headers | awk '{print "mkdir -p $MGDIR/" $1 \
       " && oc describe clients " $2 " -n " $1 " > $MGDIR/" $1 "/" $2 "_desc.yaml" \
       " && oc get clients " $2 " -n " $1 " -o yaml > $MGDIR/" $1 "/" $2 "_get.yaml" \
       " && echo gathered client description of " $2 " under Namespace_" $1}' | bash
    

    The possible errors in the client are as follows:

    Events:
      Type     Reason           Age                     From                    Message
      ----     ------           ----                    ----                    -------
      Warning  GetClientFailed  6m28s (x2482 over 27d)  controller_oidc_client  {"error_description":"CWWKS1424E: The client id 74lobtucg32v6d98qbq0ui64442zg10o was not found.","error":"invalid_client"}
    
  2. Ensure that the client description is correct.

    spec:
      clientId: ""
      oidcLibertyClient:
        post_logout_redirect_uris:
        - https://eip-cp4i-assets-ibm-ar-eip-cp4i-test.eip-cp4i-ocp2-test-0d54270174f0e3b4f940106d6a55e2eb-0000.ca-tor.containers.appdomain.cloud/auth/logout
        redirect_uris:
        - https://eip-cp4i-assets-ibm-ar-eip-cp4i-test.eip-cp4i-ocp2-test-0d54270174f0e3b4f940106d6a55e2eb-0000.ca-tor.containers.appdomain.cloud/auth/callback
        trusted_uri_prefixes:
        - https://eip-cp4i-assets-ibm-ar-eip-cp4i-test.eip-cp4i-ocp2-test-0d54270174f0e3b4f940106d6a55e2eb-0000.ca-tor.containers.appdomain.cloud
      secret: eip-cp4i-assets-ibm-integration-asset-repository-oidc-client
    

    The client ID and the name of its corresponding secret are available in the client yaml. You can confirm whether the client exists in the backend by using the GET API.

Testing whether the client is available in the backend

Replace <client_id> and <cp-console URL> in the following script.

export CLIENT_ID=<client_id>
export OAUTH2_CLIENT_REGISTRATION_SECRET=$(oc -n ibm-common-services get secret platform-oidc-credentials -o "jsonpath={.data['OAUTH2_CLIENT_REGISTRATION_SECRET']}" | xargs -r0 |base64 -d)
curl -k -X GET -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET https://<cp-console URL>/idauth/oidc/endpoint/OP/registration/$CLIENT_ID

If the output is a JSON document that contains the client ID, the client has no issue. If the CWWKS1424E error is returned, there is an issue with the client ID in the backend.
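The decision described above (JSON containing the client ID means the client is fine, CWWKS1424E means it is missing in the backend) can be scripted. The following helper is an added example and is not part of the IBM page: classify_registration_response inspects only the response body, so it can be exercised offline with the constructed sample responses below; check_client_registered is the same curl call as above wrapped so its result is classified automatically. The console host, admin password and client ID it takes are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the IBM page: classify the body returned by the
# /idauth/oidc/endpoint/OP/registration/<client_id> call.
# Prints one of: present, missing, unknown.
classify_registration_response() {
    body="$1"
    client_id="$2"
    # The backend reports an unknown client with the CWWKS1424E message.
    if printf '%s' "$body" | grep -q 'CWWKS1424E'; then
        echo missing
        return 0
    fi
    # A healthy answer is a JSON document that echoes the registered client_id.
    if printf '%s' "$body" | grep -q "\"client_id\"[[:space:]]*:[[:space:]]*\"$client_id\""; then
        echo present
        return 0
    fi
    echo unknown
}

# Same curl call as in the page's script, with the result classified.
# Arguments: cp-console host name, oauthadmin password, client ID (all supplied by you).
check_client_registered() {
    console_host="$1"
    admin_secret="$2"
    client_id="$3"
    body=$(curl -k -s -u "oauthadmin:$admin_secret" \
        "https://$console_host/idauth/oidc/endpoint/OP/registration/$client_id")
    classify_registration_response "$body" "$client_id"
}

# Constructed sample responses (shape only, not captured from a real cluster);
# the client ID is the one shown in the page's event message.
SAMPLE_ID='74lobtucg32v6d98qbq0ui64442zg10o'
SAMPLE_OK='{"client_id":"74lobtucg32v6d98qbq0ui64442zg10o","redirect_uris":["https://example.invalid/auth/callback"]}'
SAMPLE_MISSING='{"error_description":"CWWKS1424E: The client id 74lobtucg32v6d98qbq0ui64442zg10o was not found.","error":"invalid_client"}'
SAMPLE_OTHER='{"error":"invalid_request"}'

# Usage with the constructed samples:
#   classify_registration_response "$SAMPLE_OK" "$SAMPLE_ID"       -> present
#   classify_registration_response "$SAMPLE_MISSING" "$SAMPLE_ID"  -> missing
#   classify_registration_response "$SAMPLE_OTHER" "$SAMPLE_ID"    -> unknown
```

A response that is neither a JSON document with the expected client_id nor the CWWKS1424E error is reported as unknown rather than as present, so an authentication failure against the registration endpoint or a different client ID is not mistaken for a healthy client.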

Resolving the problem

To resolve the issue, back up and delete the client ID:

  1. Back up the client_id.

    oc get client <enter your client_name> -o yaml > <client_name>.yaml.bk
    
  2. Delete the client_id.

    oc delete client <enter your client_name>
    
  3. Back up the IAM jobs.

    oc get job iam-config-job -o yaml > iam-config-job.yaml
    
    cp iam-config-job.yaml iam-config-job.yaml.bk
    
  4. Edit the iam-config-job.yaml file.

    vi iam-config-job.yaml
    

    Find the controller-uid entries and delete every complete line that contains controller-uid: xxxxxxx.

    Note: Ensure that you delete all the lines with controller-uid: xxxxxxx.

  5. Delete the IAM job and create it again.

    oc delete job iam-config-job
    
    oc apply -f iam-config-job.yaml
    
  6. Wait for some time, then ensure that the IAM job is completed and the client_id is created.

    oc get job iam-config-job
    

    The status must show as Completed.

    oc get client <enter your client_name>
    
  7. Restart the usermgmt and zen-audit pods in the Zen namespace to update the console with the new client ID.

    1. Get the usermgmt and zen-audit pod names.

      oc get pods |grep usermgmt
      
      oc get pods |grep zen-audit
      
    2. Delete the usermgmt and zen-audit pods.

      oc delete pod <usermgmt-pod-name>
      
      oc delete pod <zen-audit-pod-name>
      
  8. Restart the platform-auth pods.

    1. Get the platform-auth pod name.

      oc get pods |grep platform-auth
      
    2. Delete the platform-auth pod.

      oc delete pod <platform-auth-pod-name>
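Step 4 of the procedure above is the one most easily done incompletely by hand: every line that contains controller-uid must go before the job manifest is re-applied. The following helpers are an added example, not part of the IBM page: strip_controller_uid performs that edit non-interactively on the exported iam-config-job.yaml, and count_controller_uid gives the check that the Note in step 4 asks for. The sample manifest written by write_sample_job is constructed for this example (the UID value is a placeholder and the real exported file has many more fields).

```shell
#!/bin/sh
# Added example, not from the IBM page: remove every controller-uid line from an
# exported Job manifest and verify that none remain.

# Count the lines in manifest $1 that still mention controller-uid.
# grep -c exits 1 when there are no matches, so keep the "0" it prints.
count_controller_uid() {
    grep -c 'controller-uid' "$1" || true
}

# Write a copy of manifest $1 to $2 with every controller-uid line removed.
# The original file is left untouched, matching the page's backup-first approach.
strip_controller_uid() {
    sed '/controller-uid/d' "$1" > "$2"
}

# Constructed sample of the parts of an exported Job manifest that carry the
# controller-uid (placeholder UID, not a real cluster value).
write_sample_job() {
    cat > "$1" <<'EOF'
apiVersion: batch/v1
kind: Job
metadata:
  name: iam-config-job
  labels:
    controller-uid: 00000000-0000-0000-0000-000000000000
spec:
  selector:
    matchLabels:
      controller-uid: 00000000-0000-0000-0000-000000000000
  template:
    metadata:
      labels:
        controller-uid: 00000000-0000-0000-0000-000000000000
        job-name: iam-config-job
    spec:
      restartPolicy: Never
EOF
}

# Usage on a real export (after the backup in step 3):
#   strip_controller_uid iam-config-job.yaml iam-config-job.clean.yaml
#   count_controller_uid iam-config-job.clean.yaml    # must print 0
#   oc apply -f iam-config-job.clean.yaml
```

Run count_controller_uid on the cleaned file and confirm it prints 0 before the oc apply in step 5; a non-zero count means a controller-uid line survived and the job will not be recreated correctly.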