CWOAU0061E: Unable to log in to IBM Cloud Pak foundational services console
The OAuth service provider cannot find the client because the client name is invalid. This prevents you from logging in to the IBM Cloud Paks console.
Symptoms
The following error is displayed:
CWOAU0061E: The OAuth service provider could not find the client because the client name is not valid. Contact your system administrator to resolve the problem.
Cause
The Common Services platform generates the client ID and secret automatically. The client ID can become invalid for one of the following reasons:
- The OpenID Connect (OIDC) secret was updated with a new client ID or secret, and the new values were not pulled into Event Streams.
- The client ID is invalid, and the Event Streams secret was not updated with a new valid client ID.
- The Common Services operator needs to be installed again.
Diagnosing the problem
To diagnose the problem:
- Check the client description by running the following script (for example, saved as getallclients.sh). It writes the list of all clients and the description and YAML of every client in every namespace under a timestamped directory.
  export MGDIR=cp-client-MG-$(date '+%y%b%dT%H-%M-%S')
  mkdir -p $MGDIR
  oc get clients -A > $MGDIR/allclients.txt
  oc get clients -A --no-headers | awk '{print "mkdir -p $MGDIR/"$1" && oc describe clients "$2" -n "$1" > $MGDIR/"$1"/"$2"_desc.yaml && oc get clients "$2" -n "$1" -o yaml > $MGDIR/"$1"/"$2"_get.yaml && echo gathered client description of "$2" under Namespace_"$1}' | bash
  The possible errors in the client description are as follows:
  Events:
    Type     Reason           Age                     From                    Message
    ----     ------           ----                    ----                    -------
    Warning  GetClientFailed  6m28s (x2482 over 27d)  controller_oidc_client  {"error_description":"CWWKS1424E: The client id 74lobtucg32v6d98qbq0ui64442zg10o was not found.","error":"invalid_client"}
- Ensure that the client description is correct. In the following example, the clientId field is empty:
  spec:
    clientId: ""
    oidcLibertyClient:
      post_logout_redirect_uris:
      - https://eip-cp4i-assets-ibm-ar-eip-cp4i-test.eip-cp4i-ocp2-test-0d54270174f0e3b4f940106d6a55e2eb-0000.ca-tor.containers.appdomain.cloud/auth/logout
      redirect_uris:
      - https://eip-cp4i-assets-ibm-ar-eip-cp4i-test.eip-cp4i-ocp2-test-0d54270174f0e3b4f940106d6a55e2eb-0000.ca-tor.containers.appdomain.cloud/auth/callback
      trusted_uri_prefixes:
      - https://eip-cp4i-assets-ibm-ar-eip-cp4i-test.eip-cp4i-ocp2-test-0d54270174f0e3b4f940106d6a55e2eb-0000.ca-tor.containers.appdomain.cloud
    secret: eip-cp4i-assets-ibm-integration-asset-repository-oidc-client
  The client ID and its corresponding secret are available in the client YAML. You can confirm whether the client exists in the backend by using the GET API, as described next.
Testing the client available in the backend
Replace <client_id> and <cp-console URL> in the following commands with your client ID and the URL of your cp-console route.
export CLIENT_ID=<client_id>
export OAUTH2_CLIENT_REGISTRATION_SECRET=$(oc -n ibm-common-services get secret platform-oidc-credentials -o "jsonpath={.data['OAUTH2_CLIENT_REGISTRATION_SECRET']}" | xargs -r0 |base64 -d)
curl -k -X GET -u oauthadmin:$OAUTH2_CLIENT_REGISTRATION_SECRET https://<cp-console URL>/idauth/oidc/endpoint/OP/registration/$CLIENT_ID
If the output is a JSON document that contains the client ID, the client has no issue. If the CWWKS1424E error is returned, the client ID does not exist in the backend.
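The following helper functions are an added example and are not part of the IBM documentation or of any IBM tooling. They show how the two checks above can be automated: detecting the CWWKS1424E / invalid_client warning in the Events section of oc describe client output, and classifying the body that the /registration/<client_id> endpoint returns. The sample describe output and the sample response bodies are constructed for the example (the client ID is the one shown in the event text above, the client and namespace names are placeholders), and the argument order of check_client_in_backend is this example's own convention.

```shell
#!/bin/sh
# Added example, not IBM's tooling: classify OIDC client health from
# (a) the Events section of `oc describe client` output and
# (b) the body returned by the /registration/<client_id> endpoint.

# Constructed sample: describe output for a client whose backend id is gone.
SAMPLE_DESCRIBE_BROKEN='Name:         example-oidc-client
Namespace:    example-ns
Events:
  Type     Reason           Age                     From                    Message
  ----     ------           ----                    ----                    -------
  Warning  GetClientFailed  6m28s (x2482 over 27d)  controller_oidc_client  {"error_description":"CWWKS1424E: The client id 74lobtucg32v6d98qbq0ui64442zg10o was not found.","error":"invalid_client"}'

# Constructed sample: describe output for a healthy client.
SAMPLE_DESCRIBE_HEALTHY='Name:         example-oidc-client
Namespace:    example-ns
Events:       <none>'

# Constructed samples of registration-endpoint bodies (secret omitted).
SAMPLE_BODY_OK='{"client_id":"74lobtucg32v6d98qbq0ui64442zg10o","redirect_uris":["https://example.invalid/auth/callback"]}'
SAMPLE_BODY_MISSING='{"error_description":"CWWKS1424E: The client id 74lobtucg32v6d98qbq0ui64442zg10o was not found.","error":"invalid_client"}'

# Succeed and print the client id that the backend reported as missing when
# the describe output carries a CWWKS1424E warning; fail (return 1) otherwise.
missing_client_id_from_events() {
  printf '%s\n' "$1" | grep -q 'CWWKS1424E' || return 1
  printf '%s\n' "$1" \
    | sed -n 's/.*CWWKS1424E: The client id \([A-Za-z0-9]*\) was not found.*/\1/p' \
    | head -n 1
}

# Classify a registration-endpoint body:
#   ok      - JSON that carries a "client_id" field (client exists in the backend)
#   missing - CWWKS1424E / invalid_client error (client id unknown to the backend)
#   unknown - anything else (wrong URL, auth failure, HTML error page, ...)
classify_registration_response() {
  case "$1" in
    *CWWKS1424E*|*'"invalid_client"'*) echo missing ;;
    *'"client_id"'*)                    echo ok ;;
    *)                                  echo unknown ;;
  esac
}

# Live check against the cluster (not executed here). Mirrors the curl command
# above; usage: check_client_in_backend <client_id> <cp-console-host>
check_client_in_backend() {
  reg_secret=$(oc -n ibm-common-services get secret platform-oidc-credentials \
    -o "jsonpath={.data['OAUTH2_CLIENT_REGISTRATION_SECRET']}" | base64 -d)
  body=$(curl -k -s -u "oauthadmin:$reg_secret" \
    "https://$2/idauth/oidc/endpoint/OP/registration/$1")
  classify_registration_response "$body"
}

# Demo on the constructed samples.
if missing_id=$(missing_client_id_from_events "$SAMPLE_DESCRIBE_BROKEN"); then
  echo "broken client: backend does not know client id $missing_id"
fi
if ! missing_client_id_from_events "$SAMPLE_DESCRIBE_HEALTHY" >/dev/null; then
  echo "healthy client: no CWWKS1424E event"
fi
echo "registration response for valid client:   $(classify_registration_response "$SAMPLE_BODY_OK")"
echo "registration response for invalid client: $(classify_registration_response "$SAMPLE_BODY_MISSING")"
```

A client whose events report CWWKS1424E while the registration endpoint still answers "ok" for the id in the Client resource points at a stale Client object rather than a missing backend registration, so running both checks before deleting anything avoids removing a client that is actually fine.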
Resolving the problem
To resolve the issue, back up and delete the client ID, then re-create the IAM configuration job so that a new client ID is generated:
- Back up the client_id.
  oc get client <enter your client_name> -o yaml > <client_name>.yaml.bk
- Delete the client_id.
  oc delete client <enter your client_name>
- Back up the IAM job.
  oc get job iam-config-job -o yaml > iam-config-job.yaml
  cp iam-config-job.yaml iam-config-job.yaml.bk
- Edit the iam-config-job.yaml file.
  vi iam-config-job.yaml
  Find the controller-uid and delete every line that contains controller-uid: xxxxxxx.
  Note: Ensure that you delete all the lines with controller-uid: xxxxxxx.
- Delete the IAM job and create it again.
  oc delete job iam-config-job
  oc apply -f iam-config-job.yaml
- Wait for some time. Ensure that the IAM job is completed and the client_id is created.
  oc get job iam-config-job
  The status must show as Completed.
  oc get client <enter your client_name>
- Restart the usermgmt and zen-audit pods in the Zen namespace to update the console with the new client ID.
  - Get the usermgmt and zen-audit pod names.
    oc get pods | grep usermgmt
    oc get pods | grep zen-audit
  - Delete the usermgmt and zen-audit pods.
    oc delete pod <usermgmt-pod-name>
    oc delete pod <zen-audit-pod-name>
- Restart the platform-auth pods.
  - Get the platform-auth pod name.
    oc get pods | grep platform-auth
  - Delete the platform-auth pod.
    oc delete pod <platform-auth-pod-name>
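The manual vi edit in the procedure above is the step most likely to go wrong, because controller-uid appears in more than one place in a Job manifest and a single surviving line makes the re-applied job unusable. The following shell functions are an added example, not IBM's tooling: they remove every controller-uid line with sed, refuse to proceed if one survived, and poll the re-created job for completion. The sample Job YAML is constructed (the uid and image values are placeholders), and watching .status.succeeded as the completion signal is this example's assumption about the field that oc get job summarises in its COMPLETIONS column.

```shell
#!/bin/sh
# Added example, not IBM's tooling: scripted version of the
# "delete every controller-uid line, then re-create the job" step.

# Constructed sample of the relevant parts of a backed-up Job manifest.
# The uid and image values are placeholders, not real cluster values.
SAMPLE_JOB_YAML='apiVersion: batch/v1
kind: Job
metadata:
  name: iam-config-job
  namespace: ibm-common-services
  labels:
    controller-uid: 00000000-0000-0000-0000-000000000000
    job-name: iam-config-job
spec:
  selector:
    matchLabels:
      controller-uid: 00000000-0000-0000-0000-000000000000
  template:
    metadata:
      labels:
        controller-uid: 00000000-0000-0000-0000-000000000000
        job-name: iam-config-job
    spec:
      restartPolicy: Never
      containers:
      - name: iam-config
        image: PLACEHOLDER_IMAGE'

# Print the manifest with every line that mentions controller-uid removed.
strip_controller_uid() {
  printf '%s\n' "$1" | sed '/controller-uid:/d'
}

# Count the controller-uid lines that remain (0 means ready to apply).
count_controller_uid() {
  printf '%s\n' "$1" | grep -c 'controller-uid:' || true
}

# File-based workflow (not executed here): rewrite the working copy in place,
# leave the .bk copy untouched, and stop if a controller-uid line survived.
# Usage: clean_iam_config_job iam-config-job.yaml
clean_iam_config_job() {
  cleaned=$(strip_controller_uid "$(cat "$1")")
  if [ "$(count_controller_uid "$cleaned")" -ne 0 ]; then
    echo "controller-uid lines still present in $1; not applying" >&2
    return 1
  fi
  printf '%s\n' "$cleaned" > "$1"
}

# Poll the re-created job (not executed here). Assumption of this example:
# a finished batch/v1 Job records its successful pods in .status.succeeded.
wait_for_iam_config_job() {
  attempts=0
  while [ "$attempts" -lt 60 ]; do
    succeeded=$(oc get job iam-config-job -o jsonpath='{.status.succeeded}' 2>/dev/null)
    if [ "${succeeded:-0}" -ge 1 ]; then
      return 0
    fi
    attempts=$((attempts + 1))
    sleep 10
  done
  echo "iam-config-job did not complete within 10 minutes" >&2
  return 1
}

# Demo on the constructed sample.
CLEANED_SAMPLE=$(strip_controller_uid "$SAMPLE_JOB_YAML")
echo "controller-uid lines before: $(count_controller_uid "$SAMPLE_JOB_YAML")"
echo "controller-uid lines after:  $(count_controller_uid "$CLEANED_SAMPLE")"
```

The job-name labels and the job's own metadata.name are left intact by the sed expression, which is what the re-created job needs; only the generated controller-uid values, which the API server assigns fresh on creation, are removed.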