com.ibm.ws.security.oauth20.resources.ProviderMsgs

CWOAU0001I: Initializing OAuth 20 providers.

Explanation

Initialization of the OAuth modules has started.

Action

None, informational only.

CWOAU0002I: OAuth TAI enabled successfully.

Explanation

Enablement of the OAuth TAI completed successfully.

Action

None, informational only.

CWOAU0003I: OAuth Provider created successfully.

Explanation

Creation of the OAuth provider completed successfully.

Action

None, informational only.

CWOAU0004E: Error: admin commands must run in connected mode to a started server.

Explanation

OAuth administration commands require a running server environment to modify settings.

Action

Start the server or deployment manager and try again.

CWOAU0005I: OAuth Provider deleted successfully.

Explanation

Deletion of the OAuth provider completed successfully.

Action

None, informational only.

CWOAU0006E: Filename already exists.

Explanation

The specified filename must not exist.

Action

Specify a new file name.

CWOAU0007E: OAuth provider not found.

Explanation

The specified OAuth provider does not exist.

Action

Check the OAuth provider name and try again.

CWOAU0008I: Configuration successfully written to {0}

Explanation

The command has completed successfully.

Action

None, informational only.

CWOAU0009E: File not found: {0}

Explanation

The specified file name does not exist.

Action

Check the file name and try again.

CWOAU0010I: Configuration imported successfully.

Explanation

The command has completed successfully.

Action

None, informational only.

CWOAU0011I: OAuth20MBean processing command {0}.

Explanation

The OAuth MBean on this node has been invoked to run a command.

Action

None, informational only.

CWOAU0012E: Error initializing OAuth framework

Explanation

The OAuth framework failed to initialize.

Action

Refer to the exception details for further information.

CWOAU0013I: OAuth20ClientMBean processing command {0}.

Explanation

The OAuth MBean on this node has been invoked to run a command.

Action

None, informational only.

CWOAU0014E: No OAuth Client MBeans found, in-memory client table operations will fail.

Explanation

A configuration error has retrieved registration or lookup of MBeans of type OAuth20ClientMBean.

Action

Refer to the MBean registration trace logs for further details.

CWOAU0015E: Failed to delete the client with id = {0}.

Explanation

The client provider failed to delete the specified client because of an internal error.

Action

None, informational only.

CWOAU0016E: Failed to update the client with id = {0}.

Explanation

The client provider failed to update the specified client because of an internal error.

Action

None, informational only.

CWOAU0017E: Failed to create the client.

Explanation

The client provider failed to create a new client because of an internal error.

Action

None, informational only.

CWOAU0018E: Cannot get request dispatcher specified by configuration {0} at context={1} path={2}.

Explanation

The OAuth20 endpoint servlet cannot find the specified request dispatcher to render the template.

Action

Double check the configuration parameter and make sure the specified context root and path exist.

CWOAU0019E: You are not authorized to access this protected resource.

Explanation

The username parameter in the OAuth request was either not specified or was a null string.

Action

Specify a valid username parameter in the OAuth request.

CWOAU0020E: The authorization code {0} does not belong to the client attempting to use it: {1}.

Explanation

The client_id parameter specified in the OAuth request does not match the client ID value in the authorization code. These values should match. One reason for this error is that that the client_id parameter in the OAuth request was modified during the OAuth flow.

Action

Make sure the value of the client_id parameter in the OAuth request is the same client ID value that was used when obtaining the authorization code.

CWOAU0021E: The parameter [{0}] contains an illegally formatted value: [{1}].

Explanation

The value of scope parameter in the OAuth request is not valid. The scope parameter must only contain the following hexidecimal characters: [x21, x(23 through 5B), x(5D through 7E)]

Action

Make sure the scope parameter only contains characters that are supported.

CWOAU0022E: The following OAuth parameter was provided more than once in the request: {0}

Explanation

The same parameter was specified multiple times in the OAuth request.

Action

Double check the parameter in the OAuth request and make sure it is specified only once.

CWOAU0023E: The OAuth service provider could not find the client {0}.

Explanation

The OAuth service provider could not find the client specified in the value of the client_id parameter in the OAuth request.

Action

Make sure the client is registered with the OAuth service provider or specify a registered client for the client_id parameter value. Also, ensure that the client is enabled in the OAuth service provider configuration.

CWOAU0024E: The OAuth client {0} presented an invalid client secret in the OAuth request.

Explanation

The value of client_secret parameter in the OAuth request was not valid.

Action

Check the value of the client_secret parameter in the OAuth request and make sure it matches the client secret value of the registered client in the OAuth service provider configuration.

CWOAU0025E: The grant_type parameter was invalid: {0}

Explanation

The value of the grant_type parameter in the OAuth request is not valid.

Action

Make sure the value of the grant_type parameter in the OAuth request is from one of the following values: authorization_code, password, client_credentials, refresh_token, implicit, urn:ietf:params:oauth:grant-type:jwt-bearer

CWOAU0026E: The redirect URI parameter was invalid: {0}

Explanation

The value of the redirect URI parameter in the OAuth request may not be a valid absolute URI.

Action

Make sure the value of the redirect URI parameter in the OAuth request is a valid absolute URI value.

CWOAU0027E: The response_type parameter was invalid: {0}

Explanation

The value of the response_type parameter in the OAuth request is not valid.

Action

Check the value of the response_type parameter in the OAuth request and make sure it contains one of the following values: code, token.

CWOAU0028E: The requested scope: [{0}] exceeds the scope granted by the resource owner: [{1}].

Explanation

The value of the scope parameter in the OAuth request cannot be broader than the scope approved for the client.

Action

Check the value of the scope parameter in the OAuth request and make sure it is equal to or a subset of the scope that was approved by the resource owner.

CWOAU0029E: The token with key: {0} type: {1} subType: {2} was not found in the token cache.

Explanation

The OAuth token was either not in the cache, or the token type or subType did not match the expected value.

Action

Make sure the client associated with the token is not disabled in the OAuth provider configuration. Also make sure the type and subType of the token both have the values that are expected.

CWOAU0030E: An invalid HTTP method was used at the token endpoint: {0}

Explanation

The HTTP method used by the OAuth client is not valid.

Action

Make sure the client uses the HTTP POST method.

CWOAU0031E: The client_id passed in the request to the token endpoint: {0} did not match the authenticated client provided in the API call: {1}

Explanation

The value of the client_id parameter in the API call did not match the client ID in the authorization code that was sent to the client.

Action

Check the client_id parameter in the OAuth request or API call and make sure it matches the client ID that was used when obtaining the authorization code.

CWOAU0032E: The received redirect URI: {0} does not match the redirect URI the grant was issued to: {1}

Explanation

The value of the redirect_uri parameter in the OAuth request does not match the redirect URI attribute in the registered client.

Action

Check the value of the redirect_uri parameter in the OAuth request and make sure it matches the redirect URI attribute that exists in the registered client.

CWOAU0033E: A required runtime parameter was missing: {0}

Explanation

The OAuth provider runtime code did not find a required parameter when processing the client request.

Action

Check the missing parameter in the OAuth request and make sure that it is specified.

CWOAU0034E: A public client attempted to access the token endpoint using the client_credentials grant type. The client_id is: {0}

Explanation

An OAuth public client is not allowed to use the client_credentials grant type.

Action

Check the value of the grant_type parameter in the OAuth request and use a different grant type for the public client.

CWOAU0035E: A public client attempted to access the token endpoint and public clients are forbidden in this component configuration. The client_id is: {0}

Explanation

The OAuth provider is configured to not allow public clients to access the token endpoint.

Action

If you intend to allow access to public clients, set the allowPublicClients attribute to true in the OAuth provider configuration.

CWOAU0036E: The refresh token: {0} does not belong to the client attempting to use it: {1}

Explanation

The value of the client_id parameter in the OAuth request does not match the client ID in the refresh token.

Action

Check the value of the client_id parameter in the OAuth request and make sure it matches the client ID that is contained in the refresh token.

CWOAU0037E: HTTP scheme is used at the specified endpoint: {0}, HTTPS is required.

Explanation

The OAuth provider requires the OAuth request to use HTTPS, but HTTP was used in the request URL.

Action

Check the request URL in the OAuth request and make sure it uses HTTPS.

CWOAU0038E: The client could not be verified. Either the client ID: {0} or client secret is incorrect.

Explanation

The OAuth provider could not verify the client.

Action

Check that the client ID and client secret are valid and they match the configuration of the OAuth client and OpenID Connect client.

CWOAU0039A: Authorization failed for user {0} The user is not granted access to any of the required roles for OAuth 2.0 and the OpenID Connect request.

Explanation

The user does not have the necessary permission to access the resource of OAuth 2.0 and OpenID Connect.

Action

Contact your security administrator if this is unexpected. Your user must be mapped to one of the roles of the OAuth web application security role map.

CWOAU0039W: The request directed to the endpoint URL of [{0}] was not recognized by the OAuth provider as a valid request.

Explanation

OAuth 2.0 and OpenID Connect requests are expected to be directed to a specific subset of endpoints. The request URL might not have been formatted correctly, or the request was directed to a context or endpoint that does not support these requests.

Action

Check the path of the request to make sure it is properly formatted and directed to a valid endpoint that supports OAuth 2.0 or OpenID Connect requests, whichever is appropriate.

CWOAU0041E: The filter criteria matched for more than one provider [{0}] for processing the request. The filter criteria should not overlap between providers.

Explanation

OAuth 2.0 and OpenID Connect requests are expected to be directed to a specific provider based on the filter criteria. However, this request met the criteria for multiple provider filter configurations.

Action

Check the filter configuration of each provider to make sure the filter criteria do not overlap between multiple providers.

CWOAU0042E: The authorization request [{0}] parameter value: [{1}] is not valid because it has a value of ''none'' in addition to other values.

Explanation

The prompt parameter must not contain other values when a value of 'none' is specified.

Action

Specify only the 'none' value in the prompt parameter or specify the other values without the 'none' value.

CWOAU0043E: The OAuth authorization endpoint could not redirect the user agent to the redirection URI [{0}] because there was an unexpected java.io.IOException with message: {1}

Explanation

There was an unexpected java.io.IOException while attempting to redirect to the client's redirection URI.

Action

Review the exception message.

CWOAU0044E: The OAuth authorization endpoint could not process the OAuth request because there was no issuer identifier found.

Explanation

The issuer identifier is missing and it is required to complete the OAuth resource request. This is an internal server error.

Action

None.

CWOAU0045E: The OAuth token endpoint could not write the HTTP response to the OAuth client {0} because there was an unexpected exception with message: {1}

Explanation

There was an unexpected exception while attempting to write the HTTP response for an OAuth token request.

Action

Review the exception message.

CWOAU0046E: The OAuth token endpoint could not process the OAuth request because there was no issuer identifier found.

Explanation

The issuer identifier is missing and it is required to complete the OAuth token request. This is an internal server error.

Action

None.

CWOAU0047E: The OAuth service provider could not decode an HTTP request query string parameter because there was an unexpected java.io.UnsupportedEncodingException.

Explanation

There was an unexpected java.io.UnsupportedEncodingException while attempting to decode an HTTP request query string parameter from the 'application/x-www-form-urlencoded' MIME format for an OAuth token or resource request.

Action

None.

CWOAU0048E: The configuration parameter [{0}] is not set.

Explanation

The OAuth20 provider cannot process the request because the required configuration parameter is not set.

Action

Check the configuration parameter and make sure the required configuration parameter is configured.

CWOAU0049E: The specified class with the configuration parameter [{0}] does not match the required interface class [{1}].

Explanation

The OAuth20 provider cannot construct the specified class because the specified class does not match the required interface class.

Action

Check the configuration parameter and make sure the specified class is an implementation class of the required interface class.

CWOAU0050E: The specified class [{0}] with the configuration parameter [{1}] cannot be instantiated. The root exception is : {2}

Explanation

The OAuth20 provider cannot instantiate the specified class.

Action

Review the exception message.

CWOAU0051E: The configuration value [{1}] which is specified with the configuration parameter [{0}] is not valid.

Explanation

The OAuth20 provider cannot process the request because the specified configuration parameter is invalid.

Action

Check the configuration parameter and make sure the specified value is valid.

CWOAU0052E: The value of the configuration parameter [{0}] does not match the grant_type parameter [{1}] in the OAuth request.

Explanation

The OAuth20 provider cannot process the request because the grant_type parameter in the request is not allowed to process.

Action

Check the configuration parameter and make sure the specified value is consistent with the grant_type parameter in the OAuth request.

CWOAU0053E: The value of the configuration parameter [{0}] does not match the response_type parameter [{1}] in the OAuth request.

Explanation

The OAuth20 provider cannot process the request because the response_type parameter in the request is not allowed to process.

Action

Check the configuration parameter and make sure the specified value is consistent with the respose_type parameter in the OAuth request.

CWOAU0054E: The userClientTokenLimit in the token cache with userID "{0}" and clientID "{1}" has been exceeded or reached. The limit is: {2}.

Explanation

The same user has too many active sessions with the same OAuth20 provider.

Action

Either increase the value of the userClientTokenLimit attribute in the configuration to increase the size of the token cache, or use a different user/client combination, such as a different client.

CWOAU0055E: The redirect URI specified in the registered client of the OAuth provider is not valid: {0}

Explanation

The value of the redirect attribute in the OAuth provider's registered client may not be a valid absolute URI.

Action

Make sure the value of the redirect attribute in the OAuth provider's registered client configuration is a valid absolute URI value.

CWOAU0056E: The redirect URI parameter [{0}] provided in the OAuth or OpenID Connect request did not match any of the redirect URIs registered with the OAuth provider [{1}].

Explanation

The value of the redirect_uri parameter specified in the OAuth or OpenID Connect request does not match any of the redirect URI values specified in the registered client of the OAuth provider.

Action

Make sure the value of the redirect_uri parameter in the OAuth or OpenID Connect request matches one of the redirect URI values specified in the registered client configuration.

CWOAU0057E: The response_type parameter [{0}] in the OAuth or OpenID Connect request cannot include both [{1}] and [{2}] as response types.

Explanation

The OAuth or OpenID Connect request should have only one response type.

Action

Check the value of the response_type parameter in the OAuth or OpenID Connect request and make sure it contains only one response type.

CWOAU0058E: The OAuth token with key [{0}], type [{1}], and subType [{2}] has expired.

Explanation

The OAuth token has expired and is no longer valid.

Action

Request a new OAuth token from the OAuth provider.

CWOAU0059E: The OAuth token with key [{0}], type [{1}], and subType [{2}] is not associated with any client, or the associated client is not enabled.

Explanation

The OAuth token is not associated with any client, or the associated client has been disabled in the configuration.

Action

Check the OAuth provider client configuration to make sure the appropriate client is configured and enabled.

CWOAU0060E: The redirect URI included in the OAuth or OpenID Connect request is {0}, but a non-null redirect URI is provided in the request for the authorization grant: {1}

Explanation

If no redirect URI is included in the request, then a redirect URI must not have been specified in the request for the authorization grant.

Action

Check the value of the redirect_uri parameter in the OAuth or OpenID Connect request and make sure it matches the redirect URI attribute that exists in the registered client, or do not include a redirect URI in the request for the authorization grant.

CWOAU0061E: The OAuth service provider could not find the client because the client name is not valid. Contact your system administrator to resolve the problem.

Explanation

The OAuth service provider could not find the client specified in the value of the client_id parameter in the OAuth request.

Action

Contact your system administrator to resolve the problem.

CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.

Explanation

Either the value of the redirect attribute in the OAuth provider's registered client may not be valid or, if the redirect_uri parameter is specified in the OAuth request, its value does not match the redirect URI value specified in the OAuth provider's registered client.

Action

Contact your system administrator to resolve the problem.

CWOAU0063E: The token endpoint request failed because of two different client_id(s) in the request. One of the client_id(s) is {0} and another is {1} which is authenticated and very likely passed in through the Authorization header.

Explanation

The value of the client_id parameter in the request did not match the authenticated client_id which is passed in through the request as well.

Action

Make sure only only one authenticated client_id is in the request. A client_id can be passed through the Authorization header or the parameter of a request.

CWOAU0064E: The requested scope [{0}] and registered scope [{1}] of the client [{2}] does not have a common scope among them. The resultant scope is empty.

Explanation

The requested scope set and the registered scope set must have at least one common scope between them.

Action

Make sure requested and registered scope sets have at least one common scope between them.

CWOAU0065E: The authorization server cannot process the [{0}] request. It is missing the required scope parameter.

Explanation

The OpenID Connect request must have a scope with a non empty string.

Action

Make sure that the OpenID Connect request has a valid scope parameter.

CWOAU0066E: The token endpoint request failed because of too many requests from the same user.

Explanation

The same user has too many active sessions with the same OAuth20 provider.

Action

Either increase the value of the userClientTokenLimit attribute in the configuration to increase the size of the token cache, or use a different user/client combination, such as a different client.

CWOAU0067E: The request has been denied by the user, or another error occurred that resulted in denial of the request.

Explanation

The user has either denied the OAuth request by canceling the request on the scope consent form, or some other error has occurred that has denied access to the OAuth request.

Action

The user must allow the OAuth provider to share the scopes that the client requires in order for the OAuth request to succeed. If the user approved the request, check the logs on the OAuth provider for any additional errors.

CWOAU0068E: The request on the OpenID Connect authorization endpoint by client [{0}] failed. No scopes are registered for this client.

Explanation

The client configuration must contain a list of scopes allowed for the client, otherwise the OpenID Connect authorization requests fail.

Action

Make sure you register a list of scopes in the client configuration of the OpenID Connect Provider. Set the scope to the allowed scopes or to ALL_SCOPES in the case where all scopes are acceptable.

CWOAU0069E: The resource owner could not be verified. Either the resource owner: {0} or password is incorrect.

Explanation

The OAuth provider could not verify the resource owner.

Action

Check that the resource owner name and password are valid.

CWOAU0070E: A client provider was not found for the OAuth provider.

Explanation

There might have been a problem initializing the client stores for this OAuth provider.

Action

Check the server logs to ensure that the OAuth provider was initialized correctly.

CWOAU0071E: A public client attempted to access the {0} endpoint using the {1} grant type. This grant type can only be used by confidential clients. The client_id is: {2}

Explanation

An OAuth public client is not allowed to use the the specified grant type for this endpoint. Only confidential clients are allowed to use the specified grant type.

Action

Check the value of the grant_type parameter in the OAuth request and use a different grant type for the public client.

CWOAU0072E: The request parameter [{0}] contains an invalid value [{1}]. The valid values are [{2}] as defined by the configuration attribute [{3}].

Explanation

The indicated value of the specific parameter in the OAuth request is not valid. The valid values are listed in the indicated attribute of the server configuration.

Action

Make sure the values in the request parameter are valid.

CWOAU0073E: An authentication error occurred. Try closing the web browser and authenticating again, or contact the site administrator if the problem persists.

Explanation

The request might be missing information, the server might have encountered an internal error, or some other error may have prevented the server from successfully authenticating the user.

Action

Contact the system administrator to resolve the problem.

CWOAU0074E: The application password exchange request for the {0} user was not completed because the OAuth provider could not verify the application password. The application password is either incorrect, expired, or revoked, or the provided client ID or user ID is not valid.

Explanation

The OAuth provider was not able to verify the application password.

Action

Confirm that the application password is valid, is not expired, and was not revoked. Also, confirm that the client ID in the access token is the same as the client ID in the Authorization header.

CWOAU0075W: The OAuth client [{0}] is configured to allow application passwords to be requested but the provider [{1}] is not configured to process them. This might cause an authentication failure. Set the passwordGrantRequiresAppPassword OAuth provider configuration attribute to true if application passwords are used.

Explanation

The current configuration might be incorrect.

Action

Correct the configuration if necessary.

CWOAU0076W: The OAuth client [{0}] is not configured to allow application passwords to be requested but the provider [{1}] is configured to process them. This might cause an authentication failure. Set the passwordGrantRequiresAppPassword OAuth provider configuration attribute to false if application passwords are not used.

Explanation

The current configuration might be incorrect.

Action

Correct the configuration if necessary.

CWOAU0077E: The application password created for client [{0}] cannot be used with client [{1}].

Explanation

The application password was created with a used_by parameter that indicated an intended client, but it has been submitted to a different client.

Action

Issue the request again with an application password that is valid for the specified client.

CWOAU0078E: An attempt was made to revoke an application password or application token at the revocation endpoint. This action is not allowed.

Explanation

Application passwords or application tokens must be revoked by using the app-passwords or app-tokens endpoints.

Action

Issue the request again with the URI for the appropriate endpoint to revoke application passwords or application tokens.

CWOAU0079E: The code_challenge_method parameter in the request contains an unsupported transform algorithm: [{0}]. The supported transform algorithms are: plain, S256.

Explanation

The OAuth provider does not support the specified transform algorithm.

Action

Use one of the transform algorithms shown in the message.

CWOAU0080E: The code_verifier length is [{0}]. code_verifier length must be between 43 and 128 characters.

Explanation

The code_verifier should have a minimum length of 43 characters and a maximum length of 128 characters.

Action

Send the authorization and token requests again with the updated code_verifier that meets the specified length.

CWOAU0081E: The code_challenge [{0}] and code_verifier [{1}] do not match.

Explanation

The OAuth provider uses the code_challenge_method specified in the authorization request and transforms the code_verifier unless the code_challenge_method is plain. The transformed value should match with the code_challenge in the authorization request.

Action

Make sure to send the matching code_challenge and code_verifier and the correct transformation algorithm with the authorization and token requests.

CWOAU0082E: The [{0}] user and [{1}] OAuth client reached the maximum number ([{2}]) of access tokens that can be created by using refresh tokens. A new access token cannot be created with the provided refresh token.

Explanation

An OAuth client and user combination can request a limited number of access tokens using refresh tokens. A new access token cannot be created.

Action

Increase the number of access tokens that can be issued through refresh tokens. Alternatively, revoke some of the existing access tokens for the user and OAuth client that is specified in the message.