Troubleshooting
Problem
Please note that, there is a significant change in the DataPower code (for handing scope validation for a Third-party OAuth Provider) from the following DataPower versions: 10.5.0.6, 10.5.1.x, 10.0.1.14 and onward.
Current behavior:
When you configure a third-party OAuth Provider, we don’t perform any scope validations from the Introspection endpoint response even if it is returning scopes.
Symptom
With these new changes being in place, whenever clients are upgrading DataPower to the above versions or later, they might experience an error for the existing API calls (Protected by a third-party OAuth), depending on how this has been configured.
The error message might look like this:
{"httpCode":"401","httpMessage":"Unauthorized","moreInformation":"Cannot pass the security checks that are required by the target API or operation, Enable debug headers for more details."}
{"httpCode":"401","httpMessage":"Unauthorized","moreInformation":"Cannot pass the security checks that are required by the target API or operation, Enable debug headers for more details."}
If you have enabled a debug header in the OAuth Provider settings and passing it in the request: “apim-debug:true”, you might be able to see additional debug messages being returned in the response like below:
< X-APIC-Debug-OAuth-Error: access_denied
< X-APIC-Debug-OAuth-Error-Desc: Scope is not allowed
< WWW-Authenticate: Bearer error='invalid_token'
< X-APIC-Debug-OAuth-Error: access_denied
< X-APIC-Debug-OAuth-Error-Desc: Scope is not allowed
< WWW-Authenticate: Bearer error='invalid_token'
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMNED","label":"IBM API Connect"},"ARM Category":[{"code":"a8m50000000L0rvAAC","label":"API Connect"}],"ARM Case Number":"TS013804039","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Log InLog in to view more of this document
This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.
Was this topic helpful?
Document Information
Modified date:
18 August 2023
UID
ibm17027794