Problem: Authorization Failure during Token Issuance operation
During a WS-Trust request issuance operation, the Security Token Service returns an error.
Error Message
The following is a sample error message that can be seen in the logs:
<Error> <oracle.security.fed.controller.ApplicationController> <STS-12064> <Exception: {0} oracle.security.fed.event.EventException: oracle.security.fed.event.EventException: Authorization Failure for Relying Party=%RELYING_PARTY_ID%, Requester=%REQUESTER_ID% and User=%USER_ID%
Where:
%RELYING_PARTY_ID% indicates the Relying Party Partner ID:
- If the WS-Trust request did not contain an AppliesTo element, %RELYING_PARTY_ID% is set to MissingRP.
- If the WS-Trust request contained an AppliesTo element but it could not be mapped to a Relying Party Partner, %RELYING_PARTY_ID% is set to UnknownRP.
- If the WS-Trust request contained an AppliesTo element and it was mapped to a Relying Party Partner, %RELYING_PARTY_ID% is set to the Relying Party Partner ID.
%REQUESTER_ID% is set to the Requester Partner ID if the incoming request was mapped to a Requester Partner. If %REQUESTER_ID% is not null, it is used when evaluating the Token Issuance Policy against any Identity Condition that is present.
%USER_ID% is set to the User ID if the incoming request was mapped to a user record. If %USER_ID% is not null and %REQUESTER_ID% is null, %USER_ID% is used when evaluating the Token Issuance Policy against any Identity Condition that is present.
Issue
The Token Issuance Policy evaluation failed for one of the following reasons:
- No TokenServiceRP resource referencing the %RELYING_PARTY_ID% is defined and assigned to a Token Issuance Policy. In this case, create a TokenServiceRP resource referencing the %RELYING_PARTY_ID% and assign it to a Token Issuance Policy.
- A TokenServiceRP resource referencing the %RELYING_PARTY_ID% exists and is assigned to a Token Issuance Policy, but the policy contains conditions that are not met. In this case, review the policy rules: if the policies are correct, then the client is not allowed to request a token; otherwise, update the policies or conditions to include the client's identity.
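The following Python triage script is an added example and is not part of the Oracle documentation or product. It parses STS-12064 lines from a log, applies the placeholder rules above (MissingRP, UnknownRP, Relying Party Partner ID) and the identity precedence rule (Requester Partner ID is used when present, otherwise User ID), and maps each failure to the branch an administrator should check. The log lines are constructed samples; the literal token null for an absent Requester or User, and an optional trailing > on the message, are assumptions, since the documentation does not show how an empty value is printed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message prefix reproduced from the documented STS-12064 sample. "{0}" is a
# literal here (no str.format is applied).
_PREFIX = (
    "<Error> <oracle.security.fed.controller.ApplicationController> <STS-12064> "
    "<Exception: {0} oracle.security.fed.event.EventException: "
    "oracle.security.fed.event.EventException: Authorization Failure for "
)

# Constructed sample log lines; partner IDs and user names are made up.
SAMPLE_LOG_LINES = [
    _PREFIX + "Relying Party=MissingRP, Requester=null and User=null",
    _PREFIX + "Relying Party=UnknownRP, Requester=requester-partner-A and User=null",
    _PREFIX + "Relying Party=rp-partner-1, Requester=requester-partner-A and User=alice",
    _PREFIX + "Relying Party=rp-partner-1, Requester=null and User=alice",
    "<Notice> <some.other.logger> <message unrelated to token issuance>",
]

# Assumption: an unmapped Requester or User is printed as "null".
_NULL_TOKENS = {"null", "none", ""}

_STS12064_RE = re.compile(
    r"<STS-12064>.*?Authorization Failure for Relying Party=(?P<rp>[^,]+), "
    r"Requester=(?P<requester>.+?) and User=(?P<user>.+?)>?\s*$"
)


@dataclass
class AuthzFailure:
    relying_party: str
    requester: Optional[str]
    user: Optional[str]


def _nullable(value: str) -> Optional[str]:
    value = value.strip()
    return None if value.lower() in _NULL_TOKENS else value


def parse_sts12064(line: str) -> Optional[AuthzFailure]:
    """Return the three placeholder values from an STS-12064 line, or None."""
    m = _STS12064_RE.search(line)
    if not m:
        return None
    return AuthzFailure(
        relying_party=m.group("rp").strip(),
        requester=_nullable(m.group("requester")),
        user=_nullable(m.group("user")),
    )


def effective_identity(failure: AuthzFailure) -> Optional[str]:
    """Identity evaluated against an Identity Condition: Requester first, else User."""
    if failure.requester is not None:
        return failure.requester
    return failure.user


def diagnose(failure: AuthzFailure) -> str:
    """Map the Relying Party placeholder to the branch that needs attention."""
    if failure.relying_party == "MissingRP":
        return "MISSING_APPLIES_TO"       # request carried no AppliesTo element
    if failure.relying_party == "UnknownRP":
        return "UNKNOWN_RELYING_PARTY"    # AppliesTo not mapped to a Relying Party Partner
    return "POLICY_CHECK"                 # RP mapped; check TokenServiceRP resource and policy


_ADVICE = {
    "MISSING_APPLIES_TO": "The WS-Trust request had no AppliesTo element; the client must identify the Relying Party.",
    "UNKNOWN_RELYING_PARTY": "AppliesTo could not be mapped to a Relying Party Partner; verify the partner configuration.",
    "POLICY_CHECK": ("Verify a TokenServiceRP resource references this Relying Party and is assigned to a "
                     "Token Issuance Policy, and that the policy's Identity Condition admits the identity shown."),
}


def triage(lines: List[str]) -> List[dict]:
    """Parse every STS-12064 line and attach the diagnosis branch and advice."""
    results = []
    for line in lines:
        failure = parse_sts12064(line)
        if failure is None:
            continue
        code = diagnose(failure)
        results.append({
            "relying_party": failure.relying_party,
            "identity": effective_identity(failure),
            "code": code,
            "advice": _ADVICE[code],
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG_LINES):
        print(f"{r['relying_party']:<14} identity={r['identity']!s:<20} {r['code']}: {r['advice']}")
```

Run it against a saved log excerpt to group failures by Relying Party before opening the policy console; the POLICY_CHECK branch cannot be split further from the log alone, since the message does not say whether the TokenServiceRP resource is missing or the policy condition failed.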