47.1 Authorization Issues

Problem: Authorization Failure during Token Issuance operation

During a WS-Trust token issuance request, the Security Token Service returns an authorization error.

Error Message

The following are sample error messages that can be seen in the logs:

<Error> <oracle.security.fed.controller.ApplicationController> <STS-12064> <Exception: {0}
oracle.security.fed.event.EventException: oracle.security.fed.event.EventException: Authorization Failure for Relying Party=%RELYING_PARTY_ID%, Requester=%REQUESTER_ID% and User=%USER_ID%

Where:

  • %RELYING_PARTY_ID% indicates the Relying Party Partner ID.

    • If the WS-Trust request did not contain an AppliesTo element, then %RELYING_PARTY_ID% is set to MissingRP.

    • If the WS-Trust request contained an AppliesTo element but it could not be mapped to a Relying Party Partner, then %RELYING_PARTY_ID% is set to UnknownRP.

    • If the WS-Trust request contained an AppliesTo element and it was mapped to a Relying Party Partner, then %RELYING_PARTY_ID% is set to the Relying Party Partner ID.

  • %REQUESTER_ID% is set to the Requester Partner ID if the incoming request was mapped to a Requester Partner. If %REQUESTER_ID% is not null, it is the identity used when evaluating the Token Issuance Policy against any Identity Condition present.

  • %USER_ID% is set to the User ID if the incoming request was mapped to a user record. If %USER_ID% is not null and %REQUESTER_ID% is null, it is the identity used when evaluating the Token Issuance Policy against any Identity Condition present.

Issue

The Token Issuance Policy evaluation failed due to one of the following reasons:

  • No TokenServiceRP resource referencing the %RELYING_PARTY_ID% is defined and assigned to a Token Issuance Policy. In this case, create a TokenServiceRP resource referencing the %RELYING_PARTY_ID% and assign it to a Token Issuance Policy.

  • A TokenServiceRP resource referencing the %RELYING_PARTY_ID% exists and is assigned to a Token Issuance Policy, but the policy contains conditions that are not met. In this case, review the policy rules: if the policies are correct, then the client is not allowed to request a token; otherwise, update the policies/conditions to include the client's identity.
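As an added illustration (not code from Oracle Access Management or from this guide), the following Python model ties together how the error's placeholders are derived and how the two failure reasons above arise from the Token Issuance Policy check; the partner mapping, the policy shape and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MISSING_RP = "MissingRP"   # request carried no AppliesTo element
UNKNOWN_RP = "UnknownRP"   # AppliesTo present but not mapped to a Relying Party Partner

@dataclass
class WsTrustRequest:
    applies_to: Optional[str] = None    # AppliesTo URI, None when the element is absent
    requester_id: Optional[str] = None  # Requester Partner ID, if the request was mapped
    user_id: Optional[str] = None       # User ID, if the request was mapped to a user record

@dataclass
class TokenIssuancePolicy:
    rp_resources: frozenset                         # TokenServiceRP resources (Relying Party IDs)
    identity_condition: Optional[frozenset] = None  # allowed identities; None = no condition

def resolve_relying_party(req, rp_partners):
    """Derive %RELYING_PARTY_ID%: MissingRP, UnknownRP or the mapped partner ID."""
    if req.applies_to is None:
        return MISSING_RP
    return rp_partners.get(req.applies_to, UNKNOWN_RP)

def evaluation_identity(req):
    """Requester ID takes precedence; User ID is used only when no requester was mapped."""
    return req.requester_id if req.requester_id is not None else req.user_id

def evaluate(req, rp_partners, policies):
    """Return (authorized, rp_id, cause); cause distinguishes the two failure reasons."""
    rp_id = resolve_relying_party(req, rp_partners)
    identity = evaluation_identity(req)
    # Reason 1: no policy holds a TokenServiceRP resource for this Relying Party ID.
    matching = [p for p in policies if rp_id in p.rp_resources]
    if not matching:
        return False, rp_id, "no TokenServiceRP resource for this Relying Party"
    # Reason 2: a resource exists, but no matching policy's conditions admit the identity.
    for policy in matching:
        if policy.identity_condition is None or identity in policy.identity_condition:
            return True, rp_id, "authorized"
    return False, rp_id, "policy conditions not met for identity %r" % identity

# Constructed sample configuration (assumption, not from the page): one mapped partner
# and one policy whose Identity Condition admits a requester partner and one user.
RP_PARTNERS = {"https://app.example.test/sts": "ExampleRP"}
POLICIES = [TokenIssuancePolicy(frozenset({"ExampleRP"}),
                                frozenset({"PartnerA", "alice"}))]
```

A request mapped to requester PartnerB on behalf of user alice is still refused, because the Requester ID, not the User ID, is what the Identity Condition is evaluated against.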