08.20.2018

Troubleshooting Federation with Fiddler

Part 3 of 3 – Debug OAuth2 and OpenID Connect Federation Issues

Fiddler is simply the best tool to debug federation issues. Optimal IdM has just released a white paper on this which you can download from our website. This is part three of a three-part blog series on this topic. In part one we covered how to use Fiddler to debug WS-Federation issues. In part two we covered how to use Fiddler to debug SAML 2.0 federation issues. Here in part 3 we will cover how to use Fiddler to debug OAuth2 and OpenID Connect federation issues.

OAuth2 and OpenID Connect define different grant types. Depending on the grant type the flow may consist of a mixture of web application (browser) requests and web service (REST) calls. The most commonly used grant is the Authorization Code grant. In this grant the user's browser is redirected to the IdP with an authentication request, and after the user authenticates the IdP redirects the browser back to the web application with an Authorization Code. The web application then makes a back-channel REST call (server to server, not through the browser) to the IdP's token endpoint to exchange the Authorization Code for an Access Token and, for OpenID Connect, an ID Token, which is a JSON Web Token (JWT).

If the Identity Provider returns an error for the Authorization Code grant request, run a Fiddler trace while reproducing the issue. Then look for a GET request to the IdP's authorization endpoint carrying the URL parameters listed below. You can see the URL parameters by selecting the request in the session list and then going to the Inspectors -> WebForms tab. The URL parameters for the OAuth2/OpenID Connect authentication request are:

  • response_type = code
  • client_id = <relying party URI, i.e. the client identifier registered in the IdP>
  • redirect_uri = <URL where the authorization code should be returned to>
  • scope = <requested authorization; must include openid for an ID Token to be issued>
  • state = <opaque value the relying party uses to tie the response back to this request>
  • nonce = <random value that the IdP echoes back in the ID Token>

Check the following:

  • Make sure the client_id value matches the relying party URI configured in the IdP.
  • Make sure the redirect_uri value matches exactly (scheme, host, port and path) what is configured for the relying party in the IdP.
  • If an ID Token is expected, make sure the scope value includes openid.
  • Make sure state and nonce are present; an IdP may reject an OpenID Connect request without a nonce.

The REST call to exchange the Authorization Code for an Access Token and/or ID Token is performed by the relying party, not by the browser. To view this exchange you must run Fiddler on the server that is performing the REST call, and that server's outbound HTTP traffic must be routed through the Fiddler proxy.

After capturing the REST call with Fiddler, look for the POST to the IdP's token endpoint. Its parameters are form-encoded in the request body rather than in the URL, so view them on the Inspectors -> WebForms tab (which shows body parameters as well as query-string parameters). The parameters are:

  • code = Authorization Code
  • client_id = <relying party URI>
  • redirect_uri = <URL where the authorization code should be returned to>
  • grant_type = authorization_code

Check the following:

  • Make sure the client_id value matches the relying party URI configured in the IdP.
  • Make sure the redirect_uri value matches what is configured for the relying party in the IdP, and that it is the same value that was sent in the authentication request.
  • Check that the Authorization Code has not been used before (a code may only be redeemed once, so a retried or replayed request fails).
  • Check that the Authorization Code has not expired (codes are typically short lived, on the order of a minute).
  • If the IdP requires client authentication at the token endpoint, check that the client_secret is present (in the body or in an Authorization: Basic header) and is the current value.
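The two parameter lists above and their checks can be run mechanically over the requests copied out of a Fiddler trace. The script below is an added example, not code from the original post or from Optimal IdM: it parses a captured authorization request URL and a captured token request body, applies every check listed above, and also ties the ID Token returned by the token endpoint back to the authentication request (aud must equal client_id, nonce must echo the one that was sent). The relying party registration, the host names (app.example.com, idp.example.com), the captured requests, the IdP's record of issued codes, the 60-second code lifetime and the sample ID Token are all constructed or assumed; the JWT decoding is for inspection only and does not verify a signature.

```python
"""Run this post's checks over OAuth2 / OpenID Connect requests captured with Fiddler.

Added example, not code from the original post or from Optimal IdM. The relying-party
registration, the captured requests, the IdP's code ledger and the ID Token are constructed.
"""
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Hypothetical relying party registration, as it would be configured in the IdP.
RP_CONFIG = {
    "client_id": "https://app.example.com/",
    "redirect_uris": {"https://app.example.com/signin-oidc"},
}
CODE_LIFETIME_SECONDS = 60  # assumed; the real lifetime is IdP-specific

# Constructed captures. The GET is visible in a trace on the user's machine; the POST to
# the token endpoint only appears in a trace taken on the relying party's own server.
AUTHZ_REQUEST_URL = (
    "https://idp.example.com/oauth2/authorize?response_type=code"
    "&client_id=https%3A%2F%2Fapp.example.com%2F"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fsignin-oidc"
    "&scope=openid+profile&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj"
)
TOKEN_REQUEST_BODY = (
    "grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA"
    "&client_id=https%3A%2F%2Fapp.example.com%2F"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fsignin-oidc"
)
# Constructed stand-in for the IdP's record of issued codes (what its logs would show).
ISSUED_CODES = {"SplxlOBeZQQYbYS6WxSbIA": {"issued_at": 1534780000, "used": False}}


def parse_form(encoded):
    """Flatten application/x-www-form-urlencoded data (query string or POST body)."""
    return {k: v[0] for k, v in parse_qs(encoded, keep_blank_values=True).items()}


def check_authorization_request(url, config):
    """Problems in the browser's GET to the authorize endpoint; an empty list means OK."""
    p = parse_form(urlsplit(url).query)
    problems = []
    if p.get("response_type") != "code":
        problems.append("response_type must be 'code' for the Authorization Code grant")
    if p.get("client_id") != config["client_id"]:
        problems.append("client_id does not match the relying party configured in the IdP")
    if p.get("redirect_uri") not in config["redirect_uris"]:
        problems.append("redirect_uri is not registered for this relying party")
    if "openid" not in p.get("scope", "").split():
        problems.append("scope lacks 'openid', so the IdP will not issue an ID Token")
    problems += ["%s is missing" % n for n in ("state", "nonce") if not p.get(n)]
    return problems


def check_token_request(body, config, issued_codes, now):
    """Problems in the relying party's POST to the token endpoint; empty list means OK."""
    p = parse_form(body)
    problems = []
    if p.get("grant_type") != "authorization_code":
        problems.append("grant_type must be 'authorization_code'")
    if p.get("client_id") != config["client_id"]:
        problems.append("client_id does not match the relying party configured in the IdP")
    if p.get("redirect_uri") not in config["redirect_uris"]:
        problems.append("redirect_uri is not registered for this relying party")
    record = issued_codes.get(p.get("code", ""))
    if record is None:
        problems.append("code was not issued by this IdP")
    else:
        if record["used"]:
            problems.append("code has already been redeemed; codes are single use")
        if now - record["issued_at"] > CODE_LIFETIME_SECONDS:
            problems.append("code has expired; codes are short lived")
    return problems


def unsigned_jwt(claims):
    """Build a constructed alg=none JWT, used here only as sample token-response input."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


def jwt_payload(token):
    """Decode a JWT payload for inspection only; this does NOT verify the signature."""
    segment = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def check_id_token(token, config, expected_nonce):
    """Tie the ID Token in the token response back to the authorization request."""
    claims = jwt_payload(token)
    problems = []
    aud = claims.get("aud")  # a string, or a list when the token has several audiences
    if config["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match client_id")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the value sent in the authorization request")
    return problems
```

To use it against a real trace, copy the authorize request URL from the session list and the token request body from the WebForms inspector into the two constants, and fill the code ledger from the IdP's log of issued codes (or simply record whether the code appears in an earlier token request in the same trace, which is the replay case). Each check function returns the list of failed checks, so an empty list is the pass condition.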

To learn more how Optimal IdM can help with your authorization and authentication issues, contact us today.