I am working on a requirement to connect Azure AD with OIM for provisioning of users via SCIM.
Azure AD only supports OAuth Bearer tokens in the request.
https://docs.oracle.com/cd/E52734_01/oim/OMDEV/scim.htm#OMDEV5775 clearly shows the support of OIM to accept JWT Bearer tokens.
But, for any token, the OIM SCIM App is throwing the same error: oracle.wsm.security.SecurityException: WSM-00356 : JWT token has expired
I've generated the token using online token generators and also basic JWT knowledge.
The following token is a valid token which is easily decoded by https://jwt.ms/:
.eyJleHAiOjE1NDE3OTY3ODQsInN1YiI6InhlbHN5c2FkbSIsImlzcyI6Ind3dy5vcmFjbGUuY29tIiwicHJuIjoieGVsc3lzYWRtIiwiaWF0IjoxNTEwMTc0Mzg0fQ==.s6OLNLmYdJXF2Zj6SaTM5vPHOcKuBIcJlBvVmSATCBKnS-_qmvUYn9-8bcXDbEBo9qum2O3kF0SmbtH0u6-rx-QtNXWupf9-vbtAUVoOpm8f6X3tHVbhzBVixKYnwAZC8tN3LJ6UNOhYzxe7iOZfclmhEQILgA7I3J152gToKmU
But, no matter what value we update in the token, OIM is stuck with the same error.
The following stack trace is received in the logs:
[2017-11-10T10:43:25.680+13:00] [oim_server1] [TRACE:16] [] [oracle.wsm.security.policy.scenario.processor.HttpJwtProcessor] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005NPEldixz7y0O6yjNa6G00004y0000u1,0:2] [APP: SCIM REST service for OIM] [WSM_POLICY_NAME: oracle/multi_token_noauth_rest_service_policy] [SRC_CLASS: oracle.wsm.security.policy.scenario.processor.HttpJwtProcessor] [SRC_METHOD: verify] ENTRY
[2017-11-10T10:43:25.680+13:00] [oim_server1] [TRACE] [] [oracle.wsm.security.policy.scenario.processor.ProcessorUtils] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005NPEldixz7y0O6yjNa6G00004y0000u1,0:2] [APP: SCIM REST service for OIM] [WSM_POLICY_NAME: oracle/multi_token_noauth_rest_service_policy] [SRC_CLASS: oracle.wsm.security.policy.scenario.processor.ProcessorUtils] [SRC_METHOD: getAgentClockSkew] The clock skew not configured. Using default
[2017-11-10T10:43:25.680+13:00] [oim_server1] [TRACE] [] [oracle.wsm.security.policy.scenario.processor.ProcessorUtils] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005NPEldixz7y0O6yjNa6G00004y0000u1,0:2] [APP: SCIM REST service for OIM] [WSM_POLICY_NAME: oracle/multi_token_noauth_rest_service_policy] [SRC_CLASS: oracle.wsm.security.policy.scenario.processor.ProcessorUtils] [SRC_METHOD: getAgentExpiry] The agent expire time not configured. Using default
[2017-11-10T10:43:25.681+13:00] [oim_server1] [WARNING] [] [oracle.wsm.resources.security] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005NPEldixz7y0O6yjNa6G00004y0000u1,0:2] [APP: SCIM REST service for OIM] [WSM_POLICY_NAME: oracle/multi_token_noauth_rest_service_policy] oracle.wsm.security.SecurityException: WSM-00356 : JWT token has expired [[
oracle.wsm.security.SecurityException: WSM-00356 : JWT token has expired
at oracle.wsm.security.policy.scenario.processor.HttpJwtProcessor.verify(HttpJwtProcessor.java:341)
at oracle.wsm.security.policy.scenario.executor.HttpJwtSecurityScenarioExecutor.authenticate(HttpJwtSecurityScenarioExecutor.java:423)
at oracle.wsm.security.policy.scenario.executor.HttpJwtSecurityScenarioExecutor.receiveRequest(HttpJwtSecurityScenarioExecutor.java:212)
at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:891)
at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:45)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:482)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.executeAssertion(XORPolicyExecutor.java:1515)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.executePossibleMatchingAssertionsList(XORPolicyExecutor.java:270)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.processRequest(XORPolicyExecutor.java:205)
at oracle.wsm.policyengine.impl.runtime.XORPolicyExecutor.execute(XORPolicyExecutor.java:169)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeXorAssertion(WSPolicyRuntimeExecutor.java:443)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:368)
at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:321)
at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:175)
at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:1114)
at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:516)
at oracle.wsm.agent.handler.servlet.SecurityFilter.doFilter(SecurityFilter.java:222)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:138)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:464)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:121)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:211)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at oracle.security.wls.filter.SSOSessionSynchronizationFilter.doFilter(SSOSessionSynchronizationFilter.java:296)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:60)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3748)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3714)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2283)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2182)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1491)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
]]
[2017-11-10T10:43:25.684+13:00] [oim_server1] [NOTIFICATION] [WSM-00328] [oracle.wsm.resources.security] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 005NPEldixz7y0O6yjNa6G00004y0000u1,0:2] [APP: SCIM REST service for OIM] [WSM_POLICY_NAME: oracle/multi_token_noauth_rest_service_policy] Incoming request did not have a valid authentication token. Service will send a 401 Challenge in response to the client with WWW-Authenticate header.
Any help would be appreciated.
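To see what a verifier actually has to work with, here is an added Python example (not from the question, and not OIM/OWSM code) that decodes the token posted above, flags its structural defects, and evaluates the exp/iat claims at the timestamp of the first log line. The 300 s clock skew and the optional maximum token age are illustrative assumptions, not OWSM's configured values.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Token exactly as posted in the question: note the empty header segment before
# the first '.' and the '==' padding, neither of which RFC 7515 allows.
POSTED_TOKEN = (
    ".eyJleHAiOjE1NDE3OTY3ODQsInN1YiI6InhlbHN5c2FkbSIsImlzcyI6Ind3dy5vcmFjbGUuY29tIiwi"
    "cHJuIjoieGVsc3lzYWRtIiwiaWF0IjoxNTEwMTc0Mzg0fQ=="
    ".s6OLNLmYdJXF2Zj6SaTM5vPHOcKuBIcJlBvVmSATCBKnS-_qmvUYn9-8bcXDbEBo9qum2O3kF0SmbtH0u6"
    "-rx-QtNXWupf9-vbtAUVoOpm8f6X3tHVbhzBVixKYnwAZC8tN3LJ6UNOhYzxe7iOZfclmhEQILgA7I3J152gToKmU"
)
# Epoch seconds of the first log line in the question (2017-11-10T10:43:25+13:00).
LOG_TIME = int(datetime(2017, 11, 10, 10, 43, 25, tzinfo=timezone(timedelta(hours=13))).timestamp())

def b64url_decode(segment):
    """Decode base64url, tolerating the '=' padding the posted token carries."""
    stripped = segment.rstrip("=")
    return base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))

def split_jwt(token):
    """Return header and claims dicts plus the structural problems found."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 segments, got %d" % len(parts))
    header_b64, claims_b64, sig_b64 = parts
    problems = []
    if not header_b64:
        problems.append("empty header: no 'alg', so a verifier cannot select a key")
    for name, seg in (("header", header_b64), ("payload", claims_b64), ("signature", sig_b64)):
        if "=" in seg:
            problems.append(name + " segment carries '=' padding (RFC 7515 forbids it)")
    header = json.loads(b64url_decode(header_b64)) if header_b64 else {}
    return {"header": header, "claims": json.loads(b64url_decode(claims_b64)), "problems": problems}

def check_time_claims(claims, now, skew=300, max_age=None):
    """Evaluate exp/nbf/iat at epoch second 'now'; return reasons to reject (empty = OK).
    skew and max_age are illustrative assumptions, not OWSM's configured values."""
    reasons = []
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if exp is None:
        reasons.append("no exp claim")
    elif now > exp + skew:
        reasons.append("expired %ds ago" % (now - exp))
    if nbf is not None and now + skew < nbf:
        reasons.append("not yet valid (nbf in the future)")
    if iat is not None and iat > now + skew:
        reasons.append("iat is in the future")
    elif iat is not None and max_age is not None and now - iat > max_age:
        reasons.append("issued %ds ago, older than max age %ds" % (now - iat, max_age))
    return reasons
```

At the log timestamp the decoded exp (1541796784, November 2018) is still a year away, so a plain exp check passes; what the decode does surface is a token with no header at all and an iat roughly 24.8 hours old, which is what to compare against the verifier's own lifetime and skew settings.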