It's all about the answers!

Ask a question
QuestionsTagsUsersBadges
Guidelines | FAQ
Follow this question
Question details

×7,449
×6,106
×1,278
×28
×3
×1

question asked: Sep 10, 7:00 a.m.
question was seen: 90 times
last updated: Sep 10, 6:48 p.m.

Related questions

CWWKS1708E: Unable to Contact OpenID Connect Provider – Certificate Issue

0
Riyas Aslam M (112) | asked Sep 10, 7:00 a.m.

Hello,

I’m facing an issue while setting up OpenID Connect (OIDC) with Google as the provider in my Liberty/JAS environment. The error message I’m encountering is:

CWWKS1708E: The OpenID Connect client [766940859173-mnphhuhn2ku0trr1e5bvl8rugcbdi6e2.apps.googleusercontent.com] is unable to contact the OpenID Connect provider at [https://oauth2.googleapis.com/token] to receive an ID token due to [java.security.cert.CertificateException: unable to find valid certification path to requested target].

It seems that the client is unable to establish a trust relationship with the Google OIDC provider due to a certificate issue. Below is the configuration I am using for the OIDC login:

<oidcLogin id="jazzop" displayName="OIDC Login"
    clientId="*********"
    clientSecret="*********"
    authorizationEndpoint="https://accounts.google.com/o/oauth2/v2/auth"
    signatureAlgorithm="RS256"
    trustStoreRef="defaultTrustStore"
    scope="openid profile email"
    userNameAttribute="email"
    mapToUserRegistry="true">
</oidcLogin>

Steps Taken:

  1. I've confirmed that the root certificate used by oauth2.googleapis.com is not in the truststore.
  2. I attempted to download the necessary Google Root CA certificate but am unsure if I’m downloading the correct one or how to import it properly into my truststore.

My Environment:

  • Liberty/JAS server
  • Using defaultTrustStore for certificate management
  • OIDC provider: Google

Could anyone guide me on:

  1. Identifying and downloading the correct certificate for the Google OIDC provider?
  2. Importing this certificate into the correct truststore ( defaultTrustStore )?
  3. Verifying that the truststore is properly configured to resolve this issue?

Any advice would be greatly appreciated. Thanks!


One answer

Most liked answers ↑|Newest answers|Oldest answers

1
permanent link
Davyd Norris (2.5k217) | answered Sep 10, 6:48 p.m.
You're definitely on the right path there. You need to load the correct certificate chain (and Google will have multiple intermediate certificates as well as a root) into the correct CA root store being used by the JAS server to run. 

Note that this is likely not the truststore you are using, but the cacerts in the Java JRE directory that's running the server (usually <JDK>/jre/lib/security).

With regard to the certificates you need, you can use a web browser and hit any of the URLS in your question above, and examine the certificate information for accounts.google.com. You will be able to open the certificate and see the whole chain required, and even be able to export them as files from your browser

Your answer

Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.