
CWWKS1708E: Unable to Contact OpenID Connect Provider – Certificate Issue

Hello,

I’m facing an issue while setting up OpenID Connect (OIDC) with Google as the provider in my Liberty/JAS environment. The error message I’m encountering is:

CWWKS1708E: The OpenID Connect client [766940859173-mnphhuhn2ku0trr1e5bvl8rugcbdi6e2.apps.googleusercontent.com] is unable to contact the OpenID Connect provider at [https://oauth2.googleapis.com/token] to receive an ID token due to [java.security.cert.CertificateException: unable to find valid certification path to requested target].

It seems that the client is unable to establish a trust relationship with the Google OIDC provider due to a certificate issue. Below is the configuration I am using for the OIDC login:

<oidcLogin id="jazzop" displayName="OIDC Login"
    clientId="*********"
    clientSecret="*********"
    authorizationEndpoint="https://accounts.google.com/o/oauth2/v2/auth"
    signatureAlgorithm="RS256"
    trustStoreRef="defaultTrustStore"
    scope="openid profile email"
    userNameAttribute="email"
    mapToUserRegistry="true">
</oidcLogin>

Steps Taken:

  1. I've confirmed that the root certificate used by oauth2.googleapis.com is not in the truststore.
  2. I attempted to download the necessary Google Root CA certificate but am unsure if I’m downloading the correct one or how to import it properly into my truststore.

My Environment:

  • Liberty/JAS server
  • Using defaultTrustStore for certificate management
  • OIDC provider: Google

Could anyone guide me on:

  1. Identifying and downloading the correct certificate for the Google OIDC provider?
  2. Importing this certificate into the correct truststore (defaultTrustStore)?
  3. Verifying that the truststore is properly configured to resolve this issue?

Any advice would be greatly appreciated. Thanks!


0 votes



One answer

You're definitely on the right path there. You need to load the correct certificate chain (and Google will have multiple intermediate certificates as well as a root) into the correct CA root store being used by the JAS server to run.

Note that this is likely not the truststore you are using, but the cacerts in the Java JRE directory that's running the server (usually <JDK>/jre/lib/security).

With regard to the certificates you need, you can use a web browser and hit any of the URLs in your question above, and examine the certificate information for accounts.google.com. You will be able to open the certificate and see the whole chain required, and even be able to export them as files from your browser.

1 vote
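The procedure in the answer above (capture the chain the provider presents, split it into individual certificates, import them into the cacerts of the JRE that launches the server, then check that the store now validates the chain), scripted as an added example. This is not code from the forum answer or from IBM; it assumes openssl and keytool are on PATH, that JAVA_HOME is the JRE actually running the JAS/Liberty server, that the store password is the stock "changeit", and that the host name is set by the caller. The sample PEM bundle it writes is constructed with placeholder base64 so the splitter can be exercised offline; it contains no real certificates. One caveat the answer does not state: openssl s_client (like a browser) only shows the chain the server sends, which normally ends at an intermediate, so the root CA itself has to be taken from the CA's own repository (for Google Trust Services, https://pki.goog/) and the imported root should be checked against the fingerprint published there.

```sh
#!/bin/sh
# Added example for the Jazz forum thread above; not IBM's or the answerer's code.
# Assumptions: openssl + keytool on PATH, JAVA_HOME = the JRE that runs the JAS server,
# truststore password "changeit". OIDC_HOST and alias names are illustrative.
set -u

# 1. Capture the chain the server presents (leaf first, then intermediates; usually no root).
fetch_chain() {          # fetch_chain HOST OUTFILE
  host=$1; out=$2
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' >"$out"
}

# 2. Split a PEM bundle into cert-1.pem, cert-2.pem, ... and print how many were found.
split_pem_bundle() {     # split_pem_bundle BUNDLE OUTDIR
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v outdir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = outdir "/cert-" n ".pem" }
    n > 0                         { print > file }
    /-----END CERTIFICATE-----/   { close(file) }
    END                           { print n + 0 }' "$bundle"
}

# 3. Locate cacerts for the server JRE: Java 8 keeps it under jre/lib/security,
#    Java 9 and later under lib/security.
find_cacerts() {         # find_cacerts JAVA_HOME
  for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    [ -f "$p" ] && { echo "$p"; return 0; }
  done
  return 1
}

# 4. Import every certificate in CERTDIR. The alias is the cert's SHA-256 fingerprint, so
#    re-running is idempotent and two different CAs can never silently share an alias.
import_chain() {         # import_chain CERTDIR CACERTS [STOREPASS]
  certdir=$1; cacerts=$2; storepass=${3:-changeit}
  for f in "$certdir"/cert-*.pem; do
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f')
    if keytool -list -keystore "$cacerts" -storepass "$storepass" -alias "ca-$fp" >/dev/null 2>&1; then
      echo "already present: $f"; continue
    fi
    keytool -importcert -noprompt -trustcacerts -alias "ca-$fp" -file "$f" \
            -keystore "$cacerts" -storepass "$storepass"
  done
}

# 5. Check: export the store's CAs to PEM and ask openssl whether the captured leaf now
#    chains to one of them. Non-zero exit means the server will still see
#    "unable to find valid certification path to requested target".
verify_against_store() { # verify_against_store CERTDIR CACERTS [STOREPASS]
  certdir=$1; cacerts=$2; storepass=${3:-changeit}
  store_pem=$(mktemp); pool=$(mktemp)
  keytool -list -rfc -keystore "$cacerts" -storepass "$storepass" \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' >"$store_pem"
  cat "$certdir"/cert-*.pem >"$pool"   # intermediates as an untrusted pool (leaf is harmless here)
  openssl verify -CAfile "$store_pem" -untrusted "$pool" "$certdir/cert-1.pem"
}

# Constructed sample: three placeholder PEM blocks (not real certificates) for offline testing.
write_sample_bundle() {  # write_sample_bundle OUTFILE
  cat >"$1" <<'EOF'
-----BEGIN CERTIFICATE-----
TGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SW50ZXJtZWRpYXRl
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Um9vdC1DQQ==
-----END CERTIFICATE-----
EOF
}

# End-to-end run, only when the caller names a host:
#   OIDC_HOST=oauth2.googleapis.com JAVA_HOME=/opt/ibm/java sh import-chain.sh
if [ -n "${OIDC_HOST:-}" ]; then
  work=$(mktemp -d)
  fetch_chain "$OIDC_HOST" "$work/chain.pem"
  n=$(split_pem_bundle "$work/chain.pem" "$work/certs")
  echo "$OIDC_HOST presented $n certificate(s)"
  cacerts=$(find_cacerts "${JAVA_HOME:?set JAVA_HOME to the server JRE}")
  import_chain "$work/certs" "$cacerts"
  verify_against_store "$work/certs" "$cacerts" && echo "chain validates against $cacerts"
fi
```

The same functions work unchanged against a Liberty keystore path instead of the JRE cacerts (pass the .jks or .p12 file and its password to import_chain and verify_against_store), so you can fix whichever store the server actually consults. Restart the server after importing; the JVM reads cacerts at startup.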

Question asked: Sep 10 '24, 7:00 a.m.


Last updated: Sep 10 '24, 6:48 p.m.
