"Access to the requested resource is denied" with Suomi.fi authentication (SSO 8.9.x)

Problem

If you are using SSO version 8.9.x and have performed key rotation, the suomi.fi authentication method fails with an Internal Server Error in the browser.


Diag logs:

2022-03-11 13:04:58,078 protocol [11.88.10.98] AuthorizationServlet
com.ubisecure.ubilogin.sso.ui.conversation.authn.AccessDeniedException: Access to the requested resource is denied
	at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:428)
	at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:398)
	at com.ubisecure.ubilogin.sso.ui.servlet.AbstractMainServlet.main(AbstractMainServlet.java:201)

Solution

This error occurs when no key is configured as an encryption key. This means that all keys are configured as signing keys only, while the integration with suomi.fi is probably configured to use encryption, so there is no key available to decrypt what suomi.fi sends.

You can check whether a key has been restricted to signing only ("use": "sig") with the following GET request:

curl -H "Authorization: Bearer XXXXXX" -X GET https://HOSTNAME/uas/oauth2/metadata.jwks --insecure

HTTP 200 Response

 Successfully Fetched key details
{
    "keys": [
        {
            "use": "sig",
            "kid": "sig-key1",
            "kty": "RSA",
            "n": "... redacted ...",
            "e": "AQAB"
        }
    ]
}

You can remove the usage restriction with the following command (an empty "use" value clears the restriction):

curl -H "Authorization: Bearer XXXXXX" -X PUT https://HOSTNAME/sso-api/credential/System/ServerKeyContainer/sig-key1 -d "use= " --insecure

HTTP 200 Response

 Successfully created or updated a key

Accept: application/json

Fields of the key object returned by the credential API:

Field                    Type          Description
type                     string        The type of the object. Currently this is always set to credential.
id                       string        The unique id of the key.
attributes.name          string        The name of the key.
attributes.kty           string        The type of the key, for example RSA.
attributes.kid           string        The key identifier as defined by RFC 7517 (JSON Web Key).
attributes.use           string        The usage of the key as defined by RFC 7517 (JSON Web Key). Valid values are:
                                         • enc - for encryption
                                         • sig - for signing
attributes.enabled       boolean       Denotes whether the key is enabled or not.
attributes.notBefore     datetime      The epoch timestamp after which the key is valid.
attributes.notOnOrAfter  datetime      The epoch timestamp after which the key is not valid.
attributes.description   string array  A human-readable description of the key.

Now the same key will be used as an encryption key as well as a signing key, and suomi.fi authentication works again.
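As an added example (not Ubisecure's code), the script below automates the check described above: it fetches or takes a JWKS document, lists which keys are signing-only and which can be used for encryption, and reports the failure mode from this article when no key can decrypt. The metadata.jwks path and bearer-token header are assumed from the curl command above; the sample JWKS is constructed.

```python
# Added example: audit a JWKS for encryption-capable keys (not Ubisecure's own code).
# Per RFC 7517, a key with no "use" member is unrestricted (usable for both signing
# and encryption); a key with "use": "sig" is signing-only and cannot decrypt.
import json
import ssl
import urllib.request

# Constructed sample resembling the metadata.jwks output in the article:
# one signing-only key plus one unrestricted key.
SAMPLE_JWKS = {
    "keys": [
        {"use": "sig", "kid": "sig-key1", "kty": "RSA", "n": "redacted", "e": "AQAB"},
        {"kid": "key2", "kty": "RSA", "n": "redacted", "e": "AQAB"},
    ]
}

def encryption_capable_kids(jwks):
    """Kids of keys that may be used for encryption ("use" is "enc" or absent)."""
    return [k.get("kid", "<no kid>") for k in jwks.get("keys", [])
            if k.get("use") in (None, "enc")]

def signing_only_kids(jwks):
    """Kids of keys restricted to signing; these can never decrypt."""
    return [k.get("kid", "<no kid>") for k in jwks.get("keys", [])
            if k.get("use") == "sig"]

def diagnose(jwks):
    """One-line verdict; 'BROKEN' is the state that produces AccessDeniedException."""
    enc = encryption_capable_kids(jwks)
    if enc:
        return "OK: encryption-capable keys: " + ", ".join(enc)
    return ("BROKEN: no encryption-capable key; signing-only keys: "
            + ", ".join(signing_only_kids(jwks))
            + " (clear 'use' on one key or add a key with use=enc)")

def fetch_jwks(hostname, bearer_token, verify_tls=True):
    """GET https://HOSTNAME/uas/oauth2/metadata.jwks (path assumed from the article)."""
    req = urllib.request.Request(
        f"https://{hostname}/uas/oauth2/metadata.jwks",
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl --insecure; keep TLS verification on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    print(diagnose(SAMPLE_JWKS))
    print(diagnose({"keys": [SAMPLE_JWKS["keys"][0]]}))  # only sig-key1: BROKEN
```

Run it against a live host with `diagnose(fetch_jwks("HOSTNAME", "XXXXXX"))`; a BROKEN verdict after key rotation is the condition this article's PUT command fixes.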