"Access to the requested resource is denied" with Suomi.fi authentication (SSO 8.9.x)
Problem
If you are using SSO version 8.9.x and have performed key rotation, you get an Internal Server Error in the browser when you try to use the Suomi.fi authentication method.
Diag logs:
2022-03-11 13:04:58,078 protocol [11.88.10.98] AuthorizationServlet com.ubisecure.ubilogin.sso.ui.conversation.authn.AccessDeniedException: Access to the requested resource is denied
    at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:428)
    at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:398)
    at com.ubisecure.ubilogin.sso.ui.servlet.AbstractMainServlet.main(AbstractMainServlet.java:201)
Solution
This kind of error occurs if no key is configured as an encryption key. This means that all keys are configured as signing keys, while the integration with Suomi.fi is probably configured to use encryption.
You can check whether a key has been given only the signing usage ("use": "sig") with the GET request below:
curl -H "Authorization: Bearer XXXXXX" -X GET https://HOSTNAME/uas/oauth2/metadata.jwks --insecure
HTTP 200 Response
You can remove the usage with the following command:
curl -H "Authorization: Bearer XXXXXX" -X PUT https://HOSTNAME/sso-api/credential/System/ServerKeyContainer/sig-key1 -d "use= " --insecure
HTTP 200 Response
Now the same key will be used as an encryption key as well as a signing key.
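The check from the Solution section as a script, added here as an example and not part of the original article or Ubisecure's own code: it parses a saved metadata.jwks response and reports whether any key can serve as an encryption key. The two JWKS documents are constructed, the kid values are hypothetical (the article does not say that kid matches the credential name), and treating a key without "use" as usable for both purposes follows the article's description.

```python
import json

# Constructed metadata.jwks responses (placeholder key material, not real keys).
# The kid values are hypothetical; "sig-key1" mirrors the credential name in the article.
JWKS_BEFORE = """{"keys": [
  {"kty": "RSA", "kid": "sig-key1", "use": "sig", "n": "constructed", "e": "AQAB"},
  {"kty": "RSA", "kid": "sig-key2", "use": "sig", "n": "constructed", "e": "AQAB"}
]}"""
JWKS_AFTER = """{"keys": [
  {"kty": "RSA", "kid": "sig-key1", "n": "constructed", "e": "AQAB"},
  {"kty": "RSA", "kid": "sig-key2", "use": "sig", "n": "constructed", "e": "AQAB"}
]}"""


def classify_keys(jwks_text):
    """Group the keys of a JWKS document by their "use" member (RFC 7517)."""
    keys = json.loads(jwks_text).get("keys", [])
    groups = {"sig_only": [], "enc_only": [], "unrestricted": [], "other": []}
    for index, key in enumerate(keys):
        label = key.get("kid") or f"<key #{index}>"
        use = str(key.get("use") or "").strip()
        if use == "sig":
            groups["sig_only"].append(label)
        elif use == "enc":
            groups["enc_only"].append(label)
        elif use == "":
            # Assumption from the article: a key with no usage serves both purposes.
            groups["unrestricted"].append(label)
        else:
            groups["other"].append(label)
    return groups


def has_encryption_key(jwks_text):
    """True if at least one key is usable for encryption."""
    groups = classify_keys(jwks_text)
    return bool(groups["enc_only"] or groups["unrestricted"])


if __name__ == "__main__":
    for name, text in (("before", JWKS_BEFORE), ("after", JWKS_AFTER)):
        print(name, classify_keys(text), "encryption key:", has_encryption_key(text))
```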