Product: TIBCO Spotfire®
TIBCO Spotfire Server fails to start to authenticate against OpenID Connect with error message 'No 'code' parameter given'
You may see the following error message in the Admin UI when OpenID Connect authentication is enabled on the TIBCO Spotfire Server with Okta as Identity Provider.
'Could not login, contact your administrator'
Below error message can be seen in server.log:
WARN 2019-11-08T16:42:12,951+0000 [unknown, #50, #9048] auth.oidc.OidcAuthenticator: OpenID Connect authentication failed
com.spotfire.server.security.auth.oidc.OidcException: No 'code' parameter given
at com.spotfire.server.security.auth.oidc.OidcAuthenticator.authenticate(OidcAuthenticator.java:306) ~[spotfire-server.jar:?]
at com.spotfire.server.security.AuthenticationManager.doAuthenticate(AuthenticationManager.java:406) ~[spotfire-server.jar:?]
at com.spotfire.server.security.AuthenticationManager.authenticateNonAnonymously(AuthenticationManager.java:356) ~[spotfire-server.jar:?]
at com.spotfire.server.security.AuthenticationManager.authenticateFrontend(AuthenticationManager.java:221) ~[spotfire-server.jar:?]
at com.spotfire.server.security.AuthenticationManager.authenticate(AuthenticationManager.java:205) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$AuthenticationFilter.attemptAuthentication(SecurityFilter.java:444) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$AuthenticationFilter.doFilter(SecurityFilter.java:241) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:978) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1007) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$UserDataConstraintFilter.doFilter(SecurityFilter.java:852) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:978) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1007) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$ConnectorFilter.doFilter(SecurityFilter.java:812) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$InternalFilter.doFilter(SecurityFilter.java:978) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter$InternalFilterChain.doFilter(SecurityFilter.java:1007) ~[spotfire-server.jar:?]
at com.spotfire.server.security.SecurityFilter.doFilter(SecurityFilter.java:159) ~[spotfire-server.jar:?]
.......
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[catalina.jar:9.0.17]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408) ~[tomcat-coyote.jar:9.0.17]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-coyote.jar:9.0.17]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834) ~[tomcat-coyote.jar:9.0.17]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415) ~[tomcat-coyote.jar:9.0.17]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.17]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[?:1.8.0_201]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[?:1.8.0_201]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.17]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_201]
The reason why it returned "No code parameter" is due to the prompt parameter value set in OpenID configuration. Setting prompt parameter with the value 'none' means that there is no active session from Identity Provider side (the End-User is not already Authenticated in Okta) to authenticate silently.
<auth-request-prompt-value>none</auth-request-prompt-value>
If you want to use the 'none' parameter then you should ensure to establish the session in Okta and then login with Spotfire. If not, you can change the parameter to 'login' so that the Spotfire Server attempts to Authenticate the End-User even if the End-User is already authenticated.
<auth-request-prompt-value>login</auth-request-prompt-value>Doc: Advanced OpenID Connect Settings
Comments
0 comments
Article is closed for comments.