Hey all,
I’m trying to switch our applications from Basic Authentication to Client Credentials Flow.
We have set up an IAM Client and I’m able to obtain a token from IFS via:
https://<SYSTEM_URL>/auth/realms/<NAMESPACE>/protocol/openid-connect/token
Of course, the link is filled with our data.
In Postman, and with the same app (same code) running in my local development environment, I can call IFS and get data without any problems using this token.
However, after deploying the new integration to our test server, I started getting 401 Unauthorized responses.
I have verified that the application on the test server is also able to obtain a token from:
https://<SYSTEM_URL>/auth/realms/<NAMESPACE>/protocol/openid-connect/token
But when the app sends a GET request to an IFS endpoint using that exact same token, we receive the following error:
Status: 401 Unauthorized
WWW-Authenticate: Bearer realm="<secret>@https://login.microsoftonline.com/<secret>", scope="openid", authorization_uri="https://login.microsoftonline.com/<secret>", error="invalid_token", error_description="a6fe5534-fc26-4758-bb43-ffdcbe51ba15: Signature of the provided id token could not be validated against the public signing keys of the identity provider."
I have logged the call and it is using a good token whose iss is pointing to https://<SYSTEM_URL>/auth/realms/<NAMESPACE>/protocol/openid-connect/token
So it looks like we can successfully obtain a token from IFS, but when we try to call an IFS endpoint, IFS reports that the token cannot be validated.
My questions are:
- Why is IFS trying to validate this token against Azure AD (login.microsoftonline.com)?
- Why does this issue occur only on the test environment?
Could you please advise what might be misconfigured on the IFS / IAM side?
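A first diagnostic for a 401 like the one above is to look at the token the deployed app actually puts in the Authorization header, not the one Postman sends, and compare its header and claims with what the resource server should be validating against. The script below is an added example and is not part of the original post or of any IFS/Keycloak code. It decodes a compact JWT without verifying the signature (that remains the server's job) and reports mismatches: an iss that is not the expected Keycloak realm, a missing kid (the server cannot select a key from the realm's JWKS without one), an unsigned alg, an expired or not-yet-valid token, and a payload typ of "ID", which in Keycloak marks an ID token rather than the access_token a bearer call needs. The realm URL, client name and the two sample tokens are constructed for the demonstration; a real Keycloak realm's iss is the realm base URL (https://<SYSTEM_URL>/auth/realms/<NAMESPACE>), so that is what the checker expects.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, claims).

    The signature is NOT checked: this is an inspection aid for debugging a
    401, not a validator. Never use it to grant access.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_bearer_token(token: str, expected_issuer: str,
                       now: Optional[float] = None) -> List[str]:
    """Return mismatches between the token and what a resource server bound to
    `expected_issuer` would validate against. An empty list means the visible
    fields look right; the server still has to verify the signature."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    findings: List[str] = []
    if claims.get("iss") != expected_issuer:
        findings.append(f"iss is {claims.get('iss')!r}, expected {expected_issuer!r}")
    if header.get("alg", "none").lower() == "none":
        findings.append("alg is 'none'; the token is unsigned")
    if "kid" not in header:
        findings.append("header has no kid; the server cannot pick a key from the JWKS")
    # Keycloak sets typ=Bearer on access tokens and typ=ID on ID tokens
    # (assumes the realm uses Keycloak defaults).
    if claims.get("typ") == "ID":
        findings.append("this is an ID token, not an access token; send the access_token")
    if "exp" in claims and claims["exp"] <= now:
        findings.append("token is expired")
    if "nbf" in claims and claims["nbf"] > now:
        findings.append("token is not yet valid (nbf is in the future)")
    return findings


def make_constructed_token(header: Dict, claims: Dict) -> str:
    """Build a token with a dummy signature, for offline demonstration only."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Hypothetical realm and client names; replace with the real ones when debugging.
REALM_ISSUER = "https://ifs.example.test/auth/realms/acme"

# Constructed sample 1: what a Keycloak client-credentials access token looks like.
GOOD_TOKEN = make_constructed_token(
    {"alg": "RS256", "typ": "JWT", "kid": "realm-key-1"},
    {"iss": REALM_ISSUER, "aud": "ifs", "typ": "Bearer",
     "azp": "my-integration", "exp": 4102444800},
)

# Constructed sample 2: a token minted by a different identity provider.
WRONG_ISSUER_TOKEN = make_constructed_token(
    {"alg": "RS256", "typ": "JWT", "kid": "aad-key-1"},
    {"iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
     "aud": "ifs", "exp": 4102444800},
)

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("wrong issuer", WRONG_ISSUER_TOKEN)]:
        print(name, "->", check_bearer_token(tok, REALM_ISSUER) or "no findings")
```

Run it on the test server against the exact header value the deployed app logs (the part after `Bearer `), with `expected_issuer` set to your realm URL. If the iss and kid match the realm, the next thing to compare is the kid against the keys the realm publishes at /auth/realms/<NAMESPACE>/protocol/openid-connect/certs; a kid the realm does not publish, or a token that passes these checks but is still rejected with a login.microsoftonline.com realm in WWW-Authenticate, points at the resource server's validation configuration rather than at the token itself.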