Troubleshooting – Access token not issued due to missing signing of Message Assertion
Scenario
You send a SAML Bearer Assertion to the OAuth token service of SAP Gateway. The response is HTTP 400 Bad Request.
Error message
{ "error": "invalid_grant", "error_description": "Provided authorization grant is invalid. Exception was Message Assertion is not signed. For more information, consult the kernel traces or the OAuth 2.0 trouble shooting SAP note 1688545" }
Root cause
The error message contains a description of the root cause for the HTTP 400: “Exception was Message Assertion is not signed.” To get more details, an OAuth trace can be performed. Additional information is described in SAP Note 1688545.
Tx: SA38 Program: SEC_TRACE_ANALYZER
Click run with variant and select SAP&OAUTH2
Click on Activate and reproduce the issue. To see the result, click on Show.
Alternative to run the report:
Tx: SE38
Program: SEC_TRACE_ANALYZER
ICF Service: /sap/bc/sec/oauth2/token
Logon Trace (got HTTP 401): Select User: OIDCLIENT (the OAuth user of type system)
Solution
Activate signing of assertions in Keycloak: open the Keycloak administration console, go to the SAML client, and activate signing of Assertions.
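To confirm the root cause before and after changing the setting, the following added example (not part of the original post, and not SAP or Keycloak code) decodes the base64url `assertion` parameter and reports whether each `saml:Assertion` carries its own `ds:Signature`. It checks presence only and does not verify the signature; the helper names and the sample XML are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def decode_assertion_param(value):
    """Decode the base64url 'assertion' form parameter (RFC 7522); padding is optional."""
    value = value.strip()
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def signature_report(xml_bytes):
    """Report where ds:Signature elements sit. Presence only, no cryptographic verification."""
    # Use only on XML from your own IdP; ElementTree is not hardened against hostile XML.
    root = ET.fromstring(xml_bytes)
    is_assertion = root.tag == "{%s}Assertion" % NS["saml"]
    assertions = [root] if is_assertion else root.findall(".//saml:Assertion", NS)
    return {
        # A signature on the enclosing Response does not make the Assertion itself signed.
        "response_signed": not is_assertion and root.find("ds:Signature", NS) is not None,
        # An enveloped assertion signature is a direct child of saml:Assertion.
        "assertions": [(a.get("ID"), a.find("ds:Signature", NS) is not None) for a in assertions],
    }

def unsigned_assertion_ids(assertion_param):
    """Return the IDs of assertions in the encoded parameter that have no signature."""
    report = signature_report(decode_assertion_param(assertion_param))
    return [aid for aid, signed in report["assertions"] if not signed]

# Constructed samples, not real IdP output; the Signature elements are empty placeholders.
_XMLNS = ' xmlns:saml="%(saml)s" xmlns:samlp="%(samlp)s" xmlns:ds="%(ds)s"' % NS
BARE = "<saml:Assertion%s ID='_a1'><saml:Issuer>idp.example</saml:Issuer></saml:Assertion>" % _XMLNS
SIGNED = "<saml:Assertion%s ID='_a2'><saml:Issuer>idp.example</saml:Issuer><ds:Signature/></saml:Assertion>" % _XMLNS
WRAPPED = ("<samlp:Response%s ID='_r1'><ds:Signature/>"
           "<saml:Assertion ID='_a3'><saml:Issuer>idp.example</saml:Issuer></saml:Assertion>"
           "</samlp:Response>" % _XMLNS)

def encode_sample(xml):
    """Encode a sample the way the 'assertion' parameter is transmitted (unpadded base64url)."""
    return base64.urlsafe_b64encode(xml.encode()).decode().rstrip("=")

if __name__ == "__main__":
    for name, xml in (("bare", BARE), ("signed", SIGNED), ("wrapped", WRAPPED)):
        print(name, signature_report(xml.encode()), unsigned_assertion_ids(encode_sample(xml)))
```

The `WRAPPED` sample shows the case that is easy to miss: the enclosing Response is signed, but the Assertion inside it is not.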
3 Comments
letissia · April 28, 2022 at 14:57
Hello, thanks for your post,
I use OAuth2 only (no SAML2). I have the same problem when I request an OAuth2 token. Can you tell me please the solution if we use only OAuth2?
Thank you!
Tobias Hofmann · April 28, 2022 at 15:46
The SAP ABAP OAuth token issue service (sap/bc/sec/oauth2/token) expects you to send a SAML signed request. How do you want to get the token without SAML2?
Letissia · May 2, 2022 at 09:35
When configuring SSO OAuth2 we can choose the Grant Type:
“Authorization Code” or “SAML 2.0 Bearer Assertion”
So I have configured my SSO OAuth using Authorization Code, but I have an error when requesting a token:
error=oa2c_error
44306/sap/bc/webdynpro/sap/OA2C_GRANT_APP?sap-client=200&error=oa2c_error&error_description=Client%20configuration%20error%20or%20network%20problems.%20See%20kernel%20traces.#
Help please!