SCIM 2.0 connector (Authentication: OAUTH2, Grant Type: Password) Test Connection Failure

I’m trying to test the connection to an endpoint running on AWS, protected by the OAuth 2.0 implementation of Red Hat OpenShift, and I’m getting the following error:

The log messages are as follows:

2025-09-30T10:15:21,292 ERROR http-nio-8080-exec-9 sailpoint.web.ApplicationObjectBean:2848 - Connector failed.
sailpoint.connector.ConnectorException: Exception occurred while generating access token: Unable to generate access token. Response returned: 302
at sailpoint.connector.OpenConnectorAdapter.throwCounterpartException(OpenConnectorAdapter.java:1786) ~[connector-bundle-identityiq.jar:8.3p2]
at sailpoint.connector.OpenConnectorAdapter.testConfiguration(OpenConnectorAdapter.java:791) ~[connector-bundle-identityiq.jar:8.3p2]
at sailpoint.connector.ConnectorProxy.testConfiguration(ConnectorProxy.java:411) ~[connector-bundle-identityiq.jar:8.3p2]
at sailpoint.web.ApplicationObjectBean.testConnectorAction(ApplicationObjectBean.java:2842) ~[identityiq.jar:8.3p2 Build a3a0711bca8-20230213-093637]
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-util.jar:9.0.86]
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:9.0.86]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-util.jar:9.0.86]
at java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: openconnector.ConnectorException: Exception occurred while generating access token: Unable to generate access token. Response returned: 302
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.exceptionBucketing(SCIM2RelaxConfigExecutor.java:502) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.processException(SCIM2RelaxConfigExecutor.java:459) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.executeEndpoint(SCIM2RelaxConfigExecutor.java:269) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.testConfiguration(SCIM2RelaxConfigExecutor.java:65) ~[?:?]
at openconnector.connector.scim2.SCIM2Connector.testConnection(SCIM2Connector.java:361) ~[?:?]
at sailpoint.connector.OpenConnectorAdapter.testConfiguration(OpenConnectorAdapter.java:789) ~[connector-bundle-identityiq.jar:8.3p2]
… 73 more
Caused by: connector.sdk.webservices.exception.WebServicesSdkAuthException: Exception occurred while generating access token: Unable to generate access token. Response returned: 302
at connector.sdk.webservices.auth.impl.OAuth2Authentication.authenticate(OAuth2Authentication.java:152) ~[?:?]
at connector.sdk.webservices.auth.impl.OAuth2Authentication.authenticate(OAuth2Authentication.java:37) ~[?:?]
at connector.sdk.webservices.ExecutionMediator.processEndpoint(ExecutionMediator.java:509) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.executeEndpoint(SCIM2RelaxConfigExecutor.java:241) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.testConfiguration(SCIM2RelaxConfigExecutor.java:65) ~[?:?]
at openconnector.connector.scim2.SCIM2Connector.testConnection(SCIM2Connector.java:361) ~[?:?]
at sailpoint.connector.OpenConnectorAdapter.testConfiguration(OpenConnectorAdapter.java:789) ~[connector-bundle-identityiq.jar:8.3p2]
… 73 more
Caused by: connector.common.oauth2.OAuth2Exception: Unable to generate access token. Response returned: 302
at connector.common.oauth2.BaseTokenClient.generateToken(BaseTokenClient.java:127) ~[?:?]
at connector.sdk.webservices.auth.impl.OAuth2Authentication.authenticate(OAuth2Authentication.java:145) ~[?:?]
at connector.sdk.webservices.auth.impl.OAuth2Authentication.authenticate(OAuth2Authentication.java:37) ~[?:?]
at connector.sdk.webservices.ExecutionMediator.processEndpoint(ExecutionMediator.java:509) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.executeEndpoint(SCIM2RelaxConfigExecutor.java:241) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.testConfiguration(SCIM2RelaxConfigExecutor.java:65) ~[?:?]
at openconnector.connector.scim2.SCIM2Connector.testConnection(SCIM2Connector.java:361) ~[?:?]
at sailpoint.connector.OpenConnectorAdapter.testConfiguration(OpenConnectorAdapter.java:789) ~[connector-bundle-identityiq.jar:8.3p2]
… 73 more
Caused by: connector.common.http.exception.HttpException:
at connector.common.http.client.impl.ApacheHttpClientWrapper.handleFailedRequest(ApacheHttpClientWrapper.java:552) ~[?:?]
at connector.common.http.client.impl.ApacheHttpClientWrapper.execute(ApacheHttpClientWrapper.java:338) ~[?:?]
at connector.common.http.client.HttpClientWrapper.execute(HttpClientWrapper.java:137) ~[?:?]
at connector.common.oauth2.BaseTokenClient.generateToken(BaseTokenClient.java:120) ~[?:?]
at connector.sdk.webservices.auth.impl.OAuth2Authentication.authenticate(OAuth2Authentication.java:145) ~[?:?]
at connector.sdk.webservices.auth.impl.OAuth2Authentication.authenticate(OAuth2Authentication.java:37) ~[?:?]
at connector.sdk.webservices.ExecutionMediator.processEndpoint(ExecutionMediator.java:509) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.executeEndpoint(SCIM2RelaxConfigExecutor.java:241) ~[?:?]
at openconnector.connector.scim2.SCIM2RelaxConfigExecutor.testConfiguration(SCIM2RelaxConfigExecutor.java:65) ~[?:?]
at openconnector.connector.scim2.SCIM2Connector.testConnection(SCIM2Connector.java:361) ~[?:?]
at sailpoint.connector.OpenConnectorAdapter.testConfiguration(OpenConnectorAdapter.java:789) ~[connector-bundle-identityiq.jar:8.3p2]
… 73 more

If I run a curl command against the Token URL with the username and password in basic auth, I get back the access token and an HTTP response of 302 with a redirection URL. The trouble is that the HTTP 302 seems to confuse the WebService/SCIM2 connector, which, I guess, is looking for a 200.

curl -u USER:PASSWORD -kI 'https://oauth.testw2-np.77eh.p3.openshiftapps.com/oauth/authorize?client_id=openshift-challenging-client&response_type=token'

HTTP/1.1 302 Found
Audit-Id: ce0efc6b-ae38-496b-b522-41dab80c8f16
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Location: https://oauth.testw2-np.77eh.p3.openshiftapps.com:443/oauth/token/implicit#access_token=sha256~lvAjVjC2zibyCLluCUfT8SaTpiL8RYOVx37oRo7i0ms&expires_in=86400&scope=user%3Afull&token_type=Bearer

I’m not sure who is not following the OAuth spec: is it OpenShift, by sending back a redirection HTTP code (302), or is it the SailPoint connector, which cannot handle URL redirection?

Hi @johnsonjoseph

This is IIQ, right? Change the categories to the ones related to IIQ. You’ll get quicker and more responses.

1 Like

Hi @johnsonjoseph ,

Use a Custom Authentication operation to handle the OAuth 2.0 implicit grant redirect and extract the token yourself, then apply it to all subsequent calls.

1. Change Authentication to Custom

  • In your Web Services/SCIM2 connector configuration, set Authentication Type to Custom Authentication instead of “OAuth 2.0.”

2. Define the Token Operation

  • Operation Name: generateToken

  • Method: GET

  • URL:
    https://oauth.testw2-np.77eh.p3.openshiftapps.com/oauth/authorize?client_id=openshift-challenging-client&response_type=token

  • Headers:
    Authorization: Basic <BASE64(USER:PASSWORD)>
    Content-Type: application/x-www-form-urlencoded

3. Before Operation Rule to Extract Token

Attach this Java rule to the generateToken operation to catch the 302 and parse the token:

I’m pasting sample token generation code; you can use your own if you already have one.

import java.util.Map;
import java.util.HashMap;
import java.util.regex.Pattern;
import java.util.regex.Matcher;

// Rule variables (requestEndPoint etc.) are injected by the connector.
// Raw types are used because the rule runs in BeanShell, which does not
// accept Java generics or the diamond operator.
if (requestEndPoint.getResponseCode() == 302) {
    String location = requestEndPoint.getResponseHeaders().get("Location");
    if (location != null) {
        // Match access_token wherever it appears in the fragment, not only
        // when it is the first parameter after '#'
        Pattern p = Pattern.compile("[#&]access_token=([^&]+)");
        Matcher m = p.matcher(location);
        if (m.find()) {
            String token = m.group(1);
            // Set Authorization header for subsequent calls
            Map hdrs = new HashMap();
            hdrs.put("Authorization", "Bearer " + token);
            requestEndPoint.setHeader(hdrs);
        }
    }
}

4. Use Extracted Token in All Operations
For every API call (Test Connection, Aggregation, Provisioning):

  • Under HTTP Headers, add
    Authorization: Bearer $application.access_token$

5. Verify with CURL

curl -u USER:PASSWORD -k \
'https://oauth.testw2-np.77eh.p3.openshiftapps.com/oauth/authorize?client_id=openshift-challenging-client&response_type=token'
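As an added, stand-alone Java example (not code from the thread or from SailPoint), this is the fragment parsing the rule above relies on, written so that it does not depend on access_token being the first parameter after '#', percent-decodes values such as scope, and refuses a redirect whose token_type is not Bearer. The Location value is a constructed sample with a placeholder token, modelled on the 302 response quoted in the question.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/** Parses the fragment of an OAuth 2.0 implicit-grant redirect Location header. */
public class ImplicitGrantFragment {

    // Constructed sample: same shape as the thread's 302 response, placeholder token.
    static final String SAMPLE_LOCATION =
        "https://oauth.example.invalid:443/oauth/token/implicit"
        + "#access_token=sha256~PLACEHOLDER_TOKEN&expires_in=86400"
        + "&scope=user%3Afull&token_type=Bearer";

    /** Returns the fragment parameters, percent-decoded; empty map if there is no fragment. */
    public static Map<String, String> parseFragment(String location) {
        Map<String, String> out = new HashMap<String, String>();
        int hash = location.indexOf('#');
        if (hash < 0 || hash == location.length() - 1) {
            return out;
        }
        for (String pair : location.substring(hash + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) continue; // skip malformed entries such as "&&" or "=x"
            String key = URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8);
            String val = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            out.put(key, val);
        }
        return out;
    }

    /** Builds the Authorization header value, or throws if the fragment is unusable. */
    public static String bearerHeader(String location) {
        Map<String, String> f = parseFragment(location);
        String token = f.get("access_token");
        if (token == null || token.isEmpty()) {
            throw new IllegalStateException("redirect carried no access_token");
        }
        // The implicit grant returns token_type; anything other than Bearer cannot be
        // sent as "Bearer <token>" to the SCIM endpoint.
        String type = f.containsKey("token_type") ? f.get("token_type") : "Bearer";
        if (!"Bearer".equalsIgnoreCase(type)) {
            throw new IllegalStateException("unexpected token_type: " + type);
        }
        return "Bearer " + token;
    }

    public static void main(String[] args) {
        Map<String, String> f = parseFragment(SAMPLE_LOCATION);
        System.out.println("scope=" + f.get("scope") + " expires_in=" + f.get("expires_in"));
        System.out.println(bearerHeader(SAMPLE_LOCATION));
    }
}
```

The expires_in value (86400 seconds in the captured response) is the moment to re-run the token operation; a rule that only stores the token will start receiving 401s once it lapses.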

You need to use OpenShift’s /oauth/token endpoint with the appropriate grant type, not the /oauth/authorize endpoint which is designed for browser-based flows.

Can you try the curl command below?

# Test token generation
curl -X POST -k \
  -u 'openshift-challenging-client:' \
  -d 'grant_type=password&username=USER&password=PASSWORD' \
  'https://oauth.testw2-np.77eh.p3.openshiftapps.com/oauth/token'

Try this one and let me know if it returns HTTP 200 with a JSON response.

Has this issue been resolved?

1 Like

Thanks @selvasanthosh ,

This is a viable workaround to integrate with applications that do not support OAuth’s non-interactive auth flows (Client Credentials or Resource Owner Password).

In my case, the resource server is a SCIM URL running on AWS, and the authorization server is “Red Hat OpenShift Service on AWS (ROSA)”. ROSA only supports OAuth’s interactive auth flows, Implicit and Authorization Code. It is documented here. So, there is a fundamental incompatibility between these two systems.

I was told by the ROSA admin that there might be a workaround on ROSA’s side, but I have not been made aware of the details yet. I will update this thread once I find out how.

Thanks @naveenkumar3 ,

Running this command resulted in 401 Unauthorized. The underlying issue is that Red Hat’s OpenShift on AWS (ROSA) does not support the Client Credentials/Resource Owner Password flows of OAuth. Directly accessing the “/token” endpoint does not result in the generation of Access/Refresh tokens. So, it is useless.
