Remote proxy troubleshooting
These troubleshooting topics and a testing checklist address common remote proxy issues:
OAuth 2.0 authentication fails
Symptom: 401 Unauthorized when accessing the proxy.
-
Verify the OAuth 2.0 client exists in the receiving tenant.
-
Check that
clientIdandclientSecretmatch the OAuth 2.0 client credentials on the receiving tenant. -
Ensure the OAuth 2.0 client has the
client_credentialsgrant type. -
Verify
tokenEndpointAuthMethodisclient_secret_post. -
Check that the OAuth 2.0 client has the
fr:idm:*scope.
Forbidden access
Symptom: 403 Forbidden when querying data.
-
Verify the static user mapping is configured.
-
Check that
subjectin the static user mapping matches the OAuth 2.0clientId. -
Ensure roles include
internal/role/openidm-admin.
Proxy not found
Symptom: 404 Not Found when accessing /openidm/external/idm/<receiving-tenant-name>.
-
Check that the config was created:
GET /openidm/config/external.idm/<receiving-tenant-name>. -
Verify the config name matches the proxy name formatting (for example, hyphen in config path, slash in access path).
-
Ensure
enabledistruein the configuration.
SSL/TLS certificate errors
Symptom: SSL handshake failures.
-
Import the receiving tenant’s certificate into the originating tenant’s truststore.
-
Verify the certificate is valid and not expired.
-
Check network connectivity and firewall rules.
Testing checklist
Before reporting a connectivity issue, verify the following:
-
OAuth 2.0 client is created on the receiving tenant.
-
OAuth 2.0 client has the
client_credentialsgrant. -
OAuth 2.0 client has the
fr:idm:*scope. -
tokenEndpointAuthMethodisclient_secret_post. -
Static user mapping is configured on the receiving tenant.
-
Static user mapping
subjectmatches the OAuth 2.0 client ID. -
External IDM config is created on the originating tenant.
-
Config
clientIdandclientSecretmatch the OAuth 2.0 client. -
Config
tokenEndpointpoints to the correct realm. -
Config
instanceUrlends with/openidm/. -
Proxy query succeeds:
GET /openidm/external/idm/<receiving-tenant-name>/managed/realm-name_user.