Description of error codes related to authorizing an application and working with tokens.
Problems with application authorization
AuthorizeErrorCode
Code |
Error |
Description |
0 |
NoError |
|
1 |
Revoked |
Application's access to the tenant has been revoked |
2 |
InvalidRedirectUrl |
The redirect URL your used is not registered in SuperOffice operation center on the app - you need to whitelist the redirect URL on your app registration. This is usually shown in an error message Authorization error: InvalidRedirectUrl (2) |
3 |
Expired |
The application authorization on this tenant has expired |
4 |
Denied |
The applications access to this tenant has been denied |
5 |
NeedsReapproval |
Authorization needs to be re-approved |
6 |
InvalidTimestamp |
The supplied timestamp is invalid |
7 |
InvalidSignature |
Calculated signature is invalid |
Problems with tokens and certificate
Error: ID4037
The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier'
Problem:
The certificate is not found:
- the certificates are not installed on the local machine, or
- the certificates are not configured to load the SuperOfficeFederatedLogin.crt certificate by using the CertificateFileCertificateStoreTokenResolver class
Resolution:
- Check the online certificates are installed on the local machine.
- Use the CertificateFileCertificateStoreTokenResolver to point to the location of the SuperOfficeFederatedLogin.crt certificate. Set the CertificateValidator to
X509.CertificateValidator.None
.
var tokenHandler = new SuperIdTokenHandler();
tokenHandler.IssuerTokenResolver =
new SuperOffice.SuperID.Client.Tokens.CertificateFileCertificateStoreTokenResolver(
System.Web.HttpContext.Current.Server.MapPath("~/App_Data")
);
tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
return tokenHandler.ValidateToken(returnedToken, TokenType.Saml);
Error: ID4175
The issuer of the security token was not recognized by the IssuerNameRegistry.
Problem:
The SuperIdCertificate appSetting value doesn't correlate to an installed certificate.
Resolution:
- Install the correct certificates for the correct environment (SOD, Stage, Production) into the local certificate store.
- Make sure the thumbprint is correct: use the arrow keys or Backspace to verify that there is no hidden character before the thumbprint value.
Alternatively, override the IssuerTokenRsolver and set the CertificateValidator to X509CertificateValidator.None
.
Error: ID4148
The Saml2SecurityToken is rejected because the SAML2:Assertion's NotOnOrAfter condition is not satisfied.
Problem:
Too much time has elapsed since the system user token was signed and sent to exchange for a system user ticket. The returned token containing the system user ticket has expired.
Resolution:
Tokens must be validated immediately after they are returned by SuperID.
Error: Data at the root level is invalid. Line 1, position 1
Problem:
TokenHandler attempted to validate a JWT token with the SAML token enumeration.
Resolution:
Change the enumeration from SAML to JWT.
tokenHandler.ValidateToken(token, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Jwt)
Error: IDX10708
'System.IdentityModel.Tokens.JwtSecurityTokenHandler' cannot read this string: 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48QXNzZXJ0aW9uIElEPSJfZWQ4OTVmMzktZjc4Yi00NDFkLWFiY2QtYjllZWMzOGUyZDNhIiBJc3N1ZUluc3RhbnQ9IjIwMTUtMTAtMDZUMjA6NTg6NDMuNzI5WiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI
Problem:
TokenHandler attempted to validate a SAML token with the Jwt token enumeration.
Resolution:
- Don't set the tokenHandler.JwtIssuerSigningCertificate property if you use locally installed certificates.
- Don't set tokenHandler.IssuerTokenResolver to a new CertificateFileCertificateStoreTokenResolver instance if you use a relative certificate file.
- Change the TokenType enumeration from
Jwt
to SAML
in the Validate method.
//Disable looking up the certificate PeerTrust when using CertificateFileCertificateStoreTokenResolver or JWT tokens.
tokenHandler.CertificateValidator = System.IdentityModel.Selectors.X509CertificateValidator.None;
//determine what class will lookup the certificates for validation
tokenHandler.IssuerTokenResolver = new SuperOffice.SuperID.Client.Tokens.CertificateFileCertificateStoreTokenResolver(
HttpContext.Current.Server.MapPath("~/App_Data"));
tokenHandler.ValidateToken(token, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml)
Error: Value cannot be null. Parameter name: certificate
Possible problem 1:
TokenHandler attempted to validate a SAML token with the Jwt token enumeration.
Resolution 1:
Change the enumeration from Jwt to SAML.
tokenHandler.ValidateToken(token, SuperOffice.SuperID.Contracts.SystemUser.V1.TokenType.Saml)
Possible problem 2:
Certificates have not been installed on the partner's server. When setting up a database mirroring service an email with the following error will be sent the technical contact:
Exception:
Failed validating token at at SuperOffice.SuperID.Client.Tokens.SuperIdTokenHandler.ValidateJwtToken(String token, ClaimsPrincipal& claimsPrincipal) in ...
at SuperOffice.Online.Mirroring.MirroringClientService.ValidateSuperOfficeSignedToken(String token) in ...
at SuperOffice.Online.Mirroring.MirroringClientService.Authenticate(AuthenticateRequest request) in ...
Value cannot be null. Parameter name: certificate at at Microsoft.IdentityModel.Tokens.X509SecurityKey..ctor(X509Certificate2 certificate) in ...
Resolution:
Install the public SuperOffice certificates.
Error: Cannot locate PartnerHttpContext
Problem:
The web application web.config file declared a session mode equal to PartnerHttpContext, but that class is not included in the project or in an assembly located in the website's bin folder.
Resolution:
Ensure your web project contains the following files from the sample project SuperOffice.DevNet.Online.Login:
- ContextInitializer.cs
- ContextResolver.cs
- PartnerHttpContext.cs