Forgeops 2025.2.1 Platform Login Issue

[nickehunt]

I have a new install of forgeops using 2025.2.1. Everything deploys and completes but when going ot the platform / admin ui (or end user) I get the below error in the AM logs. I can get a token via AM rest authenticate endpoint and see the clients are registered, but not getting access to the UI. Do you know what could be causing this issue?

{"timestamp":"2026-02-16T19:39:55.466Z","level":"WARN","thread":"http-nio-8081-exec-5","mdc":{"transactionId":"e216ece9-2741-44d5-9dd6-88a44b316b53-4078"},"logger":"org.forgerock.oauth2.core.SessionValidatorHelper","message":"Error authenticating user against OpenAM: ","context":"default","exception":"com.iplanet.sso.SSOException: SessionID is empty\n\tat com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:148)\n\tat com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:161)\n\tat com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:328)\n\tat org.forgerock.oauth2.core.SessionValidatorHelper.getResourceOwnerSession(SessionValidatorHelper.java:133)\n\tat org.forgerock.oauth2.core.ResourceOwnerSessionValidator.validate(ResourceOwnerSessionValidator.java:186)\n\tat org.forgerock.oauth2.core.AuthorizationService.authorize(AuthorizationService.java:189)\n\tat org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:172)\n\tat jdk.internal.reflect.GeneratedMethodAccessor139.invoke(Unknown Source)\n\tat java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.base/java.lang.reflect.Method.invoke(Method.java:569)\n\tat org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:82)\n\tat org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:78)\n\tat org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:180)\n\tat org.forgerock.oauth2.restlet.OAuth2Filter.filter(OAuth2Filter.java:49)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:89)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.cors.CorsFilter.filter(CorsFilter.java:92)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:88)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:207)\n\tat org.forgerock.http.routing.Router.handle(Router.java:100)\n\tat org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:96)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:63)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:67)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.ResponseContext$ResponseContextFilter.filter(ResponseContext.java:57)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.OpenAMHttpApplication.lambda$static$1(OpenAMHttpApplication.java:61)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.openam.http.OpenAMHttpApplication.lambda$cacheHeaderFilter$3(OpenAMHttpApplication.java:89)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)\n\tat org.forgerock.http.handler.Handlers$1.handle(Handlers.java:54)\n\tat org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:282)\n\tat jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)\n\tat org.forgerock.openam.http.OpenAMHttpFrameworkServlet.service(OpenAMHttpFrameworkServlet.java:48)\n\tat jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.validation.LargeCookieWarningFilter.doFilter(LargeCookieWarningFilter.java:49)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.headers.SecureCookieFilter.doFilter(SecureCookieFilter.java:64)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.headers.DisableSameSiteCookiesFilter.doFilter(DisableSameSiteCookiesFilter.java:107)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:60)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:111)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:111)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.validation.FQDNValidationFilter.doFilter(FQDNValidationFilter.java:56)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:121)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.validation.RequestEntitySizeVerificationFilter.doFilter(RequestEntitySizeVerificationFilter.java:67)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.tracing.SpanFilter.lambda$doFilter$0(SpanFilter.java:45)\n\tat org.forgerock.openam.tracing.service.DefaultTracingService.spanHttp(DefaultTracingService.java:70)\n\tat org.forgerock.openam.tracing.SpanFilter.doFilter(SpanFilter.java:45)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:44)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:138)\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:165)\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:88)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:113)\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:83)\n\tat org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:654)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:72)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)\n\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:973)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:491)\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)\n\tat java.base/java.lang.Thread.run(Thread.java:840)\nCaused by: com.iplanet.dpro.session.SessionException: SessionID is empty\n\tat com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:135)\n\t... 99 common frames omitted\n","transactionId":"e216ece9-2741-44d5-9dd6-88a44b316b53-4078"}

[nickehunt]

the redirect starts to the login page then stops on the page.

10.1.147.175 - - [16/Feb/2026:19:39:55 +0000] "GET /am/oauth2/authorize?redirect_uri=https%3A%2F%2Fs<removed>%2Fam%2FXUI%2FappAuthHelperRedirect.html&client_id=idm-admin-ui&response_type=code&state=EsvW21tkQY&scope=openid%20fr%3Aidm%3A*&prompt=none&code_challenge=ySXaN7tjI9MDvH-WPm6fSTjyRqjBuUsNm7uGgcah3Kc&code_challenge_method=S256 HTTP/1.1" 400 1883 4354ms

[stenolan1]

Hi Nick, Steve Nolan here Can you see if you're able to carry out these curl commands and get valid responses to all of them The examples I used below are based on a 2025.2.1 instance of forgeops on a minikube cluster where the fqdn is platform.example.com admin-ui-9fd848dd4-5bpl9 1/1 Running 1 (2d22h ago) 3d2h am-5ccdc645f6-vm5t4 1/1 Running 1 (2d22h ago) 3d2h ds-cts-0 1/1 Running 1 (2d22h ago) 3d2h ds-idrepo-0 1/1 Running 1 (2d22h ago) 3d2h end-user-ui-85cfcf9dcc-n4zcw 1/1 Running 1 (2d22h ago) 3d2h idm-dbb4f7456-wq9dw 1/1 Running 1 (2d22h ago) 3d2h login-ui-698bf6758d-jlh6m 1/1 Running 1 (2d22h ago) 3d2h /opt/forgeops/bin/forgeops info Targeting namespace: "platform". Relevant passwords: 5WKbiUGGiQfpw5sYq45bJRL+dtAKDanf (amadmin user) ZygXjEztqsuTWuvnFWISr7zDNfPJwf18 (uid=admin user) 8a2ZseYgGLHzbRZysDFiY8hrOZ6zjKjP (App str svc acct (uid=am-config,ou=admins,ou=am-config)) 5EgQ0DlnEoUXVu1x5GS5micxJAi9ibaH (CTS svc acct (uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens)) 71EyQAdf7oD8fo0wNH3t2u/K9RwIwz03 (ID repo svc acct (uid=am-identity-bind-account,ou=admins,ou=identities)) Relevant URLs: https://platform.example.com/platform https://platform.example.com/admin https://platform.example.com/am https://platform.example.com/enduser Step 1. Get a session token curl -k -v \ --request POST \ --insecure \ --header "Content-Type: application/json" \ --header "X-OpenAM-Username: amadmin" \ --header "X-OpenAM-Password: 5WKbiUGGiQfpw5sYq45bJRL+dtAKDanf" \ --header "Accept-API-Version: resource=2.0, protocol=1.0" \ 'https://platform.example.com/am/json/realms/root/authenticate' Step 2.Exchange the session token for an auth code curl -k -v --dump-header - \ --request POST \ --cookie "iPlanetDirectoryPro=WPLMOlO4KK7hPUo4jZAhGM_SYbU.*AAJTSQACMDIAAlNLABx3MG9aNG1FbU5IYzV0Y0hsUzFkQjJtQnFHYWM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*" \ --data "scope=fr:idm:* openid" \ --data "response_type=code" \ --data "client_id=idm-admin-ui" \ --data "csrf=WPLMOlO4KK7hPUo4jZAhGM_SYbU.*AAJTSQACMDIAAlNLABx3MG9aNG1FbU5IYzV0Y0hsUzFkQjJtQnFHYWM9AAR0eXBlAANDVFMAAlMxAAIwMQ..*" \ --data "redirect_uri= https://platform.example.com/platform/appAuthHelperRedirect.html" \ --data "state=abc123" \ --data "decision=allow" \ "https://platform.example.com/am/oauth2/realms/root/authorize" Step 3. Exchange the auth code for an access_token curl -k -v --request POST \ --insecure \ --data "grant_type=authorization_code" \ --data "code=a87WfDQzc_V0vUP9_Tnffe0PFxQ" \ --data "client_id=idm-admin-ui" \ --data "redirect_uri= https://platform.example.com/platform/appAuthHelperRedirect.html" \ "https://platform.example.com/am/oauth2/realms/root/access_token" |jq Step 4. Use the access_token as a bearer token to get the idm details curl -v \ --insecure \ --request GET \ --header "Authorization: Bearer DnJeSMKgOkd68DMzr2qE9e3edmc" \ --data "{}" \ https://platform.example.com/openidm/config Steve

…

On Mon, Feb 16, 2026 at 2:52 PM Nick Hunt ***@***.***> wrote: *nickehunt* left a comment (ForgeRock/forgeops#710) <#710 (comment)> the redirect starts to the login page then stops on the page. 10.1.147.175 - - [16/Feb/2026:19:39:55 +0000] "GET /am/oauth2/authorize?redirect_uri=https%3A%2F%2Fs<removed>%2Fam%2FXUI%2FappAuthHelperRedirect.html&client_id=idm-admin-ui&response_type=code&state=EsvW21tkQY&scope=openid%20fr%3Aidm%3A*&prompt=none&code_challenge=ySXaN7tjI9MDvH-WPm6fSTjyRqjBuUsNm7uGgcah3Kc&code_challenge_method=S256 HTTP/1.1" 400 1883 4354ms — Reply to this email directly, view it on GitHub <#710 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIMDMXK4EA3E32JR47E3OKL4MINXZAVCNFSM6AAAAACVKJYJV2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTSMJQGI4TINRYGE> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>