Red Hat SummitTroubleshoot Ansible automation portal authentication
Identify and resolve common authentication and login issues when connecting Ansible automation portal to Ansible Automation Platform.
Overview
Use the symptom table to identify your issue, then follow the resolution steps. If the table does not cover your issue, use the diagnostic procedure to check portal logs for additional information.
For issues specific to execution environment builder, see Troubleshoot execution environment builder. For issues specific to the RHEL appliance deployment, see Troubleshooting RHEL appliances.
Common authentication issues
| Symptom | Cause | Resolution |
|---|---|---|
| Sign In redirects to a browser certificate error page instead of the Ansible Automation Platform login form | Ansible Automation Platform uses a self-signed certificate or a certificate from an untrusted CA. The browser rejects the connection to the Ansible Automation Platform OAuth authorization endpoint (/o/authorize/). |
Before signing in to Ansible automation portal, open the Ansible Automation Platform URL directly in your browser (for example, https://aap-host/) and accept the certificate warning. After accepting, return to Ansible automation portal and click Sign In again. For production environments, use a CA-signed certificate on Ansible Automation Platform. |
Sign In completes at Ansible Automation Platform but returns to the portal with Failed to send POST request: fetch failed |
The portal backend cannot reach the Ansible Automation Platform OAuth token endpoint (/o/token/) because checkSSL is set to true and Ansible Automation Platform uses a self-signed certificate. The Node.js backend rejects the untrusted certificate during the authorization code exchange. |
Set checkSSL to false in both locations in the Helm chart values: under ansible.rhaap.checkSSL and under auth.providers.rhaap.production.checkSSL. Restart the portal deployment. See Configure checkSSL for self-signed certificates. |
Sign In completes at Ansible Automation Platform but returns to the portal with Auth response is missing cookie nonce |
The OAuth nonce cookie set during the authorization start was not sent back with the callback request. This can occur when the Ansible Automation Platform host is a bare IP address, when browser cookie policies block cross-site cookies, or when there is a protocol mismatch between the portal and Ansible Automation Platform URLs. | Verify that app.baseUrl and backend.baseUrl use the same protocol (https://). If Ansible Automation Platform is accessed by IP address, accept the certificate in your browser before starting the OAuth flow. Clear browser cookies for the portal domain and retry. |
Catalog sync fails with Failed to send fetch data: fetch failed (users and teams not synced from Ansible Automation Platform) |
The portal backend cannot reach the Ansible Automation Platform API because ansible.rhaap.checkSSL is true and Ansible Automation Platform uses a self-signed certificate. This is the same root cause as the OAuth token exchange failure. |
Set ansible.rhaap.checkSSL to false in the Helm chart values or app-config.yaml. Restart the portal deployment. Catalog sync runs on a schedule and resumes automatically after the restart. |
Portal shows Authenticated but no permissions or users see an empty interface after login |
Catalog synchronization has not completed, or the user does not exist in the portal catalog. The allowNewAAPUserSignIn resolver creates users automatically, but requires the catalog backend module to be functioning. |
Verify catalog sync is running without errors. Check that catalog.providers.rhaap is configured with the correct Ansible Automation Platform organization. Check logs for AapEntityProvider errors. If using the usernameMatchingUser resolver, verify the user exists in the portal catalog. |
OAuth login redirects to Ansible Automation Platform but Ansible Automation Platform returns invalid redirect_uri |
The redirect URI configured in the Ansible Automation Platform OAuth application does not match the portal callback URL. The redirect URI must be exactly https://portal-host/api/auth/rhaap/handler/frame. |
In Ansible Automation Platform, navigate to Administration > OAuth Applications, edit the application, and set the redirect URI to https://portal-host/api/auth/rhaap/handler/frame. Verify there are no trailing slashes or protocol mismatches. |
Portal pod logs show errors reaching Ansible Automation Platform but curl -k from the pod works |
checkSSL is true in the portal configuration. The -k flag in curl skips certificate verification, but the portal Node.js backend respects the checkSSL setting. |
Set checkSSL to false in both locations. See Configure checkSSL for self-signed certificates. |
| The login page shows Sign in with GitHub instead of Sign in with RHAAP, or both options appear | The app.baseUrl, backend.baseUrl, and backend.cors.origin values in the configuration do not match the URL used to access Ansible automation portal. This commonly happens when accessing the portal by IP address or through port-forwarding (for example, localhost:7007) but the configuration uses the OpenShift Container Platform route URL, or vice versa. The CORS mismatch can cause the RHAAP provider to fail silently, falling back to a GitHub provider if one is configured. |
For RHEL appliance deployments, see Troubleshooting RHEL appliances. |
Portal deployed with global._environment._development: true in Helm values |
The _development flag changes plugin image sources and catalog environment settings. It is intended for internal development and testing only. Production deployments must use _development: false and _production: true (the defaults). |
In the Helm chart values.yaml, verify the environment settings: Apply the corrected values with |
Configure checkSSL for self-signed certificates
Copy linkLink copied!
When Ansible Automation Platform uses a self-signed certificate or a certificate from an untrusted certificate authority, configure Ansible automation portal to skip TLS certificate verification for backend-to-Ansible Automation Platform communication. This setting affects only the portal backend and does not change browser behavior.
- Setting
checkSSLtofalsedisables TLS certificate verification between the portal backend and Ansible Automation Platform. Use this setting only in development, testing, or demo environments. - For production environments, use a CA-signed certificate on Ansible Automation Platform or add the Ansible Automation Platform CA certificate to the portal trust store. See Configure custom SSL certificates for the Ansible automation portal.
- You must set
checkSSLtofalsein two separate locations in the configuration. Missing either location causes different failures.
In your Helm chart values.yaml or app-config.yaml, locate and update both checkSSL settings:
ansible:
rhaap:
baseUrl: https://aap-host
checkSSL: false # Backend API calls to AAP (catalog sync, token exchange)
token: ${AAP_TOKEN}
auth:
providers:
rhaap:
production:
host: https://aap-host
checkSSL: false # OAuth authentication calls to AAP
clientId: ${OAUTH_CLIENT_ID}
clientSecret: ${OAUTH_CLIENT_SECRET}If you deployed with Helm, upgrade the release:
$ helm upgrade release-name chart -f values.yaml -n namespaceIf you edited the ConfigMap directly, restart the deployment:
$ oc rollout restart deployment/portal-deployment-name -n namespaceWait for the new pod to become ready:
$ oc rollout status deployment/portal-deployment-name -n namespaceVerify the configuration took effect by checking the pod logs for successful Ansible Automation Platform connectivity:
$ oc logs -n namespace deployment/portal-deployment-name -c backstage-backend | grep -i "rhaap\|AAP\|error"Successful catalog sync logs look like:
[catalog] info Fetching job templates from RH AAP.
[catalog] info [backstage-rhaap-common]: Executing get request to https://aap-host/api/controller/v2/job_templates...If you still see fetch failed errors, verify that the correct ConfigMap was updated and the pod restarted with the new configuration.
Accept the Ansible Automation Platform certificate in your browser
Setting checkSSL to false fixes backend communication but does not affect your browser. Before signing in to Ansible automation portal for the first time in a new browser session:
- Open a new tab and navigate directly to your Ansible Automation Platform URL (for example,
https://aap-host/). - Accept the browser certificate warning (click Advanced, then Proceed).
- Return to Ansible automation portal and click Sign In.
For RHEL appliance deployments, the
check_ssl cloud-init setting automatically mirrors to both configuration locations. If you edit app-config.production.yaml manually, you must update both locations.
Diagnose authentication failures
Copy linkLink copied!
If the symptom table does not match your issue, use the following steps to gather diagnostic information.
- Check portal backend logs for authentication errors:
$ oc logs -n namespace deployment/portal-deployment-name -c backstage-backend | grep -i "auth\|rhaap\|error\|fetch\|token" - Check for certificate-related failures from inside the pod:
$ oc exec -n namespace deployment/portal-deployment-name -c backstage-backend -- \ curl -k -s -o /dev/null -w "HTTP_CODE: %{http_code}\nSSL_VERIFY: %{ssl_verify_result}\n" \ https://aap-host/HTTP_CODE: 200confirms Ansible Automation Platform is reachable.SSL_VERIFY: 0means the certificate is trusted.SSL_VERIFY: 20means the issuer certificate is not in the trust store (self-signed CA).
- Verify the Ansible Automation Platform OAuth application configuration:
$ curl -k -s -u admin-user:password https://aap-host/api/gateway/v1/me/ | python3 -m json.toolA successful response confirms Ansible Automation Platform credentials are valid and the API is accessible.
For a complete list of common log messages and their meanings, see View Ansible automation portal logs for execution environment builder.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}