Documentation

OAuth based client credentials rotation works in Author but not in Publish

Last update: Wed Jun 18 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

When rotating OAuth client credentials in Adobe Experience Manager (AEM) Forms, authentication fails on the Publish instance despite working in Author. This issue is typically caused by mismatched HMAC keys between instances, which prevents proper decryption of refresh tokens. This article explains the root cause and provides a resolution to restore OAuth functionality.

Description description

Environment

  • Adobe Experience Manager (AEM) Forms, v6.5
  • Managed Services

Issue/Symptoms

After rotating the OAuth based client credentials in Author and replicating the configuration to Publish, authentication in Publish failed with the following error:

[ 0]  POST /content/forms/af/company-forms/<test-form>/jcr:content/guideContainer.af.dermis HTTP/1.1 com.adobe.aemds.guide.addon.expeditor.servlet.ExpEditorServiceManager Error while making web service related call com.adobe.aem.dermis.exception.DermisException: com.adobe.aemfd.dermis.authentication.exception.AuthenticationException: AEM-AUT-001-004: Failed to fetch access token for oAuth. ERROR
[ xx.xx.x.xx [ xxxxxxxxxxxx]  POST /content/forms/af/company-forms/<test-form>/jcr:content/guideContainer.af.dermis HTTP/1.1]  com.adobe.forms.foundation.oauth.model.OAuthConfigSlingModel Error while decrypting the Refresh Token com.adobe.granite.crypto.CryptoException: Cannot convert byte data

Cause

The issue was traced to a failure in fetching access tokens due to outdated refresh tokens stored in memory. The HMAC key values were inconsistent between Author and Publish, causing cryptographic parsing issues.

Resolution resolution

Try the following steps to solve the issue:

  1. Sync HMAC keys between Author and Publish instances. Ensure the HMAC keys are identical on both the Author and Publish instances when using the same OAuth credentials.

  2. Restart the Publish instance. Without a restart, the default workflow is triggered, which fails to clear in-memory tokens:

    1. The system first checks for an in-memory token. If an outdated token is found, it attempts to use it but fails to establish a connection.
    2. If no token is found in memory, it checks the repository under cloudconfig/<respective configuration> and tries to connect using the stored credentials.
    3. If both of the above attempts fail, the system falls back to creating a new token using credentials from the cloud/OSGI configuration on the Publish instance. If successful, it updates the token in the CRX repository.

  3. To prevent this issue from occurring always ensure HMAC keys are synchronized across all AEM instances, especially after backups or restoration tasks.

    1. Go to /system/console/bundles in AEM Author and locate the bundle named Adobe Granite Crypto Bundle Key Provider (com.adobe.granite.crypto.file). Note the bundle number (e.g. 20).
    2. On the AEM filesystem, navigate to: <repository-folder>/crx-quickstart/launchpad/felix/bundle20 (replace 20 with the actual bundle number from the previous step).
    3. Inside the data folder, copy the two files: hmac and master.
    4. Repeat the process on each target AEM instance, replacing their hmac and master files with the copied versions.
    5. After replacing the files, restart the AEM instance.

By implementing these steps, OAuth flow is successfully re-established on Publish after credential rotation.

AEM 6.5 Crypto Support in Community Adobe Experience Manager Sites & More

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f