
OAuth2 Device flow - user code verification is case insensitive

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0
    • Fix Version/s: 13.5.2, 14.1.1, 14.5.0
    • Component/s: oauth2
    • Sprint: AM Sustaining Sprint 34, AM Sustaining Sprint 35, AM Sustaining Sprint 36, AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40
    • Story Points: 2

      Description

      Reproduction steps:

      • Set up OpenAM as the OAuth2 provider.
      • Register an OAuth2/OIDC client.
      • Generate the user_code and device_code with:

        curl -k -v --data "response_type=token&scope=uid&client_id=oauthclient" "http://openam.example.com:18080/openam/oauth2/device/code"

      • Response received:

        {"interval":5,"device_code":"33074de4-9920-4235-acc8-0c6ac5b96722","verification_url":"http://openam.example.com:18080/openam/oauth2/device/user","user_code":"gQBTwz3a","expires_in":300}

      • Get an SSOToken -> AQIC5w...
      • Verify the user code, but using lower case:

        curl -X POST --header "Cookie: iPlanetDirectoryPro=AQIC5w...*" --header "Content-Type: application/x-www-form-urlencoded" --data scope=uid --data user_code=gqbtwz3a --data response_type=token --data client_id=myDeviceAgentProfile --data decision=allow --data csrf=AQIC5w...* http://openam.example.com:18080/openam/oauth2/device/user?user_code=gqbtwz3a
      

      Expected behaviour

      The token is not found -> errorCode: "not_found" in the response

        ...
        pageData = {
            locale: "*",
            errorCode: "not_found",
            realm : "/",
            baseUrl : "http://openam.example.com:18080/openam/XUI"
        ...

      Observed behaviour

      The token is found -> done=true in the response

        ...
        pageData = {
            locale: "*",
            baseUrl : "http://openam.example.com:18080/openam/XUI",
            realm : "//XUI",
            done: true
        ...
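      To make the reported behaviour concrete, the following is an added illustration (not OpenAM's code): a minimal user_code verification that can run either case-insensitively, as observed, or case-sensitively, as expected, together with the reduction in the code space that a case-insensitive check causes. The store contents, the [A-Za-z0-9] alphabet and the 8-character code length are assumptions taken from the shape of the device/code response above.

```python
"""Device-flow user_code verification: the reported case-insensitive lookup
beside the case-sensitive one, plus the code-space reduction it causes.
Illustrative code only; the alphabet and store layout are assumptions."""
import math


def make_store(now):
    """Constructed store keyed by user_code, modelled on the report's
    device/code response (device_code, user_code, expires_in=300)."""
    return {
        "gQBTwz3a": {
            "device_code": "33074de4-9920-4235-acc8-0c6ac5b96722",
            "expires_at": now + 300,
        }
    }


def verify_user_code(store, user_code, now, case_insensitive):
    """Return a pageData-style outcome for a submitted user_code.

    case_insensitive=True reproduces the observed behaviour (any case
    variant of the issued code is accepted); False is the expected,
    fixed behaviour (exact match only). Expired codes are never found."""
    if case_insensitive:
        folded = user_code.casefold()
        matches = [v for k, v in store.items() if k.casefold() == folded]
        entry = matches[0] if matches else None
    else:
        entry = store.get(user_code)
    if entry is None or entry["expires_at"] <= now:
        return {"errorCode": "not_found"}
    return {"done": True}


def accepted_variants(user_code):
    """Distinct strings a case-insensitive check accepts for one issued code:
    every letter may be upper or lower case, digits have one form."""
    return 2 ** sum(c.isalpha() for c in user_code)


def keyspace_bits(length, case_insensitive):
    """Entropy in bits of a uniformly random code over [A-Za-z0-9] (assumed
    alphabet). Case-insensitive matching collapses 62 symbols to 36."""
    size = 36 if case_insensitive else 62
    return length * math.log2(size)


if __name__ == "__main__":
    t0 = 1_000_000.0
    s = make_store(t0)
    print(verify_user_code(s, "gqbtwz3a", t0, case_insensitive=True))   # observed
    print(verify_user_code(s, "gqbtwz3a", t0, case_insensitive=False))  # expected
    print(accepted_variants("gQBTwz3a"), keyspace_bits(8, False), keyspace_bits(8, True))
```

      The 8-character code from the report has seven letters, so the case-insensitive check accepts 128 different strings for the single code that was issued.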

            People

            • Assignee: Quentin CASTEL (Inactive)
            • Reporter: Nathalie Hoet
            • Votes: 0
            • Watchers: 3
