- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 14.0.0
- Fix Version/s: 14.0.0
- Component/s: authentication, OpenID Connect
1) Enable message-level Session debugging
2) Configure Social Authentication using Google
3) Edit the Authentication Module for GoogleSocialAuthentication
- disable "Create account if it does not exist"
- enable "Map to anonymous user"
4) Login using Google
5) Open the Session debug log and note the content of the Session, something like so:
SESSION NOTIFICATION : <Session sid="AQIC5wM2LY4Sfcy5pg-dy1u7L3VwVx1JzKabqyFE9hOT4ME.*AAJTSQACMDEAAlNLABQtMzAxNDQyMDE1ODk1NjU1Nzk4NQACUzEAAA..*" stype="user" cid="id=anonymous,ou=user,dc=example,dc=com" cdomain="dc=example,dc=com" maxtime="120" maxidle="30" maxcaching="3" timeidle="0" timeleft="6861" state="destroyed">
    <Property name="CharSet" value="UTF-8"></Property>
    <Property name="UserId" value="anonymous"></Property>
    <Property name="FullLoginURL" value="/openam?service=GoogleSocialAuthenticationService&realm=/&authIndexType=service&authIndexValue=GoogleSocialAuthenticationService"></Property>
    <Property name="cookieSupport" value="true"></Property>
    <Property name="AuthLevel" value="0"></Property>
    <Property name="SessionHandle" value="shandle:AQIC5wM2LY4Sfczsz92CCS-9y1RFAh2aGZIUYuOmxmpSIVc.*AAJTSQACMDEAAlNLABQtMzAxNDQyMDE1ODk1NjU1Nzk4NQACUzEAAA..*"></Property>
    <Property name="givenName" value="Jake"></Property>
    <Property name="uid" value="105980556059657539949"></Property>
    <Property name="OAuthToken" value="ya29.CjGvAwupo.....YTveNN0SZUkMTrpUy36iYJELnDDN2_r8LtD920_"></Property>
    <Property name="mail" value="jake.feasel@forgerock.com"></Property>
    <Property name="cn" value="Jake Feasel"></Property>
    <Property name="UserToken" value="anonymous"></Property>
    <Property name="loginURL" value="/openam/UI/Login"></Property>
    <Property name="IndexType" value="service"></Property>
    <Property name="Principals" value="anonymous"></Property>
    <Property name="Service" value="GoogleSocialAuthenticationService"></Property>
    <Property name="sun.am.UniversalIdentifier" value="id=anonymous,ou=user,dc=example,dc=com"></Property>
    <Property name="amlbcookie" value="01"></Property>
    <Property name="Organization" value="dc=example,dc=com"></Property>
    <Property name="Locale" value="en_US"></Property>
    <Property name="HostName" value="127.0.0.1"></Property>
    <Property name="AuthType" value="GoogleSocialAuthentication"></Property>
    <Property name="sn" value="Feasel"></Property>
    <Property name="Host" value="127.0.0.1"></Property>
    <Property name="UserProfile" value="Required"></Property>
    <Property name="AMCtxId" value="552792713a0f6a6701"></Property>
    <Property name="clientType" value="genericHTML"></Property>
    <Property name="OAuth2logoutBehaviour" value="prompt"></Property>
    <Property name="authInstant" value="2016-12-09T20:29:13Z"></Property>
    <Property name="Principal" value="id=anonymous,ou=user,dc=example,dc=com"></Property>
</Session>
Note that the OAuth2 access token (the OAuthToken property) is present in the session, but there is no OIDC id_token.
Note this code from openam-authentication/openam-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/OAuth.java:
    if (user == null && config.getCreateAccountFlag()) {
        if (config.getPromptPasswordFlag()) {
            setUserSessionProperty(PROFILE_SERVICE_RESPONSE, profileSvcResponse);
            if (config.isOpenIDConnect()) {
                setUserSessionProperty(OPENID_TOKEN, idToken);
            }
            return SET_PASSWORD_STATE;
        } else {
The logic is such that OPENID_TOKEN is only added to the session when a new user is being created. It should also be available for sessions mapped to the anonymous user, so that (for example) a Post Authentication Process class can read it and do something useful with it.
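To check a Session debug log for the condition described above (OAuthToken present, id_token absent) across many notifications, here is an added Python example that is not part of this report or of OpenAM. It uses regular expressions rather than an XML parser because the debug output is not well-formed XML (the FullLoginURL value contains unescaped "&"), the session property name that would carry the id_token ("openid_token") is an assumption passed as a parameter, and the sample log lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the SESSION NOTIFICATION entry above (token values shortened).
SAMPLE_LOG = (
    'SESSION NOTIFICATION : <Session sid="AQIC...constructed1" stype="user" '
    'cid="id=anonymous,ou=user,dc=example,dc=com" state="destroyed"> '
    '<Property name="UserId" value="anonymous"></Property> '
    '<Property name="FullLoginURL" value="/openam?service=GoogleSocialAuthenticationService&realm=/"></Property> '
    '<Property name="AuthType" value="GoogleSocialAuthentication"></Property> '
    '<Property name="OAuthToken" value="ya29.constructed"></Property> '
    '<Property name="Principals" value="anonymous"></Property> </Session>\n'
    'SESSION NOTIFICATION : <Session sid="AQIC...constructed2" stype="user" '
    'cid="id=jake,ou=user,dc=example,dc=com" state="valid"> '
    '<Property name="UserId" value="jake"></Property> '
    '<Property name="AuthType" value="GoogleSocialAuthentication"></Property> '
    '<Property name="OAuthToken" value="ya29.constructed"></Property> '
    '<Property name="openid_token" value="eyJ.constructed"></Property> </Session>\n'
)

SESSION_RE = re.compile(r'<Session\s+([^>]*)>(.*?)</Session>', re.DOTALL)
ATTR_RE = re.compile(r'(\w[\w.]*)="([^"]*)"')
PROP_RE = re.compile(r'<Property name="([^"]*)" value="([^"]*)">')


def parse_sessions(log_text: str) -> List[Dict[str, Dict[str, str]]]:
    """Extract every <Session> block as its attribute map and Property map.
    Regexes are used deliberately: the debug output is not well-formed XML
    (unescaped '&' inside FullLoginURL), so xml.etree would reject it."""
    sessions = []
    for attrs, body in SESSION_RE.findall(log_text):
        sessions.append({"attrs": dict(ATTR_RE.findall(attrs)),
                         "props": dict(PROP_RE.findall(body))})
    return sessions


def audit_oidc_session(session: Dict, id_token_property: str = "openid_token") -> Dict:
    """Summarise whether a session holds an OAuth2 access token and an id_token.
    id_token_property is an assumed name; adjust it to what your deployment stores."""
    props = session["props"]
    return {"user": props.get("UserId"),
            "auth_type": props.get("AuthType"),
            "has_access_token": "OAuthToken" in props,
            "has_id_token": id_token_property in props}


def find_missing_id_tokens(log_text: str, id_token_property: str = "openid_token") -> List[str]:
    """UserIds of sessions that carry an access token but no id_token (the bug above)."""
    results = (audit_oidc_session(s, id_token_property) for s in parse_sessions(log_text))
    return [r["user"] for r in results if r["has_access_token"] and not r["has_id_token"]]
```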