OpenAM issue OPENAM-10184

OpenID Connect id_token not saved in anonymous session

    Details

      Description

      1) Enable message-level Session debugging
      2) Configure Social Authentication using Google
      3) Edit the Authentication Module for GoogleSocialAuthentication

      • disable "Create account if it does not exist"
      • enable "Map to anonymous user"

      4) Login using Google
      5) Open the Session debug log and note the content of the Session, something like so:

      SESSION NOTIFICATION : <Session sid="AQIC5wM2LY4Sfcy5pg-dy1u7L3VwVx1JzKabqyFE9hOT4ME.*AAJTSQACMDEAAlNLABQtMzAxNDQyMDE1ODk1NjU1Nzk4NQACUzEAAA..*" stype="user" cid="id=anonymous,ou=user,dc=example,dc=com" cdomain="dc=example,dc=com" maxtime="120" maxidle="30" maxcaching="3" timeidle="0" timeleft="6861" state="destroyed">
      <Property name="CharSet" value="UTF-8"></Property>
      <Property name="UserId" value="anonymous"></Property>
      <Property name="FullLoginURL" value="/openam?service=GoogleSocialAuthenticationService&amp;realm=/&amp;authIndexType=service&amp;authIndexValue=GoogleSocialAuthenticationService"></Property>
      <Property name="cookieSupport" value="true"></Property>
      <Property name="AuthLevel" value="0"></Property>
      <Property name="SessionHandle" value="shandle:AQIC5wM2LY4Sfczsz92CCS-9y1RFAh2aGZIUYuOmxmpSIVc.*AAJTSQACMDEAAlNLABQtMzAxNDQyMDE1ODk1NjU1Nzk4NQACUzEAAA..*"></Property>
      <Property name="givenName" value="Jake"></Property>
      <Property name="uid" value="105980556059657539949"></Property>
      <Property name="OAuthToken" value="ya29.CjGvAwupo.....YTveNN0SZUkMTrpUy36iYJELnDDN2_r8LtD920_"></Property>
      <Property name="mail" value="jake.feasel@forgerock.com"></Property>
      <Property name="cn" value="Jake Feasel"></Property>
      <Property name="UserToken" value="anonymous"></Property>
      <Property name="loginURL" value="/openam/UI/Login"></Property>
      <Property name="IndexType" value="service"></Property>
      <Property name="Principals" value="anonymous"></Property>
      <Property name="Service" value="GoogleSocialAuthenticationService"></Property>
      <Property name="sun.am.UniversalIdentifier" value="id=anonymous,ou=user,dc=example,dc=com"></Property>
      <Property name="amlbcookie" value="01"></Property>
      <Property name="Organization" value="dc=example,dc=com"></Property>
      <Property name="Locale" value="en_US"></Property>
      <Property name="HostName" value="127.0.0.1"></Property>
      <Property name="AuthType" value="GoogleSocialAuthentication"></Property>
      <Property name="sn" value="Feasel"></Property>
      <Property name="Host" value="127.0.0.1"></Property>
      <Property name="UserProfile" value="Required"></Property>
      <Property name="AMCtxId" value="552792713a0f6a6701"></Property>
      <Property name="clientType" value="genericHTML"></Property>
      <Property name="OAuth2logoutBehaviour" value="prompt"></Property>
      <Property name="authInstant" value="2016-12-09T20:29:13Z"></Property>
      <Property name="Principal" value="id=anonymous,ou=user,dc=example,dc=com"></Property>
      </Session>
      

      Note that the OAuth2 access token is present in the session (the OAuthToken property), but there is no OIDC id_token.

      Note this code from openam-authentication/openam-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/OAuth.java:

      if (user == null && config.getCreateAccountFlag()) {
          if (config.getPromptPasswordFlag()) {
              setUserSessionProperty(PROFILE_SERVICE_RESPONSE, profileSvcResponse);
              if (config.isOpenIDConnect()) {
                  setUserSessionProperty(OPENID_TOKEN, idToken);
              }
              return SET_PASSWORD_STATE;
          } else {

      With this logic, OPENID_TOKEN is only added to the session on the path that creates a new user. It should also be available for anonymous sessions, so that (for example) a Post Auth Process class can read it and do something useful with it.
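      As an added check that is not part of this issue or of the OpenAM code base, the following script audits a Session debug log for exactly the symptom described above: entries that carry an OAuthToken property but no id_token property. The property name the OPENID_TOKEN constant maps to is not shown on this page, so ID_TOKEN_PROPERTY is an assumption to adjust, and the log sample is constructed from the dump above with shortened values.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the session property name that OPENID_TOKEN resolves to.
# The issue shows only the constant, so adjust this to your deployment.
ID_TOKEN_PROPERTY = "OpenIDToken"

# Constructed sample modelled on the Session debug output in the issue.
SAMPLE_LOG = """SESSION NOTIFICATION : <Session sid="AQIC...1..*" stype="user" state="destroyed">
<Property name="UserId" value="anonymous"></Property>
<Property name="AuthType" value="GoogleSocialAuthentication"></Property>
<Property name="OAuthToken" value="ya29.constructed-access-token"></Property>
</Session>
SESSION NOTIFICATION : <Session sid="AQIC...2..*" stype="user" state="valid">
<Property name="UserId" value="jdoe"></Property>
<Property name="AuthType" value="GoogleSocialAuthentication"></Property>
<Property name="OAuthToken" value="ya29.constructed-access-token"></Property>
<Property name="OpenIDToken" value="eyJ.constructed.idtoken"></Property>
</Session>
"""

def parse_session(dump):
    """Parse one <Session> element; returns (attributes, {property: value})."""
    start = dump.find("<Session")
    if start < 0:
        raise ValueError("no <Session> element in dump")
    root = ET.fromstring(dump[start:].strip())
    props = {p.get("name"): p.get("value") for p in root.findall("Property")}
    return dict(root.attrib), props

def audit_session(dump, id_token_property=ID_TOKEN_PROPERTY):
    """Flag a session that holds an OAuth2 access token but no OIDC id_token."""
    attrs, props = parse_session(dump)
    has_access = "OAuthToken" in props
    has_id = id_token_property in props
    return {
        "sid": attrs.get("sid"),
        "user": props.get("UserId"),
        "anonymous": props.get("UserId") == "anonymous",
        "auth_type": props.get("AuthType"),
        "has_access_token": has_access,
        "has_id_token": has_id,
        "id_token_missing": has_access and not has_id,
    }

def scan_session_log(log_text):
    """Split a Session debug log on its notification prefix and audit each entry."""
    entries = re.split(r"SESSION NOTIFICATION\s*:\s*", log_text)
    return [audit_session(e) for e in entries if "<Session" in e]
```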

            People

            Assignee: Jake Feasel
            Reporter: Jake Feasel
            QA Assignee: Richard Hruza