OpenAM / OPENAM-10584

Supported claims and scopes in OAuth2|OpenID provider are not hot swappable


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.0, 14.0.0
    • Fix Version/s: None
    • Component/s: oauth2, OpenID Connect

      Description

      If you modify the Supported scopes or Supported claims of the OAuth2|OpenID provider, the change is not picked up until OpenAM is restarted.

      How to reproduce

      • Create an OAuth2|openid provider
      • Create an OAuth2 client
      • Do an OAuth2 request:

          curl -X POST \
            -H "Accept: application/x-www-form-urlencoded" \
            -H "Content-Type: application/x-www-form-urlencoded" \
            -H "Cache-Control: no-cache" \
            -d 'client_id=myClientID&client_secret=password&grant_type=password&username=demo&password=changeit&scope=profile openid&claims={"userinfo":{"given_name":{"essential":true}%2C"name":null%2C"email":{"essential":true}}%2C"id_token":{"azp":{"essential":true}}}' \
            "http://openam.example.com:14080/openam/oauth2/access_token"
      

      azp is not in the supported claims by default, so the request fails (that is the correct behaviour).

      • Then add azp to the supported claims
      • Try the request again.

      Expected result

      You don't get the error "Requested claims must be allowed by the client's configuration".

      Actual result

          {
            "error_description": "Requested claims must be allowed by the client's configuration",
            "error": "invalid_request"
          }
      

      Code investigation

      RealmOAuth2ProviderSettings does not implement a configuration listener but does implement a cache, in particular for these two attributes:

          private Set<String> supportedScopesWithoutTranslations;
          private Set<String> supportedClaimsWithoutTranslations;
      

      I'm also seeing a third, more generic one:

          private final Map<String, Set<String>> attributeCache = new HashMap<String, Set<String>>();
      

      So I suspect scopes and claims are not the only ones affected.
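      A small model of the defect described above, as an added example that is not OpenAM code: the provider settings cache, the claims-parameter parser and the change listener are constructed here to show why a supported-claims set cached on first use keeps rejecting azp after the configuration is updated, and how invalidating the cache on a configuration change fixes it.

```python
import json
from typing import Dict, Optional, Set
# Error text quoted from the issue; everything else here is a constructed model, not OpenAM code.
CLAIMS_ERROR = "Requested claims must be allowed by the client's configuration"

class ProviderSettings:
    # Models a settings object that caches the 'Supported claims' attribute on first use.
    def __init__(self, config: Dict[str, Set[str]]):
        self._config = config                      # live configuration, edited by the admin
        self._cached_claims: Optional[Set[str]] = None

    def supported_claims(self) -> Set[str]:
        # Populated once and never refreshed: the stale-cache behaviour the issue describes.
        if self._cached_claims is None:
            self._cached_claims = set(self._config["supportedClaims"])
        return self._cached_claims

    def config_changed(self) -> None:
        # What a configuration-change listener should do: drop the cached view.
        self._cached_claims = None

def requested_claims(claims_param: str) -> Set[str]:
    """Collect claim names from the 'userinfo' and 'id_token' sections of an OIDC claims parameter."""
    parsed = json.loads(claims_param)
    names: Set[str] = set()
    for section in ("userinfo", "id_token"):
        names.update((parsed.get(section) or {}).keys())
    return names

def validate(settings: ProviderSettings, claims_param: str) -> Optional[dict]:
    """Return the error body from the issue if any requested claim is unsupported, else None."""
    if requested_claims(claims_param) - settings.supported_claims():
        return {"error": "invalid_request", "error_description": CLAIMS_ERROR}
    return None

# Constructed inputs: default supported claims lack 'azp'; the request mirrors the one in the issue.
DEFAULT_SUPPORTED = ("given_name", "name", "email")
CLAIMS = ('{"userinfo": {"given_name": {"essential": true}, "name": null, "email": {"essential": true}},'
          ' "id_token": {"azp": {"essential": true}}}')

def reproduce(with_listener: bool):
    """Run the issue's steps; returns (error before adding azp, error after adding azp)."""
    config = {"supportedClaims": set(DEFAULT_SUPPORTED)}
    settings = ProviderSettings(config)
    before = validate(settings, CLAIMS)            # azp unsupported: error, as expected
    config["supportedClaims"].add("azp")           # admin adds azp to Supported claims
    if with_listener:
        settings.config_changed()                  # the missing piece: invalidate on change
    return before, validate(settings, CLAIMS)
```

      Without the listener the second request still returns the error from the issue; with it, the updated configuration takes effect immediately.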

            People

            • Assignee: Unassigned
            • Reporter: Quentin CASTEL (quentin.castel)