OpenAM / OPENAM-10585

The "claims" Request Parameter from the openid standard isn't functional

    Details

      Description
      OpenAM is currently not responding as described in the standard. Tests with claims in the request parameter simply don't work at all. It either returns a 500 or ignores the claims sent with the request.

      How to reproduce

      Just try to do the example from the standard; in our functional test language, it would be:

      describe("Using claims request parameter", () -> {
          beforeEach(() -> {
              // Mock HTTP server that receives the redirect carrying the authorization code
              ClientAndServer mockServer = MockHttpServer.create();
              mockServerUrl = "http://localhost:" + mockServer.getPort();
              redirectUrl = mockServerUrl + "/redirect";

              // Fresh realm, a resource owner with an email address, and a confidential client
              realm = Realm.create();
              resourceOwner = User.builder().email("toto@toto.com").realm(realm).create(server);
              OAuth2Client.Builder clientBuilder = OAuth2Client.builder()
                      .realm(realm)
                      .tokenEndpointAuthMethod(CLIENT_SECRET_POST)
                      .scopes("openid")
                      .redirectionUris(redirectUrl);

              client = clientBuilder.create();
              // Provider configured to advertise support for the claims request parameter
              OAuth2ProviderService.builder()
                      .realm(realm)
                      .supportedClaims(true)
                      .create();
          });

          when("asking for extra id token claims", () -> {
              // only() focuses the run on this single test
              only().it("responds with the claims in the id token", () -> {
                  // claims={"id_token":{"auth_time":{"essential":true},"toto":{"value":"bibi"}}}
                  ClaimsRequest claims = new ClaimsRequest()
                          .addIdTokenClaims(new IndividualClaim("auth_time", IS_ESSENTIAL_TRUE))
                          .addIdTokenClaims(new IndividualClaim("toto", new ValueClaimMember("bibi")));

                  FlowRequest request = flowRequest(client).redirectUri(redirectUrl).resourceOwner(resourceOwner)
                          .scopes("openid").claims(claims).create();
                  AccessTokenResponse accessTokenResponse = flows.useAuthorizationCodeGrantForAccessToken(request);
                  JWSObject jwsObject = JWSObject.parse(accessTokenResponse.openIdToken.get());
                  assertThat(jwsObject.getPayload().toJSONObject()).containsKeys("auth_time");
                  assertThat(jwsObject.getPayload().toJSONObject()).containsKeys("toto");
              });
          });

          when("asking for extra user info claims", () -> {
              it("responds with the claims in it", () -> {
                  // claims={"userinfo":{"email":{"essential":true}}}
                  ClaimsRequest claims = new ClaimsRequest()
                          .addUserInfoClaims(new IndividualClaim("email", IS_ESSENTIAL_TRUE));

                  FlowRequest request = flowRequest(client).redirectUri(redirectUrl).resourceOwner(resourceOwner)
                          .scopes("openid").claims(claims).create();
                  AccessTokenResponse accessTokenResponse = flows.usePasswordGrantForAccessToken(request);
                  UserInfoResponse userInfoResponse = flows.useInfo(null, client, realm,
                          accessTokenResponse.accessToken);
                  assertTrue("User info claims '" + userInfoResponse.getClaims() + "' doesn't contain email",
                          userInfoResponse.getClaims().containsKey("email"));
                  AssertJUnit.assertEquals(userInfoResponse.getClaims().get("email"), resourceOwner.emails);
              });
          });
      });
      

      Expected result

      You should get the email claim in the id token and/or the user info endpoint response.

      Actual

      No extra claims.

      Other kinds of output were also noticed if you play a little bit with it:

      {
      "error_description": "Error running OIDC claims script: java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.NullPointerException: Cannot invoke method call() on null object",
      "state": "af0ifjsldkj",
      "error": "not_found"
      }
      

      Resulting from trying to do a userinfo request with the azp claim.
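For reference, the shape of the claims request parameter that the test above exercises, as an added example that is not part of the OpenAM project or of the reporter's test suite. It builds the claims JSON as specified in OpenID Connect Core 1.0 section 5.5 (per-claim members essential, value and values), URL-encodes it into an authorization request, and performs the check that a relying party can do on the returned ID token or UserInfo payload: the provider must not raise an error for a claim it cannot return, so the client has to verify that its essential claims actually arrived. The endpoint URL, client id, the custom toto/bibi claim and the token payloads are constructed for illustration only.

```python
"""Added example: build and check an OpenID Connect 'claims' request parameter
(OpenID Connect Core 1.0, section 5.5). Not part of OpenAM or of the issue's tests.
All URLs, identifiers and payloads below are constructed for illustration."""
import json
from urllib.parse import urlencode, parse_qs, urlsplit

# Members a claim request object may carry (section 5.5.1)
ALLOWED_MEMBERS = {"essential", "value", "values"}


def build_claims_request(id_token=None, userinfo=None):
    """Return the JSON object sent as the 'claims' parameter.

    Each argument maps a claim name to None (voluntary claim, no constraints)
    or to a dict with any of 'essential', 'value', 'values'."""
    doc = {}
    for key, claims in (("id_token", id_token), ("userinfo", userinfo)):
        if not claims:
            continue
        out = {}
        for name, spec in claims.items():
            if spec is not None:
                bad = set(spec) - ALLOWED_MEMBERS
                if bad:
                    raise ValueError(f"unknown claim request members: {sorted(bad)}")
            out[name] = spec
        doc[key] = out
    return doc


def authorization_url(authorize_endpoint, client_id, redirect_uri, claims, state, nonce=None):
    """Authorization code request with the claims object JSON-encoded into the query."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    if nonce:
        params["nonce"] = nonce
    return authorize_endpoint + "?" + urlencode(params)


def check_claims(requested, payload):
    """Client-side check of a decoded ID token or UserInfo payload against one
    top-level request object ('id_token' or 'userinfo'). Returns a list of
    problems; empty means every requested claim was satisfied.

    Only claims marked essential are required; a voluntary claim may be absent,
    but when present it must match a requested 'value' / 'values' constraint."""
    problems = []
    for name, spec in requested.items():
        spec = spec or {}
        if name not in payload:
            if spec.get("essential"):
                problems.append(f"essential claim '{name}' missing")
            continue
        got = payload[name]
        if "value" in spec and got != spec["value"]:
            problems.append(f"claim '{name}' is {got!r}, requested {spec['value']!r}")
        if "values" in spec and got not in spec["values"]:
            problems.append(f"claim '{name}' is {got!r}, not in {spec['values']!r}")
    return problems


# The same request the functional test above makes, constructed here for illustration
EXAMPLE_CLAIMS = build_claims_request(
    id_token={"auth_time": {"essential": True}, "toto": {"value": "bibi"}},
    userinfo={"email": {"essential": True}},
)


def demo():
    """Build the request and check two constructed ID token payloads against it."""
    # Hypothetical endpoint and client id; the state value is the one from the spec example
    url = authorization_url("https://openam.example.com/oauth2/authorize", "my-client",
                            "http://localhost:8080/redirect", EXAMPLE_CLAIMS, "af0ifjsldkj")
    good_payload = {"sub": "toto", "auth_time": 1700000000, "toto": "bibi"}
    # What the issue describes: the provider ignores the request and adds nothing
    ignored_payload = {"sub": "toto"}
    return {
        "url": url,
        "good": check_claims(EXAMPLE_CLAIMS["id_token"], good_payload),
        "ignored": check_claims(EXAMPLE_CLAIMS["id_token"], ignored_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check deliberately reports only the missing essential claim when the provider adds nothing: toto carries a value constraint but is voluntary, so its absence is allowed by the spec, while the missing auth_time is what a relying party should treat as a failed request.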

              People

              Assignee: Phill Cunnington (phillcunnington)
              Reporter: Quentin CASTEL (quentin.castel)