OPENAM-11286

During OIDC flow the presence of advice results in a redirect loop


Description

When policy evaluation returns advice to agents, agents 5.0.0 redirect the user back to the OIDC authorize endpoint so that the session can be upgraded appropriately with regard to the passed advice; the advice is passed as URL-encoded XML in an ACR value.

When the OIDC code validates the resource owner's session, it checks whether the session needs an upgrade, partly by inspecting the presence of the ACR value (https://stash.forgerock.org/projects/OPENAM/repos/openam/browse/openam-oauth2/src/main/java/org/forgerock/oauth2/core/ResourceOwnerSessionValidator.java#276). If the ACR value contains a COMPOSITE value, it always returns true, i.e. that the session needs upgrading (https://stash.forgerock.org/projects/OPENAM/repos/openam/browse/openam-core/src/main/java/org/forgerock/openam/authentication/SessionUpgradeVerifier.java?at=14.0.0#50).

As a result, the user is sent to the login pages. However, because the ACR values have to be maintained in the gotoUrl (so that they are included in the issued ID token JWT for validation by the client), after the user enters their credentials and is sent back to the authorize endpoint, the validation again sees the ACR advice value and sends the user back to the login screen. The user is now in a redirect loop.
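The cycle described above, modelled as an added example that is not OpenAM's code: the advice XML format, the "auth level" advice, the URL and the session-aware check are all constructed or assumed for illustration, and the session-aware variant is only a hypothetical contrast, not the project's fix.

```python
# Added example, not OpenAM code: a toy model of the authorize -> login -> authorize
# cycle from OPENAM-11286. The advice XML format and the "auth level" advice are
# constructed for illustration; the page does not show OpenAM's real advice format.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

ADVICE_XML = ('<Advices><AttributeValuePair><Attribute name="AuthLevelConditionAdvice"/>'
              '<Value>2</Value></AttributeValuePair></Advices>')
# The agent sends the advice URL-encoded as an ACR value; it is kept in gotoUrl across login.
GOTO_URL = "/oauth2/authorize?client_id=agent&acr_values=" + quote(ADVICE_XML, safe="")

def advised_auth_level(url):
    """Return the auth level advised in the URL's acr_values, or None if it carries no advice."""
    acr = parse_qs(urlsplit(url).query).get("acr_values", [""])[0]  # parse_qs percent-decodes
    if not acr.startswith("<Advices"):
        return None
    root = ET.fromstring(acr)
    for pair in root.findall("AttributeValuePair"):
        if pair.find("Attribute").get("name") == "AuthLevelConditionAdvice":
            return int(pair.find("Value").text)
    return None

def needs_upgrade_buggy(session_auth_level, url):
    # Behaviour the issue describes: any composite advice in the ACR value means
    # "needs upgrade", without looking at what the current session already satisfies.
    return advised_auth_level(url) is not None

def needs_upgrade_session_aware(session_auth_level, url):
    # Assumed contrast for illustration only (not the project's patch): upgrade only
    # while the session's level is still below the advised level.
    level = advised_auth_level(url)
    return level is not None and session_auth_level < level

def run_authorize_flow(needs_upgrade, session_auth_level=1, max_redirects=5):
    """Simulate the cycle. Returns the number of login round-trips before an auth code
    would be issued, or None when the redirect cap is hit (the loop from the issue)."""
    redirects = 0
    while needs_upgrade(session_auth_level, GOTO_URL):
        redirects += 1
        if redirects > max_redirects:
            return None
        # User logs in; the session is upgraded to the advised level and the browser is
        # sent back to gotoUrl, which still carries the same acr_values.
        session_auth_level = max(session_auth_level, advised_auth_level(GOTO_URL))
    return redirects

if __name__ == "__main__":
    print("buggy verifier:", run_authorize_flow(needs_upgrade_buggy))         # None (loop)
    print("session-aware:", run_authorize_flow(needs_upgrade_session_aware))  # 1
```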

People

James Phillpotts (jamesphillpotts)
Andrew Forrest (apforrest)