OpenAM: OPENAM-11340

Password grant flow is failing after fix of OPENAM-10782

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 13.5.2, 14.1.1, 14.5.0
• Fix Version/s: 13.5.2, 14.1.1, 14.5.0
• Component/s: oauth2
• Labels:
• Environment: CentOS 7; java version "1.8.0_131"; Apache Tomcat Version 7.0.78; OpenAM 14.1.1-M3
• Sprint: AM Sustaining Sprint 40
• Story Points: 3
• Needs backport: Yes
• Verified Version/s:
• Needs QA verification: No
• Functional tests: Yes
• Are the reproduction steps defined?: Yes, and I used the same as in the description

Description

Regression from the endSession problem described in OPENAM-10782, affecting the password grant flow only.

Configuration:

1. Top-level Realm > Configure OAuth Provider > Configure OpenID Connect
2. Top-level Realm > Applications > OAuth 2.0 > New Agent
   - myClientID/password
   - add redirection URIs
   - add scopes: openid, profile
   - set the signing algorithm to HS256
3. Top-level Realm > Services > OAuth2 Provider > Core: enable "Issue Refresh Tokens"

Steps to reproduce:

1. Login:

curl --request POST --user "MyClientID:password" --data 'grant_type=password&username=demo&password=changeit&scope=openid%20profile' "http://openam.example.com:8080/openam/oauth2/access_token" | python -m json.tool

2. Refresh the id_token (replace ??? with the access_token from the last result):

curl --request POST --user "MyClientID:password" --data 'grant_type=refresh_token&refresh_token=???&scope=openid%20profile' "http://openam.example.com:8080/openam/oauth2/access_token" | python -m json.tool

3. Logout (again, replace ??? with the token_id from the last result):

curl "http://openam.example.com:8080/openam/oauth2/connect/endSession?id_token_hint=???"

I see an "Unable to get SsoTokenManager" error on standard output and "The request could not be understood by the server due to malformed syntax" in the log.
Expected behavior: the end session call should return success (in the case of the password grant flow, no session is actually created).

tail -1 access.audit.json
{"realm":"/","timestamp":"2017-06-28T13:24:35.597Z","transactionId":"28afa38f-f069-4443-b867-de6f5ae1ddd9-356","eventName":"AM-ACCESS-OUTCOME","component":"OAuth","userId":"demo","response":{"status":"FAILED","statusCode":"400","elapsedTime":70,"elapsedTimeUnits":"MILLISECONDS","detail":{"reason":"The request could not be understood by the server due to malformed syntax"}},"client":{"ip":"10.0.2.2","port":52000},"server":{"ip":"10.0.2.15","port":8080},"http":{"request":{"secure":false,"method":"GET","path":"http://openam.example.com:8080/openam/oauth2/connect/endSession","queryParameters":{},"headers":{"accept":["*/*"],"host":["openam.example.com:8080"],"user-agent":["curl/7.47.0"]},"cookies":{}}},"trackingIds":["28afa38f-f069-4443-b867-de6f5ae1ddd9-307"],"_id":"28afa38f-f069-4443-b867-de6f5ae1ddd9-358"}
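An added example, not part of this issue or of OpenAM: a small Python scanner that reads access.audit.json lines like the one above and reports FAILED outcomes on the OIDC endSession endpoint, so the 400 "malformed syntax" regression can be spotted in audit logs rather than only on the client side. The sample lines are constructed here; the failing record is modelled on the one quoted in the report with its headers trimmed.

```python
import json

# Constructed sample of access.audit.json lines: a made-up successful token
# request, one unparseable line, and a failure modelled on this issue's record.
SAMPLE_AUDIT_LINES = [
    '{"realm":"/","timestamp":"2017-06-28T13:24:30.100Z","transactionId":"constructed-1",'
    '"eventName":"AM-ACCESS-OUTCOME","component":"OAuth","userId":"demo",'
    '"response":{"status":"SUCCESSFUL","statusCode":"200"},"client":{"ip":"10.0.2.2","port":51990},'
    '"http":{"request":{"method":"POST","path":"http://openam.example.com:8080/openam/oauth2/access_token"}}}',
    'not a json record',
    '{"realm":"/","timestamp":"2017-06-28T13:24:35.597Z","transactionId":"28afa38f-f069-4443-b867-de6f5ae1ddd9-356",'
    '"eventName":"AM-ACCESS-OUTCOME","component":"OAuth","userId":"demo",'
    '"response":{"status":"FAILED","statusCode":"400","elapsedTime":70,"elapsedTimeUnits":"MILLISECONDS",'
    '"detail":{"reason":"The request could not be understood by the server due to malformed syntax"}},'
    '"client":{"ip":"10.0.2.2","port":52000},'
    '"http":{"request":{"method":"GET","path":"http://openam.example.com:8080/openam/oauth2/connect/endSession"}}}',
]

# Path suffix of the OIDC RP-initiated logout endpoint as it appears in the audit record.
ENDSESSION_PATH_SUFFIX = "/oauth2/connect/endSession"


def failed_endsession_events(lines):
    """Yield one dict per AM-ACCESS-OUTCOME record that targeted the endSession
    endpoint and ended FAILED. Non-JSON or non-object lines are skipped."""
    for raw in lines:
        try:
            rec = json.loads(raw)
        except ValueError:
            continue
        if not isinstance(rec, dict) or rec.get("eventName") != "AM-ACCESS-OUTCOME":
            continue
        path = rec.get("http", {}).get("request", {}).get("path", "")
        response = rec.get("response", {})
        if not path.endswith(ENDSESSION_PATH_SUFFIX) or response.get("status") != "FAILED":
            continue
        yield {
            "timestamp": rec.get("timestamp"),
            "transactionId": rec.get("transactionId"),
            "userId": rec.get("userId"),
            "clientIp": rec.get("client", {}).get("ip"),
            "statusCode": response.get("statusCode"),
            "reason": response.get("detail", {}).get("reason"),
        }


if __name__ == "__main__":
    for event in failed_endsession_events(SAMPLE_AUDIT_LINES):
        print(event)
```

Against a real file, feed it `open("access.audit.json")` instead of the constructed list; the transactionId in each hit can then be correlated with the server log entry carrying the "Unable to get SsoTokenManager" error.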

People

• Assignee: quentin.castel Quentin CASTEL (Inactive)
• Reporter: lubomir.mlich Ľubomír Mlích
