OpenAM / OPENAM-11630

id_token values are space trimmed

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.1, 13.5.2
    • Fix Version/s: 13.5.2
    • Component/s: OpenID Connect
    • Labels:
    • Sprint:
      AM Sustaining Sprint 42
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      In 13.5.1 (but not in 13.5.0 or 14.1.1), it seems that when an id_token is generated, all the values in the claims are devoid of spaces. This is a serious issue, as all the claims now give wrong values. For example, a user name like "John Doe" will become "JohnDoe".

      How to reproduce the issue

      1. Install an OIDC client
      2. Set up a subject with a space in it, like "demo lastname"
      3. Access this OIDC client and get its id_token
      4. Check the claims and make sure they match the tokeninfo

      Example: using the password grant, get the id_token and decode it to see if the claims are correct

      $ curl -s -X POST -u myOIDCClient:password -H 'Content-type: application/x-www-form-urlencoded' 'http://openam.example.com:8080/openam/oauth2/access_token?grant_type=password&username=demo&password=changeit&scope=profile%20openid&realm=&response_type=id_token'
      
      Expected behaviour
      Claims should be the same as tokeninfo, and not devoid of spaces
      {
        "sub": "demo",
        "name": "demo fullname",
        "given_name": "demo firstname",
        "family_name": "demo lastname"
      }
      
      Current behaviour
      In the id_token, the claims are without spaces. This is part of the id_token:
      
      {"given_name":"demofirstname",
      "name":"demofullname","realm":"/","exp":1503906971,"tokenType":"JWTToken","iat":1503903371,"family_name":"demolastname"
      

      Work around

      None. Need a fix.

      Code analysis

      Regression due to COMMONS-144, where

      https://stash.forgerock.org/projects/COMMONS/repos/forgerock-commons/browse/json-web-token/src/main/java/org/forgerock/json/jose/jwt/JWObject.java?at=refs%2Ftags%2F20.3.1

          @Override
          public String toString() {
              return jsonValue.toString().replaceAll("\\s+", "");
          }
      
      

      This is in 13.5.1 and does not affect master (14.x)
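
An added example (not part of the original report or of OpenAM's code): a Python check for reproduction step 4 that decodes an id_token payload and flags claims that match the reference value only after whitespace removal. The tokens, the `REFERENCE` claims and all function names are constructed for illustration; the regex strip mirrors the `replaceAll("\\s+", "")` call quoted above, and no signature is verified.

```python
import base64
import json
import re

def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as compact JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_payload(token: str) -> dict:
    """Decode the claims segment of a compact JWT (signature is NOT verified)."""
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def make_token(payload_json: str) -> str:
    """Constructed sample token; the signature segment is a placeholder."""
    header = b64url(b'{"alg":"HS256"}')
    return f"{header}.{b64url(payload_json.encode())}.sig"

def whitespace_damaged(id_claims: dict, reference: dict) -> list:
    """Names of claims whose id_token value is the reference value minus whitespace."""
    damaged = []
    for name, expected in reference.items():
        actual = id_claims.get(name)
        if (isinstance(expected, str) and actual != expected
                and actual == re.sub(r"\s+", "", expected)):
            damaged.append(name)
    return sorted(damaged)

# Constructed reference claims, using the tokeninfo values from the report.
REFERENCE = {"sub": "demo", "name": "demo fullname",
             "given_name": "demo firstname", "family_name": "demo lastname"}

# Regex strip over the serialized JSON: also removes spaces inside string values.
stripped_json = re.sub(r"\s+", "", json.dumps(REFERENCE, indent=2))
# Compact serialization: drops only the whitespace between JSON tokens.
compact_json = json.dumps(REFERENCE, separators=(",", ":"))

BROKEN_TOKEN = make_token(stripped_json)
GOOD_TOKEN = make_token(compact_json)

if __name__ == "__main__":
    print(whitespace_damaged(decode_jwt_payload(BROKEN_TOKEN), REFERENCE))
    print(whitespace_damaged(decode_jwt_payload(GOOD_TOKEN), REFERENCE))
```

In a real check, `REFERENCE` would come from the tokeninfo response and the token from the `curl` call in the reproduction steps.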

              People

              • Assignee:
                markdr Mark de Reeper
              • Reporter:
                chee-weng.chea C-Weng C
              • Votes:
                0
              • Watchers:
                4
