OPENAM-11818 (OpenAM)

OAuth2 authn module incorrectly POSTs state parameter to token endpoint


    Details

    • AM Sustaining Sprint 43
    • 3
    • No
    • No
    • No
    • Yes and I used the same an in the description

Description

Bug description

When using the OAuth2/OIDC login module against a third-party AS, OpenAM posts the state parameter when exchanging the code for the access token. This leads to 400 Bad Request responses from "strict" AS implementations (e.g. FranceConnect).

How to reproduce the issue

1. Create an OAuth2 login module.
2. Configure the module against a strict AS.
3. Authenticate to OpenAM using this module.
4. Authentication fails; the logs mention the 400 "invalid request".

Code analysis

If you comment out this line in OAuthConfig.java, then this works again:

    org.forgerock.openam.authentication.modules.oauth2.OAuthConfig.java
    //                postParameters.put("state", csrfState);
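The protocol point behind the fix: `state` is the CSRF binding for the authorization request and the redirect back to the client (RFC 6749 sections 4.1.1 and 4.1.2); the token request in section 4.1.3 carries only `grant_type`, `code`, `redirect_uri` and `client_id`, so a server that validates its token endpoint strictly is entitled to answer 400 `invalid_request` when `state` turns up there. The following is an added example, not OpenAM code, written in Python rather than Java so it can be run stand-alone. `strict_token_endpoint` is a hypothetical model of such a server, and all client ids, URLs and the returned token are constructed values; the `forward_state=True` path reproduces the reported behaviour and the default path shows the corrected request.

```python
"""Where the OAuth2 `state` parameter belongs in the authorization-code flow.

Added example, not OpenAM code. Models the exchange in the issue: `state`
is sent in the authorization request and checked on the redirect back, and
is NOT part of the token request. A strict AS may reject a token request
that carries it with 400 invalid_request.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Parameters RFC 6749 section 4.1.3 defines for the authorization-code grant.
TOKEN_ENDPOINT_PARAMS = {"grant_type", "code", "redirect_uri", "client_id"}


def new_csrf_state() -> str:
    """Unguessable value that binds the callback to the session that started it."""
    return secrets.token_urlsafe(32)


def build_authorization_url(authz_endpoint, client_id, redirect_uri, scope, state):
    """Section 4.1.1: `state` goes here and must be echoed back on the redirect."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authz_endpoint}?{urlencode(query)}"


def validate_callback(callback_url, expected_state):
    """Section 4.1.2: verify `state` on the redirect, then keep only the code."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [None])[0]
    if returned_state != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    return params["code"][0]


def build_token_request(code, client_id, redirect_uri, csrf_state=None, forward_state=False):
    """Section 4.1.3 POST body. forward_state=True reproduces the reported bug."""
    post = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    if forward_state:
        # Equivalent of the offending postParameters.put("state", csrfState).
        post["state"] = csrf_state
    return post


def strict_token_endpoint(post):
    """Hypothetical strict AS: any parameter outside section 4.1.3 is rejected."""
    unknown = set(post) - TOKEN_ENDPOINT_PARAMS
    if unknown:
        return 400, {
            "error": "invalid_request",
            "error_description": f"unexpected parameter(s): {sorted(unknown)}",
        }
    if post.get("grant_type") != "authorization_code" or not post.get("code"):
        return 400, {"error": "invalid_request"}
    # Constructed success response; a real AS would mint a token here.
    return 200, {"access_token": "constructed-access-token", "token_type": "Bearer"}


def demo():
    """Run the flow once with the buggy request and once with the fixed one."""
    state = new_csrf_state()
    client_id, redirect_uri = "example-client", "https://rp.example/callback"
    build_authorization_url("https://as.example/authorize", client_id, redirect_uri, "openid", state)
    # Constructed redirect from the AS back to the client.
    code = validate_callback(f"{redirect_uri}?code=constructed-code&state={state}", state)
    buggy = build_token_request(code, client_id, redirect_uri, state, forward_state=True)
    fixed = build_token_request(code, client_id, redirect_uri)
    return strict_token_endpoint(buggy)[0], strict_token_endpoint(fixed)[0]


if __name__ == "__main__":
    print(demo())  # (400, 200)
```

The model only flags the parameter the issue is about, but the same check applies to anything else a client might leak into the token request: the fix is to build that request from the section 4.1.3 parameter set alone and to consume `state` entirely on the callback side.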

            People

            adam.heath Adam Heath
            bertrand.carlier@solucom.fr bertrand carlier [X] (Inactive)
