OpenAM / OPENAM-11818

OAuth2 authn module incorrectly POSTs state parameter to token endpoint

    Details

    • Sprint:
      AM Sustaining Sprint 43
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When using the OAuth2/OIDC login module against a third-party AS, OpenAM posts the state parameter when exchanging the authorization code for the access token. This leads to 400 Bad Request responses from "strict" AS implementations (e.g. FranceConnect).

      How to reproduce the issue

      1. Create an OAuth2 login module.
      2. Configure the module against a strict AS.
      3. Authenticate to OpenAM using this module.
      4. Authentication fails; the logs mention the 400 "invalid_request" response.

      Code analysis

      If you comment out this line in OAuthConfig.java, the code exchange works again:

      org.forgerock.openam.authentication.modules.oauth2.OAuthConfig.java
      //                postParameters.put("state", csrfState);
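      The following is an added example (not OpenAM code, and not part of the original issue) that models the exchange described above: the RP checks state once, on the callback, and then builds the token request from only the parameters RFC 6749 defines for the authorization_code grant. The strict token endpoint is a hypothetical model of the AS behaviour the issue reports, and all client ids, secrets and URLs are constructed values.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Parameters RFC 6749 section 4.1.3 defines for the authorization_code token
# request. "state" belongs to the authorization request and its callback.
TOKEN_REQUEST_PARAMS = {"grant_type", "code", "redirect_uri",
                        "client_id", "client_secret"}


def validate_callback(callback_query: str, stored_state: str) -> str:
    """Consume state on the redirect back to the RP: it must equal the value
    stored in the login session. Returns the authorization code."""
    q = parse_qs(callback_query)
    if q.get("state", [None])[0] != stored_state:
        raise ValueError("state mismatch: callback rejected")
    return q["code"][0]


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str, state: Optional[str] = None) -> str:
    """Form-encoded token request. A non-None state reproduces the defective
    behaviour from the issue; the corrected client passes None."""
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": redirect_uri, "client_id": client_id,
              "client_secret": client_secret}
    if state is not None:
        params["state"] = state  # the extra parameter a strict AS rejects
    return urlencode(params)


def strict_token_endpoint(body: str) -> tuple:
    """Hypothetical strict AS (assumed model of the behaviour the issue
    reports): any parameter outside the grant definition is invalid_request."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    unknown = sorted(set(params) - TOKEN_REQUEST_PARAMS)
    if unknown or params.get("grant_type") != "authorization_code":
        return 400, {"error": "invalid_request", "unknown_parameters": unknown}
    return 200, {"access_token": "constructed-token", "token_type": "Bearer"}


def exchange_code(callback_query: str, stored_state: str, leak_state: bool):
    """RP-side flow: check state on the callback, then POST the code.
    leak_state=True models the OpenAM bug, False the corrected request."""
    code = validate_callback(callback_query, stored_state)
    body = build_token_request(code, "openam-client", "constructed-secret",
                               "https://rp.example/callback",
                               stored_state if leak_state else None)
    return strict_token_endpoint(body)
```

Running exchange_code with leak_state=True yields the 400 invalid_request the issue describes; with leak_state=False the same code is accepted.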

      People

      • Assignee:
        adam.heath Adam Heath
      • Reporter:
        bertrand.carlier@solucom.fr bertrand carlier
