OpenAM / OPENAM-11997

Document changed behavior when JWK URI is not resolvable (and HSxxx is used)

    Details

    • Target Version/s:
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
Yes, and I used the same as in the description

      Description

      Bug description

When using HMAC for signing JWT tokens, previously (in version 5.1.1) it did not matter whether or not the JWK URI was resolvable. However, in 5.5 this behaviour is different: when the URI is not resolvable and an access token is requested, a 500 internal server error is encountered and the following payload is returned:

      {
        "error_description": "server_error",
        "error": "server_error"
      }

      This worked in 5.1.1.

      Suggest updating documentation to make the change in behaviour clear.

      How to reproduce the issue

      1. Configure an OAuth2/OIDC provider and client (using profile and openid as scopes)
      2. Configure the JWK URI in the client to a non-resolvable address
      3. Authenticate/authorize and request an access token

      Expected behaviour

      Access token (+ refresh token) and ID token returned.

      Current behaviour

      The following is returned:

      {
        "error_description": "server_error",
        "error": "server_error"
      }
      
      The OAuth2Provider log has (note am5.example.com is not resolvable):
      ERROR: Failed to update JwkStore for jwks URI http://am5.example.com:8080/am/oauth2/customers/connect/jwk_uri
      org.forgerock.json.jose.exceptions.FailedToLoadJWKException: Unable to load the JWK location over HTTP
      at org.forgerock.json.jose.jwk.JWKSetParser.gatherHttpContents(JWKSetParser.java:84)
      at org.forgerock.json.jose.jwk.JWKSetParser.jwkSet(JWKSetParser.java:96)
      at org.forgerock.json.jose.jwk.store.JwksStore.reloadJwks(JwksStore.java:85)

      Workaround

      Ensure JWK URL is resolvable even if using HSXXX signing algorithm.

      Alternatively, setting the JWK URL blank seems to work.
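Why the HS* case should not depend on the JWK URI at all, as an added illustration (not OpenAM's code): a minimal HMAC JWT signer/verifier whose key lookup only consults the JWKS document for asymmetric algorithms. The `load_jwks` function is a constructed stand-in for the HTTP fetch that treats the unresolvable host from this report as a failure and makes no network calls; `resolve_key`, `sign_hs` and `verify_hs` are hypothetical names.

```python
import base64, hashlib, hmac, json

HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class JwksUnavailable(Exception):
    """Raised when the JWKS document cannot be fetched (the FailedToLoadJWKException case)."""

def load_jwks(jwks_uri: str) -> dict:
    # Constructed stand-in for the HTTP fetch: the host from the report is treated as
    # unresolvable; any other URI returns an empty key set. No network access happens.
    if "am5.example.com" in jwks_uri:
        raise JwksUnavailable(f"Unable to load the JWK location over HTTP: {jwks_uri}")
    return {"keys": []}

def resolve_key(header: dict, client_secret: bytes, jwks_uri: str):
    """Key material for the token's alg: the shared client secret for HS*, otherwise the
    JWK whose kid matches. Only the asymmetric path touches the JWKS URI."""
    alg = header.get("alg", "")
    if alg in HS_DIGESTS:
        return client_secret  # symmetric: JWKS URI is irrelevant, resolvable or not
    for jwk in load_jwks(jwks_uri).get("keys", []):  # raises JwksUnavailable on fetch failure
        if jwk.get("kid") == header.get("kid"):
            return jwk
    raise KeyError(f"no JWK with kid={header.get('kid')!r} for alg {alg!r}")

def sign_hs(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    head = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), HS_DIGESTS[alg]).digest()
    return f"{head}.{body}.{_b64url(mac)}"

def verify_hs(token: str, client_secret: bytes, jwks_uri: str) -> dict:
    """Verify an HS* token; algs other than HS* go through the JWKS path in resolve_key."""
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    key = resolve_key(header, client_secret, jwks_uri)
    if not isinstance(key, bytes):
        raise ValueError("asymmetric verification is out of scope for this example")
    mac = hmac.new(key, f"{head}.{body}".encode(), HS_DIGESTS[header["alg"]]).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig)):
        raise ValueError("invalid HMAC signature")
    return json.loads(_b64url_decode(body))
```

Because `resolve_key` never accepts an unlisted `alg` (including `none`) on the symmetric path, an attacker-supplied header cannot redirect verification to the shared secret for a token that claims an asymmetric algorithm, and a failing JWKS endpoint only surfaces as an error where a public key is genuinely required.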

      People

      • Assignee:
        cristina.herraz Cristina Herraz
      • Reporter:
        bradley.tarisznyas Brad Tarisznyas