Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-12075

OIDC without a datastore returns "User must be authenticated to issue ID tokens"


    • Target Version/s:
    • Needs backport:
    • Support Ticket IDs:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description


      Bug description

      It's not possible to get an OIDC token without a valid datastore.
      In some cases the user profile data may, for example, come from a web service accessed in a claims script, but it seems it's not possible to work without also modifying the default scope validator class.

      How to reproduce the issue

      1. Configure an LDAP authentication module and use in default login chain in the root realm
      2. Delete (or disable by giving invalid credentials) the realm's datastore
      3. Set the realm's user profile setting to 'ignore'
      4. Configure OIDC service and client
      5. curl -X POST --user client:cangetin -H 'Cache-Control: no-cache' -d 'grant_type=password&username=demo&password=changeit&scope=openid' -v http://scope.fr.local:8080/openam/oauth2/access_token
      Expected behaviour
      Get an id_token
      Current behaviour
      {"error_description":"User must be authenticated to issue ID tokens.","error":"server_error"}

      Work around

      Avoid use of the identityManager class in a custom scope validator. Don't use a claims script that expects the 'identity' variable.

      Code analysis

      AM 5.1.1 appears to hit this earlier since OPENAM-10585 means userinfo is called from StatefulTokenStore.createOpenIDToken()

              UserInfoClaims claims;
              try {
                  claims = providerSettings.getUserInfo(clientRegistration, request.getToken(AccessToken.class), request);
              } catch (UnauthorizedClientException | InvalidRequestException e) {
                  throw failureFactory.getException(request, e.getMessage());

      The default getUserInfo uses the identityManager class that expects a valid datastore.

      With 5.0.0 it's possible to get an id_token, though an explicit call to the userinfo endpoint will return.

      {"error_description":"Not able to get resource owner from OpenAM","error":"unauthorized_client"}


          Issue Links



              • Assignee:
                david.luna@forgerock.com David Luna
                andrew.dunn Andrew Dunn [X] (Inactive)
              • Votes:
                0 Vote for this issue
                7 Start watching this issue


                • Created: