- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 14.5.0, 14.5.1, 6.0.0
- Component/s: OpenID Connect
Bug description
Attempting to use the OIDC prompt=login parameter during an OAuth 2.0 device flow fails: the user is not able to complete the flow. Not sure when this bug was introduced, but it affects at least 5.5 and 6.
How to reproduce the issue
- Set up AM for OpenID Connect and create a client with the "openid" scope
- Open a browser and log in to the correct realm
- Begin a device flow requesting scope=openid and prompt=login:
curl -X POST -d 'client_id=test&scope=openid&response_type=code&prompt=login' https://openam.example.com:8443/openam/oauth2/realms/root/realms/edge/device/code
- Navigate to the verification_uri and enter the user code
Expected behaviour
User should be prompted to authenticate again and then approve the request.
Current behaviour
The user is always prompted to log in again, even if they already have a session and prompt=login is not specified. If prompt=login is specified, the user is prompted to log in twice and then the flow fails with "invalid_request Invalid Request, duplicate request parameter found : user_code". At that point the URL contains a duplicate user_code parameter:
device/user?user_code=4m45mQGz&user_code=4m45mQGz
Workaround
Don't use prompt=login, since forced re-authentication is the only behaviour anyway.
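To make the reproduction concrete, the following added example (not AM's code, and not part of the original report) builds the device authorization request body from the curl command above, with prompt=login optional as the workaround suggests, and checks a verification URL for repeated query parameters the way an authorization server must under RFC 6749 section 3.1, which is the check that rejects the duplicated user_code URL shown under "Current behaviour". The endpoint, client_id and user code are the report's own values; everything else is constructed.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit

# Values taken from the report; the host is the report's example host.
DEVICE_CODE_ENDPOINT = (
    "https://openam.example.com:8443/openam/oauth2/realms/root/realms/edge/device/code"
)


def device_code_request(client_id, scope="openid", prompt=None):
    """Build the form body of the device authorization request.

    prompt is only sent when explicitly requested, which is the workaround
    the report recommends (omit prompt=login).
    """
    params = {"client_id": client_id, "scope": scope, "response_type": "code"}
    if prompt:
        params["prompt"] = prompt
    return urlencode(params)


def duplicate_params(url):
    """Return the names of query parameters that appear more than once.

    RFC 6749 section 3.1 forbids including a request parameter more than
    once, so an authorization server must reject such a request.
    """
    query = urlsplit(url).query
    counts = Counter(name for name, _ in parse_qsl(query, keep_blank_values=True))
    return sorted(name for name, n in counts.items() if n > 1)


def check_verification_url(url):
    """Classify a verification URL as the authorization server would.

    Returns (error, description); error is "ok" when the URL is acceptable.
    """
    dups = duplicate_params(url)
    if dups:
        return "invalid_request", "duplicate request parameter found : " + ", ".join(dups)
    return "ok", ""


if __name__ == "__main__":
    print(device_code_request("test", prompt="login"))
    # Constructed verification URL mirroring the report's failing request.
    bad = DEVICE_CODE_ENDPOINT.replace("/device/code", "/device/user") \
        + "?user_code=4m45mQGz&user_code=4m45mQGz"
    print(check_verification_url(bad))
```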