
OIDC token generated with datastore module takes case from request rather than from the datastore

    Details

    • Target Version/s:
    • Sprint:
      AM Sustaining Sprint 46, AM Sustaining Sprint 47
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      No (add reasons in the comment)

      Description

      Bug description

      When using the datastore module, authentication is case-insensitive, as per the LDAP schema. For instance, the user can authenticate as "USER.1" even though the entry in the datastore is stored as "user.1". When requesting a token via OIDC, however, the case used in the authentication request is what populates the sub claim. The OIDC specification states that the sub claim is case-sensitive (http://openid.net/specs/openid-connect-core-1_0.html#IDToken).

      How to reproduce the issue

      1. Setup the OIDC provider and client
      2. Using implicit flow, request an OIDC token:

      curl -X POST \
        https://am.identity-dynamics.com:443/am/oauth2/realms/root/realms/customers/access_token \
        -H 'authorization: Basic bXlDbGllbnQ6cGFzc3dvcmQ=' \
        -H 'cache-control: no-cache' \
        -H 'content-type: application/x-www-form-urlencoded' \
        -d 'grant_type=password&username=USER.1&password=password&scope=openid%20profile'


      3. Decode the id_token (jwt.io):

      {
        "at_hash": "8rGNqfLug1mUZ2KashPjZA",
        "sub": "USER.1",
        "auditTrackingId": "64782682-bb84-46f1-be30-b40b8a7e61dd-915",
        "iss": "https://am.identity-dynamics.com:443/am/oauth2/customers",
        "tokenName": "id_token",
        "given_name": "Aaren",
        "aud": "myClient",
        "updated_at": "20171111055015Z",
        "azp": "myClient",
        "auth_time": 1507137309,
        "name": "Aaren Atp",
        "realm": "/customers",
        "exp": 1507142101,
        "tokenType": "JWTToken",
        "family_name": "Atp",
        "iat": 1507138501,
        "forgerock": {
          "sig": "&!2070!ndQDF$I{0g<HL?Vta0@&.msd$ee$BcvT7"
        }
      }

      Expected behaviour

      The sub claim is populated from the datastore, not from the incoming authentication request.

      Current behaviour

      The sub claim is populated from the incoming request, so it carries whatever case was used in that request.

      The issue occurs regardless of the flow used: authorization code and implicit flows were both tested with the same result.
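To make the mismatch concrete, here is an added illustration (not OpenAM code) contrasting the reported behaviour with the expected one, plus the check a relying party can run on a decoded id_token. It assumes a constructed in-memory directory standing in for the LDAP datastore and an unsigned, constructed JWT for inspection only; signature verification is deliberately out of scope here.

```python
import base64
import json

# Constructed sample directory standing in for the LDAP datastore.
# uid uses caseIgnoreMatch in LDAP, so "USER.1" authenticates as "user.1".
DIRECTORY = {"user.1": {"given_name": "Aaren", "family_name": "Atp"}}


def canonical_uid(directory, username):
    """Case-insensitive lookup, as the datastore module does; returns the uid exactly as stored."""
    for uid in directory:
        if uid.lower() == username.lower():
            return uid
    return None


def sub_from_request(directory, username):
    """Reported behaviour: sub copies whatever case the request used (unstable across logins)."""
    return username if canonical_uid(directory, username) is not None else None


def sub_from_datastore(directory, username):
    """Expected behaviour: sub is the stored identifier, so it is stable for the same user."""
    return canonical_uid(directory, username)


def decode_jwt_payload(token):
    """Decode the payload segment of a compact JWT without verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def sub_is_canonical(token, directory):
    """Relying-party check: True only if sub matches a stored uid byte for byte."""
    sub = decode_jwt_payload(token)["sub"]
    return sub in directory  # case-sensitive membership, as OIDC requires for sub


def make_unsigned_token(payload):
    """Build a constructed alg=none JWT for the demonstration; not a real AM token."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."
```

Run with the page's request (`username=USER.1`): the request-derived sub is "USER.1" and fails the check, while the datastore-derived sub is "user.1" and passes.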

      Workaround

      Use the LDAP authentication module rather than the datastore module, which is recommended best practice anyway.


              People

              • Assignee:
                quentin.castel Quentin CASTEL [X] (Inactive)
                Reporter:
                bradley.tarisznyas Brad Tarisznyas
              • Votes:
                0
                Watchers:
                6
