
Google social auth fails when authorization code is double encoded

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.1
    • Fix Version/s: 13.5.2
    • Component/s: authentication, oauth2
    • Labels:
    • Sprint:
      AM Sustaining Sprint 46
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      Google social auth fails when authorization code is double encoded.

      Not 100% reliable to replicate; sometimes the authentication is successful, and the code then looks like:

      amAuth:12/01/2017 04:59:10:214 AM UTC: Thread[http-nio-127.0.0.1-8080-exec-18,5,main]
      OAuth.process(): code parameter: 4/uWISXNSlaVVfhZSDV3TgD_9vNIASTH_lTH19E9YztWI
      amAuth:12/01/2017 04:59:10:215 AM UTC: Thread[http-nio-127.0.0.1-8080-exec-18,5,main]
      OAuth.getContentStreamByPOST: POST parameters = {code=4%2FuWISXNSlaVVf...

      On failure:

      amAuth:12/01/2017 04:50:11:959 AM UTC: Thread[http-nio-127.0.0.1-8080-exec-11,5,main]
      OAuth.process(): code parameter: 4%2FGIdTLmNs2eCfGwpMRvlHAEfkxG3TjShqmM7SYsv8GP8
      amAuth:12/01/2017 04:50:11:959 AM UTC: Thread[http-nio-127.0.0.1-8080-exec-11,5,main]
      OAuth.getContentStreamByPOST: POST parameters = {code=4%252FGIdTLm...

      How to reproduce the issue

      1. Configure google social auth using dashboard wizard and google client (blog with quick instructions https://openiam.wordpress.com/2016/08/05/openam-13-and-social-login-google/)
      2. Try to log in using the newly created Google button
      3. Give good google credentials
      4. Authentication Failed!

      Since this is unreliable, I found that clearing the browser cache or trying to authenticate in a totally different browser for the first time tended to show the issue more often. 

      Code analysis

      I stuck a break point around line 263 in OAuth.java. On the cases that fail, the 'code' is already encoded in the json value retrieved from the request, and then it is encoded again later on, causing the failure.

      org.forgerock.openam.authentication.modules.oauth2$OAuth.java
      // jsonContent is the JSON posted back by the browser after the Google redirect
      final JsonValue jval = JsonValueBuilder.toJsonValue(request.getParameter("jsonContent"));
      csrfState = jval.get("state").asString();
      // in the failing cases this value is still percent-encoded (e.g. 4%2F...) and is encoded once more before the token request
      code = jval.get(PARAM_CODE).asString();
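      As an added illustration (not code from the OpenAM project or from this ticket), the Python snippet below models the token-exchange hop described above: it shows how a code that arrives already percent-encoded is escaped a second time when the POST body is built, what the token endpoint then recovers after its single decode, and one defensive normalisation (a hypothetical check, not the fix shipped in 13.5.2) that decodes a still-escaped code exactly once before the outbound encoding. The client id and redirect URI are placeholders; the two code values are the ones in the log excerpts above.

```python
import re
from urllib.parse import parse_qs, unquote, urlencode

# The two code values from the amAuth log excerpts above: the first arrived
# decoded (success case), the second arrived already percent-encoded (failure case).
CODE_SUCCESS_CASE = "4/uWISXNSlaVVfhZSDV3TgD_9vNIASTH_lTH19E9YztWI"
CODE_FAILURE_CASE = "4%2FGIdTLmNs2eCfGwpMRvlHAEfkxG3TjShqmM7SYsv8GP8"

# Placeholder client settings (assumptions); a real deployment substitutes its own.
CLIENT_ID = "client-id-placeholder"
REDIRECT_URI = "https://openam.example/openam/oauth2c/OAuthProxy.jsp"

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def build_token_request_body(code: str) -> str:
    """Build the application/x-www-form-urlencoded body for the token request.

    urlencode() percent-encodes every value exactly once, which is what the
    'POST parameters = {code=4%2F...}' log line reflects. A value that is
    already escaped on entry is therefore escaped a second time (4%252F...).
    """
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
    })


def code_seen_by_token_endpoint(body: str) -> str:
    """The code value the token endpoint recovers after its single URL-decode."""
    return parse_qs(body, strict_parsing=True)["code"][0]


def normalize_code(raw: str) -> str:
    """Hypothetical defensive step (an assumption, not the fix shipped in 13.5.2).

    If the code pulled out of the request still carries percent-escapes,
    decode it once so the outbound encoding yields a singly-encoded value.
    Only one pass is made on purpose: Google's codes never contain a literal
    '%', so one stray escape layer is the most that can legitimately be present.
    """
    return unquote(raw) if PCT_ESCAPE.search(raw) else raw


def exchange_code(raw: str, normalize: bool = False) -> str:
    """Model the full hop: inbound code -> POST body -> value at the token endpoint."""
    code = normalize_code(raw) if normalize else raw
    return code_seen_by_token_endpoint(build_token_request_body(code))


if __name__ == "__main__":
    for label, raw in (("success case", CODE_SUCCESS_CASE), ("failure case", CODE_FAILURE_CASE)):
        print(f"{label}: inbound={raw}")
        print(f"  body      : {build_token_request_body(raw)}")
        print(f"  endpoint  : {exchange_code(raw)}")
        print(f"  normalized: {exchange_code(raw, normalize=True)}")
```

      Running it shows the success case reaching the endpoint unchanged, the failure case arriving as 4%2FGIdT... (still one escape layer deep, so it cannot match the code Google issued), and the normalised failure case arriving as 4/GIdT.... The same model is a cheap regression check for any redirect-based login: compare the code logged at OAuth.process() with what the POST body actually carries.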

      People

      • Assignee: jonthomas Jonathan Thomas
      • Reporter: joe.starling Joe Starling
      • Votes: 0
      • Watchers: 3