OpenAM issue OPENAM-12209

'acr' and 'acr_sig' parameters can become duplicated during step-up authn, should not be present in url


    Details

    • Priceless Badger - 2018.8, Xenodochial Wilson - 2018.8
    • 5
    • Yes

      Description

      Bug description

      The new 'acr' and 'acr_sig' parameters introduced as a result of OPENAM-11286 are appearing as query parameters in the oauth2/authorize request.

      How to reproduce the issue

      1. Configure OAuth2 Provider service + client
      2. Configure 2 x acr_values maps in the service.
        loa-1.0 to a generic LDAP chain.
        loa-1.1 to a chain containing custom auth module for registering users.
      3. Begin authz code flow (oauth2/authorize?acr_values=loa-1.0...etc), and receive redirect to the login page
      4. Choose a custom 'register account' button which redirects to 'oauth2/authorize?acr_values=loa-1.1...'
      5. Now in the resulting URL we have: 'acr_values=loa-1.1&acr=loa-1.1&acr_sig=nWocP7bnOyyzE0gxrl...&acr=loa-1.1&acr_sig=HmlUR8J2doSArW13...'
      6. This causes an error:

      Invalid Request, duplicate request parameter found : acr

      Expected behaviour

      No acr or acr_sig values in the URL at all.

      Current behaviour

      Two copies each of acr and acr_sig in the URL, which the authorize endpoint then rejects as duplicate parameters.

      Workaround

      Potentially remove the problem parameters with some custom code
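The following is an added example of what such custom code could look like; it is not OpenAM code and not part of this issue. It parses an authorize URL, reports any duplicated query parameters (the condition behind the "duplicate request parameter found" error above), and rebuilds the redirect URL with the internal acr and acr_sig parameters removed so that only the client-supplied acr_values survives. The hostname, client_id, redirect_uri and signature values in the sample URL are constructed placeholders, and the list of parameters treated as internal is an assumption based on this issue.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption for this example: these are the parameters OpenAM appends
# internally during step-up and that a client-initiated authorize request
# should never carry. They are stripped before re-issuing the redirect.
INTERNAL_PARAMS = frozenset({"acr", "acr_sig"})

# Constructed sample URL mirroring step 5 of the reproduction. Hostname,
# client_id, redirect_uri and the two acr_sig values are placeholders.
DUPLICATED_URL = (
    "https://openam.example.com/openam/oauth2/authorize"
    "?response_type=code&client_id=exampleClient"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&scope=openid"
    "&acr_values=loa-1.1"
    "&acr=loa-1.1&acr_sig=SIGNATURE_PLACEHOLDER_1"
    "&acr=loa-1.1&acr_sig=SIGNATURE_PLACEHOLDER_2"
)


def query_params(url):
    """Return the query string of url as an ordered list of (name, value) pairs."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def find_duplicate_params(url):
    """Return the sorted names of query parameters that occur more than once."""
    counts = Counter(name for name, _ in query_params(url))
    return sorted(name for name, n in counts.items() if n > 1)


def authorize_request_error(url):
    """Mimic the server-side check: the first duplicated parameter is an error.

    Returns the error message (in the form quoted in the issue) or None when
    the request has no duplicated parameters.
    """
    dups = find_duplicate_params(url)
    if dups:
        return "Invalid Request, duplicate request parameter found : " + dups[0]
    return None


def strip_internal_params(url, internal=INTERNAL_PARAMS):
    """Rebuild url without the internal parameters, keeping all others in order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in query_params(url) if k not in internal]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    print("before:", authorize_request_error(DUPLICATED_URL))
    cleaned = strip_internal_params(DUPLICATED_URL)
    print("after: ", authorize_request_error(cleaned))
    print(cleaned)
```

Stripping happens on the redirect the custom module builds, before the browser is sent back to oauth2/authorize; acr_values is left untouched because it is the client's legitimate request for a step-up level, whereas acr and acr_sig are the server's own signed record of the level already reached.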


              People

              richard.ward Richard Ward
              joe.starling Joe Starling
