
parameters are sent as part of query string for OAuth response_mode=form_post

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.1
    • Fix Version/s: 13.5.3, 14.1.2
    • Component/s: oauth2
    • Sprint:
      AM Sustaining Sprint 47
    • Story Points:
      1
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      We tested OAuth2 Authorization grant flow using Form Post Response Mode - https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseMode

      As per the specification, the action attribute of the auto-submit form should contain only the client's redirection URI. But we are seeing all the parameters, like scope, client_id, response_type, realm, redirect_uri, code, etc.
      How to reproduce the issue


      1. Set up an OAuth2 client
      2. Test the Authorization grant flow by passing response_mode=form_post

      Expected behaviour

      In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format. The action attribute of the form MUST be the Client's Redirection URI. The method of the form attribute MUST be POST.

      Current behaviour

      All the response parameters are included in the query string as well as in the form values.
      Code analysis

      I think the logic below in the org.forgerock.oauth2.restlet.OAuth2Representation#toRepresentation method is causing this issue. The same redirectReference parameter is passed as the form's action.
      // Imports for the Restlet types used by the excerpt below. AuthorizationToken and the helpers
      // toForm, isFormPostRequest, requestFactory and getTemplateFactory are defined elsewhere in
      // org.forgerock.oauth2.restlet.OAuth2Representation and are not shown here.
      import java.util.HashMap;
      import java.util.Iterator;
      import java.util.Map;
      import org.restlet.Context;
      import org.restlet.Request;
      import org.restlet.Response;
      import org.restlet.data.Form;
      import org.restlet.data.Parameter;
      import org.restlet.data.Reference;
      import org.restlet.ext.freemarker.TemplateRepresentation;
      import org.restlet.representation.Representation;
      import org.restlet.routing.Redirector;

      /**
       * Converts the authorization token into a representation to send back to the user agent.
       *
       * @param context The Restlet context.
       * @param request The Restlet request.
       * @param response The Restlet response.
       * @param authorizationToken The authorization token.
       * @param redirectUri The redirect uri.
       * @return The representation to send to the user agent.
       */
      Representation toRepresentation(Context context, Request request, Response response,
              AuthorizationToken authorizationToken, String redirectUri) {

          final Form tokenForm = toForm(authorizationToken);

          final Reference redirectReference = new Reference(redirectUri);

          // The response parameters are always attached to redirectReference, either as the
          // fragment or as query parameters, before the response mode is considered.
          if (authorizationToken.isFragment()) {
              redirectReference.setFragment(tokenForm.getQueryString());
          } else {
              final Iterator<Parameter> iter = tokenForm.iterator();
              while (iter.hasNext()) {
                  redirectReference.addQueryParameter(iter.next());
              }
          }

          // For form_post the parameter-laden reference is then handed over as the form action,
          // so the same values appear in the query string as well as in the form body.
          if (isFormPostRequest(requestFactory.create(request))) {
              return getFormPostRepresentation(context, authorizationToken, redirectReference.toString());
          }

          final Redirector dispatcher = new Redirector(context, redirectReference.toString(),
                  Redirector.MODE_CLIENT_FOUND);
          dispatcher.handle(request, response);

          return response == null ? null : response.getEntity();
      }

      private Representation getFormPostRepresentation(Context context, AuthorizationToken authorizationToken,
              String redirectUri) {
          Map<String, Object> dataModel = new HashMap<>();
          // "redirectUri" becomes the form's action attribute in the template; "formValues" become hidden inputs.
          dataModel.put("redirectUri", redirectUri);
          dataModel.put("formValues", authorizationToken.getToken());

          final String reference = "templates/FormPostResponse.ftl";
          final TemplateRepresentation result = getTemplateFactory(context).getTemplateRepresentation(reference);
          if (result != null) {
              result.setDataModel(dataModel);
          }
          return result;
      }
      
      • Does not happen on 5.5.1 (fixed) *
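      As an added, stand-alone illustration (not OpenAM's code), the Java below reproduces the reported action-URI construction next to the spec-conformant rendering, and includes a check a regression test can apply to the rendered form's action; the client redirect URI and the parameter values are constructed.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration of the reported defect and the behaviour the spec expects; not OpenAM code. */
public class FormPostActionExample {
    /** Mirrors the reported behaviour: every response parameter is also appended to the action URI. */
    static String buggyActionUri(String redirectUri, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(redirectUri);
        char sep = redirectUri.contains("?") ? '&' : '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep).append(enc(e.getKey())).append('=').append(enc(e.getValue()));
            sep = '&';
        }
        return sb.toString();
    }
    /** Spec-conformant rendering: the action is the bare redirection URI, parameters only as hidden inputs. */
    static String renderFormPost(String redirectUri, Map<String, String> params) {
        StringBuilder html = new StringBuilder("<form method=\"post\" action=\"")
                .append(esc(redirectUri)).append("\">\n");
        for (Map.Entry<String, String> e : params.entrySet()) {
            html.append("  <input type=\"hidden\" name=\"").append(esc(e.getKey()))
                .append("\" value=\"").append(esc(e.getValue())).append("\"/>\n");
        }
        return html.append("</form>").toString();
    }
    /** Regression check: the form action must equal the registered redirect URI, with no query or fragment. */
    static boolean actionIsBareRedirectUri(String actionUri, String registeredRedirectUri) {
        URI u = URI.create(actionUri);
        return u.getRawQuery() == null && u.getRawFragment() == null
                && actionUri.equals(registeredRedirectUri);
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    private static String esc(String s) {  // minimal HTML attribute escaping
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;").replace(">", "&gt;");
    }
    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("code", "CONSTRUCTED_AUTH_CODE");  // constructed sample values, not real tokens
        params.put("state", "xyz");
        String redirectUri = "https://client.example.test/cb";  // constructed client redirect URI
        String buggy = buggyActionUri(redirectUri, params);
        System.out.println(buggy + " bare? " + actionIsBareRedirectUri(buggy, redirectUri));
        System.out.println(renderFormPost(redirectUri, params));
    }
}
```

      The check fails for the reported output (the action carries a query string) and passes once the action is the bare redirection URI, which is the condition the specification text quoted above requires.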

      People

      • Assignee: chee-weng.chea C-Weng C
      • Reporter: Karthik.Nagarajan@thomsonreuters.com karthik nagarajan
      • Votes: 0
      • Watchers: 6

      Time Tracking

      • Original Estimate: 16h
      • Remaining Estimate: 16h
      • Time Spent: Not Specified