OpenAM / OPENAM-12412

Multi-valued LDAP attributes are not added to the OIDC id_token as expected

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 6.0.0, 5.5.2
    • Component/s: OpenID Connect
    • Labels:
    • Sprint:
      AM Sustaining Sprint 48, AM Sustaining Sprint 49
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      Multi-valued LDAP attributes are not added to the OIDC id_token as expected.  Only the first value for the attribute is added and the others are discarded.

      How to reproduce the issue

      Simplest scenario:

      1). Install AM 5.5.1

      2). Edit an existing user with an LDAP browser and add the businessCategory attribute to the user.  This is of type OID 1.2.840.113556.1.2.102.3 which is the Directory String syntax type.  Add multiple values to this attribute for testing purposes.

      3). Edit the default 'OIDC Claims Script' and add businessCategory to this:

      claimAttributes = [
              "email": userProfileClaimResolver.curry("mail"),
              ...
              "businessCategory": userProfileClaimResolver.curry("businessCategory"),
      ]

      ...and in the scopeClaimsMap here:

      "profile": [ "given_name", "zoneinfo", "family_name", "locale", "name", "businessCategory" ]

      4). Create an OIDC OAuth2 client in AM named 'test'

      5). Logout and send the following type of request via the browser for verification:

      http://openam.example.com:8080/AM551/oauth2/authorize?client_id=test&redirect_uri=http%3A%2F%2Fwww.example.com&response_type=code&scope=openid%20profile

      6). Note the following on the subsequent consent page, all is as expected here:

      Given name: test
      Family name: test
      Full name: test
      businessCategory: [test, test2, test3]

      7). Generate an id_token:

      curl -v --request POST --data "response_type=token%20id_token&scope=profile%20openid%20profile&client_id=test&save_consent=1&decision=Allow&nonce=1234&redirect_uri=http://www.example.com&csrf=VzB6-A5F...9AAJTMQAA*" --cookie "iPlanetDirectoryPro=VzB6-A5F...9AAJTMQAA*" http://openam.example.com:8080/AM551/oauth2/realms/root/authorize

      8). Check the resulting JWT and note the single initial value for businessCategory:

      {
        "at_hash": "pk72qEZl9iK0lglldAyONg",
        "sub": "test",
        "auditTrackingId": "9190bd23-b982-4aa9-8987-444edc410ce3-125960",
        "iss": "http://openam.example.com:8080/AM551/oauth2",
        "tokenName": "id_token",
        "given_name": "test",
        "nonce": "1234",
        "aud": "test",
        "azp": "test",
        "auth_time": 1517840128,
        "name": "test",
        "businessCategory": "test",
        "realm": "/",
        "exp": 1517845401,
        "tokenType": "JWTToken",
        "family_name": "test",
        "iat": 1517841801
      }


      Expected behaviour
      Multiple values for the attribute should be returned

      Current behaviour
      Single value is returned - "businessCategory": "test",

    People

    • Assignee: Sachiko Wallace (sachiko)
    • Reporter: Andy Itter (andy.itter)
    • Votes: 0
    • Watchers: 5
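Added example, not from this report or from the OpenAM code base: a Python check a tester could run on an issued id_token to tell the truncated single-string claim described above from the expected array, together with a small model of the resolver behaviour the report expects (one value as a string, several as a list). The token construction, the unsigned "alg: none" header and the sample payloads are constructed for illustration only.

```python
import base64
import json

# Constructed sample claims mirroring the shape of the JWT in the report (not real tokens).
BUGGY_PAYLOAD = {"sub": "test", "aud": "test", "businessCategory": "test"}
FIXED_PAYLOAD = {"sub": "test", "aud": "test", "businessCategory": ["test", "test2", "test3"]}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload):
    # Constructed, unsigned token for inspection only; the signature segment is left empty.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def decode_payload(id_token):
    # Reads the claims WITHOUT checking the signature: use only to inspect claim shape,
    # never to decide whether the token can be trusted.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three JWT segments")
    return json.loads(b64url_decode(parts[1]))


def check_multivalued_claim(payload, claim, expected_values):
    # Verdict for a claim that should carry every value of a multi-valued LDAP attribute.
    value = payload.get(claim)
    if value is None:
        return "missing"
    if isinstance(value, str):
        # The defect from the report: only the first value survived as a bare string.
        return "truncated" if len(expected_values) > 1 else "ok"
    if isinstance(value, list) and set(value) == set(expected_values):
        return "ok"
    return "mismatch"


def resolve_claim(profile, attribute):
    # Model of the expected resolver behaviour: profile maps attribute name -> set of values.
    values = sorted(profile.get(attribute, ()))
    if not values:
        return None
    return values[0] if len(values) == 1 else values
```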