- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1
- Component/s: OpenID Connect
Bug description
OIDC provider configuration does not seem to be spec compliant: https://openid.net/specs/openid-connect-discovery-1_0.html
Especially sections 4.1, 4.2 and 4.3:
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
The implementation seems to be not fully compliant with these.
How to reproduce the issue
- configure AM 5.1.1
- create sub-realm 'sub1'
- create fqdnMapping for sub-realm 'sub1'
- configure OIDC provider for sub-realm 'sub1'
- request OIDC provider configuration for sub-realm 'sub1'
Expected behaviour
Provider Configuration response should match section 4.3 of the spec
Current behaviour
curl http://sub1-am511.test.xyz:8080/am/oauth2/.well-known/openid-configuration
...
{
  "request_parameter_supported": true,
  "claims_parameter_supported": false,
  "introspection_endpoint": "http://sub1-am511.test.xyz:8080/am/oauth2/realms/root/realms/sub1/introspect",
  "check_session_iframe": "http://sub1-am511.test.xyz:8080/am/oauth2/realms/root/realms/sub1/connect/checkSession",
  "scopes_supported": [ "address", "phone", "openid", "profile", "email" ],
  "issuer": "http://sub1-am511.test.xyz:8080/am/oauth2/sub1",
  ...
}
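The check the reporter expects from section 4.3 can be performed on the relying-party side before the configuration document is trusted. The following is an added example, not code from this report or from OpenAM: it derives the issuer the RP actually used from the discovery URL (section 4.1), compares it with the published "issuer" value (section 4.3), verifies the metadata that section 3 marks REQUIRED together with the https/no-query-or-fragment rules for the issuer, and, as a local heuristic the spec does not mandate, lists endpoint fields whose URL does not sit under the issuer. The sub1 sample is constructed from the abridged response quoted above (the fields behind the "..." are not available, so missing-metadata findings on it are expected); the compliant document and the op.example.com host are assumptions for comparison.

```python
"""Client-side checks on an OpenID Provider configuration document
(OpenID Connect Discovery 1.0, sections 3, 4.1 and 4.3).

Added example; not the reporter's or OpenAM's code."""
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata that section 3 of the Discovery spec marks REQUIRED.
REQUIRED_METADATA = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def expected_issuer(discovery_url):
    """Section 4.1 builds the discovery URL as issuer + WELL_KNOWN, so the
    issuer the RP used is whatever precedes that suffix."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not a provider configuration URL: %s" % discovery_url)
    return discovery_url[: -len(WELL_KNOWN)]


def validate_provider_config(discovery_url, config, require_https=True):
    """Return a list of problems; an empty list means the document passes.
    require_https=False only relaxes the scheme rule of section 3 for lab
    setups such as the http:// deployment in this report."""
    problems = ["missing required metadata: %s" % key
                for key in REQUIRED_METADATA if key not in config]
    issuer = config.get("issuer")
    if not isinstance(issuer, str):
        return problems
    parts = urlsplit(issuer)
    if require_https and parts.scheme != "https":
        problems.append("issuer must use the https scheme: %s" % issuer)
    if parts.query or parts.fragment:
        problems.append("issuer must not have query or fragment components: %s" % issuer)
    # Section 4.3: the issuer value MUST be identical to the issuer URL that
    # was used to retrieve the configuration.
    want = expected_issuer(discovery_url)
    if issuer != want:
        problems.append("issuer %s does not match the discovery location %s" % (issuer, want))
    return problems


def endpoints_outside_issuer(config):
    """Heuristic, not a spec rule: names of endpoint/URI fields whose value
    does not live under the issuer URL. Providers may legitimately host
    endpoints elsewhere, but for a single AM deployment a mismatch points at
    the realm-path/FQDN-mapping inconsistency visible in this report."""
    prefix = config["issuer"].rstrip("/") + "/"
    return [key for key, value in config.items()
            if key != "issuer" and isinstance(value, str)
            and key.endswith(("_endpoint", "_uri", "_iframe"))
            and not value.startswith(prefix)]


# Constructed sample: the discovery URL used in this report and the abridged
# response quoted above. Fields behind the "..." are not available here, so
# the missing-metadata findings on this sample are expected.
DISCOVERY_URL = "http://sub1-am511.test.xyz:8080/am/oauth2" + WELL_KNOWN
SAMPLE_CONFIG = {
    "request_parameter_supported": True,
    "claims_parameter_supported": False,
    "introspection_endpoint": "http://sub1-am511.test.xyz:8080/am/oauth2/realms/root/realms/sub1/introspect",
    "check_session_iframe": "http://sub1-am511.test.xyz:8080/am/oauth2/realms/root/realms/sub1/connect/checkSession",
    "scopes_supported": ["address", "phone", "openid", "profile", "email"],
    "issuer": "http://sub1-am511.test.xyz:8080/am/oauth2/sub1",
}

# Constructed, assumed-compliant document for comparison; op.example.com and
# the endpoint paths are placeholders, not taken from the report.
COMPLIANT_URL = "https://op.example.com/am/oauth2" + WELL_KNOWN
COMPLIANT_CONFIG = {
    "issuer": "https://op.example.com/am/oauth2",
    "authorization_endpoint": "https://op.example.com/am/oauth2/authorize",
    "token_endpoint": "https://op.example.com/am/oauth2/access_token",
    "jwks_uri": "https://op.example.com/am/oauth2/connect/jwk_uri",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    for problem in validate_provider_config(DISCOVERY_URL, SAMPLE_CONFIG, require_https=False):
        print("sub1:", problem)
    print("sub1 endpoints outside issuer:", endpoints_outside_issuer(SAMPLE_CONFIG))
    print("compliant:", validate_provider_config(COMPLIANT_URL, COMPLIANT_CONFIG))
```

Run against the sub1 sample, the section 4.3 comparison reports that the published issuer (.../am/oauth2/sub1) is not the URL the document was fetched from (.../am/oauth2), and the heuristic flags the introspection endpoint and the check-session iframe, which are published under /realms/root/realms/sub1/ rather than under the issuer. An RP that performs this comparison will refuse the sub-realm's configuration until the issuer value is fixed, which is the practical consequence of the non-compliance described above.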
- caused: OPENAM-13991 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm (Resolved)
- is related to: OPENAM-15502 JWT accepted audience does not allow for URLs made of the DNS alias and realm path (Open)