Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-12784

ProviderConfiguration is not spec compliant

    XMLWordPrintable

    Details

    • Sprint:
      AM Sustaining Sprint 51, AM Sustaining Sprint 52
    • Story Points:
      5
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      Yes

      Description

      Bug description

      _OIDC provider configuration does not seem to be spec compliant https://openid.net/specs/openid-connect-discovery-1_0.html
      Especially sections 4.1, 4.2, 4.3
      https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
      https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
      https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation

      seems to be not fully compliant.

      How to reproduce the issue

      1. configure AM 5.1.1
      2. create sub-realm 'sub1'
      3. create fqdnMappig for sub-realm 'sub1'
      4. configure OIDC provider for sub-realm 'sub1'
      5. request OIDC provider configuration for sub-realm 'sub1'
      Expected behaviour
      Provider Configuration response should match section 4.3 of the spec
      Current behaviour
      curl http://sub1-am511.test.xyz:8080/am/oauth2/.well-known/openid-configuration
...
{
  "request_parameter_supported": true,
  "claims_parameter_supported": false,
  "introspection_endpoint": "http://sub1-am511.test.xyz:8080/am/oauth2/realms/root/realms/sub1/introspect",
  "check_session_iframe": "http://sub1-am511.test.xyz:8080/am/oauth2/realms/root/realms/sub1/connect/checkSession",
  "scopes_supported": [
    "address",
    "phone",
    "openid",
    "profile",
    "email"
  ],
  "issuer": "http://sub1-am511.test.xyz:8080/am/oauth2/sub1",
...}

        Attachments

          Issue Links

          caused

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-13991 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-15502 JWT accepted audience does not allow for URLs made of the DNS alias and realm path

          • Major - Major loss of function.
          • Open

            Activity

              People

              Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              bthalmayr Bernhard Thalmayr
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: