Bug description
DNS alias results in audience validation failure for clients authenticating using JWT
How to reproduce the issue
- Deploy AM at http://openam551.example.com:8585/sso
- Create a sub-realm: /employees
- Specify realm aliases: sso
- Specify DNS aliases: sso.example.com
- Create the OAuth2 service
- Create an OAuth2 client with private_key_jwt as the authentication method
- Create a client JWT with aud URL: "http://sso.example.com:8585/sso/oauth2/access_token"
- Invoke the access token endpoint:
curl --request POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9zc28uZXhhbXBsZS5jb206ODU4NS9zc28vb2F1dGgyL2FjY2Vzc190b2tlbiIgXSwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAxNTIzNTUxMjMxIH0.dv90FbERBMX8wufkN631KrOb36i7fY5EBnRbqNtn-pv9EER-9KBVAzdA9BOm4OSqPh_IJl5TEXSUAhYLshLPBSf-tOqIrkT7ChB5F8_1hPOzL2Ov6KC5z13P1-mcbkeqcvXPxGgbGOHLkxVo3OdCD6fkiKavNpcn1BQOpKU22BFOFZZgv5DPsO_0I5t8qIQoClhzbkzKymY8uguhlW4i4z90_uqj23wrCZlJxYYuagQaPfbwI2Qtf2SzFZ9ti1ISIvz1kOfh185S2jo_gS3TDF3O7cLxvh_Dr-yfbGBCMqm1ZIHj2TUObpT8lQER245M1lflor6XkelZvhlbe2ZXEQ&grant_type=client_credentials&assertion=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9zc28uZXhhbXBsZS5jb206ODU4NS9zc28vb2F1dGgyL2FjY2Vzc190b2tlbiIgXSwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAxNTIzNTUxMjMxIH0.dv90FbERBMX8wufkN631KrOb36i7fY5EBnRbqNtn-pv9EER-9KBVAzdA9BOm4OSqPh_IJl5TEXSUAhYLshLPBSf-tOqIrkT7ChB5F8_1hPOzL2Ov6KC5z13P1-mcbkeqcvXPxGgbGOHLkxVo3OdCD6fkiKavNpcn1BQOpKU22BFOFZZgv5DPsO_0I5t8qIQoClhzbkzKymY8uguhlW4i4z90_uqj23wrCZlJxYYuagQaPfbwI2Qtf2SzFZ9ti1ISIvz1kOfh185S2jo_gS3TDF3O7cLxvh_Dr-yfbGBCMqm1ZIHj2TUObpT8lQER245M1lflor6XkelZvhlbe2ZXEQ&redirect_uri=http%3A%2F%2Fopenam551.example.com%3A8989%2Fsso&scope=mail%20openid' \
  'http://sso.example.com:8585/sso/oauth2/access_token'
Expected behaviour
An access token and an ID token should be issued.
Current behaviour
{"error_description":"Invalid JWT audience","error":"invalid_request"}
Workaround
Don't use a DNS alias; call the endpoint through the realm-qualified URL instead.
Code analysis
org.forgerock.openam.oauth2.jwt.$JwtClaimsValidationHandler.java#validateAudience()
getAcceptedAudiences() returns only these three options, all of which contain the realm:
0 = "http://sso.example.com:8585/sso/oauth2/employees"
1 = "http://sso.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token"
2 = "http://sso.example.com:8585/sso/oauth2/realms/root/realms/employees"
The realm-less endpoint the client reaches through the DNS alias, "http://sso.example.com:8585/sso/oauth2/access_token", is not in this list, so validateAudience() rejects the JWT even though the alias maps to the /employees realm.
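As an added example (not code from this report or from AM), the following Python decodes the claims of the client_assertion above and models the audience check: the realm-qualified list from the code analysis rejects the alias URL, while an assumed alias-aware list accepts it. accepted_audiences(), alias_aware_audiences() and the signature placeholder are assumptions; the signature is not verified.

```python
import base64
import json
from urllib.parse import urlparse

# Header and payload copied from the report's client_assertion; signature replaced by a
# placeholder because this example only reads claims and does not verify the signature.
CLIENT_ASSERTION = (
    "eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0."
    "eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9zc28uZXhhbXBsZS5jb206"
    "ODU4NS9zc28vb2F1dGgyL2FjY2Vzc190b2tlbiIgXSwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJl"
    "eHAiOiAxNTIzNTUxMjMxIH0."
    "SIGNATURE-OMITTED"
)

def decode_claims(jwt: str) -> dict:
    """Return the JWT payload as a dict; base64url without padding per RFC 7515."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def accepted_audiences(base_url: str, realm: str) -> list:
    """Hypothetical reconstruction of the three realm-qualified audiences listed
    under 'Code analysis'; not AM's own getAcceptedAudiences()."""
    return [
        f"{base_url}/oauth2/{realm}",
        f"{base_url}/oauth2/realms/root/realms/{realm}/access_token",
        f"{base_url}/oauth2/realms/root/realms/{realm}",
    ]

def alias_aware_audiences(base_url: str, realm: str, dns_aliases: set) -> list:
    """Assumed remedy: if the request host is a DNS alias mapped to the realm, the
    realm-less endpoint that alias resolves to is also an acceptable audience."""
    accepted = accepted_audiences(base_url, realm)
    if urlparse(base_url).hostname in dns_aliases:
        accepted.append(f"{base_url}/oauth2/access_token")
    return accepted

def validate_audience(claims: dict, accepted: list) -> bool:
    """Mirrors validateAudience(): at least one aud entry must be in the accepted
    list. A bare string aud is treated as a one-element list (RFC 7519 4.1.3)."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return any(a in accepted for a in aud)

if __name__ == "__main__":
    claims = decode_claims(CLIENT_ASSERTION)
    base = "http://sso.example.com:8585/sso"
    print(validate_audience(claims, accepted_audiences(base, "employees")))  # False
    print(validate_audience(claims, alias_aware_audiences(base, "employees", {"sso.example.com"})))  # True
```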
Issue links
- is related to OPENAM-12886 Allow configurable audience for clients authenticating using JWT
- Resolved