
DNS alias results in audience validation failure for clients authenticating using JWT

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 6.5.0, 6.0.1, 5.5.2
    • Component/s: None
    • Needs QA verification: No
    • Functional tests: Yes

      Description

      Bug description

      Configuring a DNS alias for a realm causes audience validation to fail for clients that authenticate to the OAuth2 access token endpoint with a JWT (private_key_jwt).

      How to reproduce the issue

      1. Deploy AM as http://openam551.example.com:8585/sso
      2. Create a sub-realm: /employees
      3. Specify realm aliases: sso
      4. Specify DNS aliases: sso.example.com
      5. Create the OAuth2 service
      6. Create an OAuth2 client with private_key_jwt as its authentication method
      7. Create a client JWT whose aud is the URL "http://sso.example.com:8585/sso/oauth2/access_token"
      8. Invoke the access token endpoint:

        curl --request POST \
          -H 'Content-Type: application/x-www-form-urlencoded' \
          -d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer' \
          -d 'client_assertion=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9zc28uZXhhbXBsZS5jb206ODU4NS9zc28vb2F1dGgyL2FjY2Vzc190b2tlbiIgXSwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAxNTIzNTUxMjMxIH0.dv90FbERBMX8wufkN631KrOb36i7fY5EBnRbqNtn-pv9EER-9KBVAzdA9BOm4OSqPh_IJl5TEXSUAhYLshLPBSf-tOqIrkT7ChB5F8_1hPOzL2Ov6KC5z13P1-mcbkeqcvXPxGgbGOHLkxVo3OdCD6fkiKavNpcn1BQOpKU22BFOFZZgv5DPsO_0I5t8qIQoClhzbkzKymY8uguhlW4i4z90_uqj23wrCZlJxYYuagQaPfbwI2Qtf2SzFZ9ti1ISIvz1kOfh185S2jo_gS3TDF3O7cLxvh_Dr-yfbGBCMqm1ZIHj2TUObpT8lQER245M1lflor6XkelZvhlbe2ZXEQ' \
          -d 'grant_type=client_credentials' \
          -d 'assertion=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9zc28uZXhhbXBsZS5jb206ODU4NS9zc28vb2F1dGgyL2FjY2Vzc190b2tlbiIgXSwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAxNTIzNTUxMjMxIH0.dv90FbERBMX8wufkN631KrOb36i7fY5EBnRbqNtn-pv9EER-9KBVAzdA9BOm4OSqPh_IJl5TEXSUAhYLshLPBSf-tOqIrkT7ChB5F8_1hPOzL2Ov6KC5z13P1-mcbkeqcvXPxGgbGOHLkxVo3OdCD6fkiKavNpcn1BQOpKU22BFOFZZgv5DPsO_0I5t8qIQoClhzbkzKymY8uguhlW4i4z90_uqj23wrCZlJxYYuagQaPfbwI2Qtf2SzFZ9ti1ISIvz1kOfh185S2jo_gS3TDF3O7cLxvh_Dr-yfbGBCMqm1ZIHj2TUObpT8lQER245M1lflor6XkelZvhlbe2ZXEQ' \
          -d 'redirect_uri=http%3A%2F%2Fopenam551.example.com%3A8989%2Fsso' \
          -d 'scope=mail%20openid' \
          'http://sso.example.com:8585/sso/oauth2/access_token'

      Expected behaviour

      An access token and an ID token should be issued.

      Current behaviour

      {"error_description":"Invalid JWT audience","error":"invalid_request"}


      Workaround

      Don't use a DNS alias.

      Code analysis

      org.forgerock.openam.oauth2.jwt.$JwtClaimsValidationHandler.java#validateAudience()
      getAcceptedAudiences() returns only these three options, all of which carry the realm in the path:

      0 = "http://sso.example.com:8585/sso/oauth2/employees"
      1 = "http://sso.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token"
      2 = "http://sso.example.com:8585/sso/oauth2/realms/root/realms/employees"

      The client's aud claim, "http://sso.example.com:8585/sso/oauth2/access_token", is the endpoint URL as reached through the DNS alias, where the realm is implied by the hostname rather than spelled out in the path, so it matches none of the three and the assertion is rejected with "Invalid JWT audience".
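The audience check and the effect of the alias, as an added Python example (not OpenAM's code): it decodes the payload of the client assertion from the curl command above, runs it against the three accepted audiences listed in the code analysis, and then against a hypothetical accepted list that also admits the alias-form endpoint URL when the request host is a DNS alias bound to the realm being served. The alias map, the REQUEST_URL and REALM constants and accepted_audiences() are assumptions for illustration, not how the fix versions implement it.

```python
import base64
import json
from urllib.parse import urlsplit

# Client assertion copied from the curl command in this report (header.payload.signature).
# Only the payload is decoded; signature verification is a separate step that must succeed
# before any claim in it is trusted.
CLIENT_ASSERTION = ("eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0."
    "eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9zc28uZXhhbXBsZS5jb206ODU4NS9zc28vb2F1dGgyL2FjY2Vzc190b2tlbiIgXSwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAxNTIzNTUxMjMxIH0."
    "dv90FbERBMX8wufkN631KrOb36i7fY5EBnRbqNtn-pv9EER-9KBVAzdA9BOm4OSqPh_IJl5TEXSUAhYLshLPBSf-tOqIrkT7ChB5F8_1hPOzL2Ov6KC5z13P1-mcbkeqcvXPxGgbGOHLkxVo3OdCD6fkiKavNpcn1BQOpKU22BFOFZZgv5DPsO_0I5t8qIQoClhzbkzKymY8uguhlW4i4z90_uqj23wrCZlJxYYuagQaPfbwI2Qtf2SzFZ9ti1ISIvz1kOfh185S2jo_gS3TDF3O7cLxvh_Dr-yfbGBCMqm1ZIHj2TUObpT8lQER245M1lflor6XkelZvhlbe2ZXEQ")

# The failing request and the realm the DNS alias routes it to (assumed from the repro steps).
REQUEST_URL = "http://sso.example.com:8585/sso/oauth2/access_token"
REALM = "/employees"
DNS_ALIASES = {"sso.example.com": "/employees"}  # host -> realm, as configured in step 4

# What getAcceptedAudiences() returned for this request, quoted from the code analysis.
REALM_AUDIENCES = [
    "http://sso.example.com:8585/sso/oauth2/employees",
    "http://sso.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token",
    "http://sso.example.com:8585/sso/oauth2/realms/root/realms/employees",
]

def jwt_payload(token):
    """Return the JWT payload as a dict (base64url without padding). Unverified, see above."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def audience_ok(claims, accepted):
    """RFC 7519: aud may be a string or an array; at least one value must be accepted."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return any(a in accepted for a in aud)

def accepted_audiences(request_url, realm, dns_aliases, realm_audiences):
    """Hypothetical fix: if the request host is a DNS alias bound to the realm being served,
    the endpoint URL exactly as the client sees it is a legitimate audience too, because the
    alias already pins the realm. Any other host gets only the realm-qualified list."""
    host = urlsplit(request_url).hostname
    if dns_aliases.get(host) == realm:
        return list(realm_audiences) + [request_url]
    return list(realm_audiences)

if __name__ == "__main__":
    claims = jwt_payload(CLIENT_ASSERTION)
    print("aud:", claims["aud"])
    print("5.5.1 behaviour:", audience_ok(claims, REALM_AUDIENCES))  # False
    print("with alias fix:", audience_ok(claims, accepted_audiences(REQUEST_URL, REALM, DNS_ALIASES, REALM_AUDIENCES)))  # True
```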

      People

      • Assignee: Michael Carter (michael.carter)
      • Reporter: Charan Mann (charan.mann)