OpenAM / OPENAM-12955

Resource Owner Password Credentials Grant does not work with trees

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 14.1.1.1, 14.1.1.2, 14.1.1.3, 6.0.0, 14.1.1.4, 14.1.1.5, 14.1.2.2, 14.1.2.3, 14.1.2.4
    • Fix Version/s: 6.5.1, 7.0.0
    • Component/s: oauth2, trees
    • Sprint:
      AM Sustaining Sprint 56, AM Sustaining Sprint 57
    • Support Ticket IDs:

      Description

      Bug description

      Resource Owner Password Credentials Grant fails with Internal Server Error (500) if the default authN service for the realm is a tree.

      How to reproduce the issue

      1. Install AM as an OAuth2 provider
      2. Create an OAuth2 client profile with scope mail
      3. Change the authN method for the client (Edit client > Advanced tab > Token Endpoint Authentication Method > select client_secret_post)
      4. Set the realm's AuthN configuration to Example (Authentication > Settings > Organization Authentication Configuration)
      5. In a terminal window run the command:
      curl --request POST --data 'grant_type=password&client_id=clientid&client_secret=clientpassword&username=demo&password=changeit&scope=mail' 'http://openam.example.com:18080/openam/oauth2/access_token'
      Expected behaviour
      {"access_token":"Jv2T42zNfbwopUvSvs5UiLBDaBk","scope":"mail","token_type":"Bearer","expires_in":3599}
      Current behaviour
      {"error_description":"Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request","error":"server_error"}

      Further comments

      • If you change the default authN config back to ldapService, it works.
      • Worth pointing out OPENAM-4177, where an auth_chain parameter was added to force the ldapService chain in case the default for the realm was a chain incompatible with the grant; a similar parameter would need to be added for trees.

      Workaround

      Currently there is no way of using trees with this grant; a chain must be used.
      If the realm's Organization Authentication Configuration points at a tree, you can bypass it by passing the auth_chain parameter directly to force a chain:

      curl -k --request POST --user testid:password --data "grant_type=password&username=user.10617&password=password&scope=cn&auth_chain=ldapService" http://openam13.example.com:8080/openam6/oauth2/access_token
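The reproduction steps and the auth_chain workaround above, as an added example in Python that is not code from the OpenAM project or from the issue reporter. It builds the Resource Owner Password Credentials request for either client_secret_post (as in the reproduction) or client_secret_basic (as in the workaround's curl --user), classifies the token endpoint's reply, and retries with auth_chain=ldapService when it sees the server_error response this issue describes. The host, realm path, client and user credentials are assumptions taken from the steps above; the sample JSON responses in the comments are the ones quoted in this issue.

```python
"""Exercise the AM OAuth2 token endpoint with the Resource Owner Password
Credentials grant, with an optional auth_chain to force a specific chain.

Added example, not code from the OpenAM project or this issue's reporter.
TOKEN_URL, client and user credentials are assumptions from the repro steps.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "http://openam.example.com:18080/openam/oauth2/access_token"  # assumption


def build_token_request(client_id, client_secret, username, password, scope,
                        auth_chain=None, auth_method="client_secret_post"):
    """Return (headers, form_body) for a ROPC grant.

    auth_method selects how the client authenticates to the token endpoint:
    'client_secret_post' puts client_id/client_secret in the form body (the
    reproduction steps); 'client_secret_basic' sends them in an HTTP Basic
    Authorization header (what the workaround's curl --user does).
    auth_chain, when set, forces that chain regardless of the realm's
    Organization Authentication Configuration (the OPENAM-4177 parameter).
    """
    params = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "client_secret_post":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    elif auth_method == "client_secret_basic":
        cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    else:
        raise ValueError(f"unsupported auth_method: {auth_method}")
    if auth_chain:
        params["auth_chain"] = auth_chain
    return headers, urllib.parse.urlencode(params)


def classify_token_response(status, body):
    """Map an HTTP status and JSON body from the token endpoint to a verdict.

    ('ok', access_token)          200 with an access_token, e.g.
        {"access_token":"Jv2T...","scope":"mail","token_type":"Bearer","expires_in":3599}
    ('server_error', description) the 500 this issue describes, e.g.
        {"error_description":"Internal Server Error (500) - ...","error":"server_error"}
    ('oauth_error', error)        any other RFC 6749 error object
    ('unparseable', snippet)      a non-JSON body (proxy page, stack trace)
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ("unparseable", body[:200])
    if status == 200 and "access_token" in doc:
        return ("ok", doc["access_token"])
    err = doc.get("error", "unknown")
    if err == "server_error":
        return ("server_error", doc.get("error_description", ""))
    return ("oauth_error", err)


def request_token(url=TOKEN_URL, **kwargs):
    """POST the grant and classify the reply; HTTP error statuses are not raised."""
    headers, body = build_token_request(**kwargs)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_token_response(e.code, e.read().decode())


if __name__ == "__main__":
    creds = dict(client_id="clientid", client_secret="clientpassword",
                 username="demo", password="changeit", scope="mail")  # assumptions
    verdict = request_token(**creds)
    if verdict[0] == "server_error":
        # Symptom of a tree as the realm's default authN service: retry,
        # forcing the ldapService chain as the workaround above does.
        verdict = request_token(auth_chain="ldapService", **creds)
    print(verdict)
```

The retry only helps while the realm still has a chain named ldapService that the user's credentials are valid against; it does not make the tree usable for this grant, which is the fix in 6.5.1 and 7.0.0. Note also that the grant hands the user's password to the client and, in the curl commands above, sends it over plain http; keep it for first-party clients on TLS.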


              People

              • Assignee: jamesphillpotts James Phillpotts
              • Reporter: nathalie.hoet Nathalie Hoet
              • Votes: 2
              • Watchers: 19
