
Resource Owner Password Credentials Grant does not work with trees



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects versions: 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 6.0.0
    • Fix versions: 6.5.1, 7.0.0
    • Labels: oauth2, trees
    • Sprint: AM Sustaining Sprint 56, AM Sustaining Sprint 57


      Bug description

      Resource Owner Password Credentials Grant fails with Internal Server Error (500) if the default authN service for the realm is a tree.

      How to reproduce the issue

      1. Install AM as an OAuth2 provider
      2. Create an OAuth2 client profile with scope mail
      3. Change the authN method for the client (Edit client > Advanced tab > Token Endpoint Authentication Method > select client_secret_post)
      4. Set the AuthN configuration to Example (Authentication > Settings > Organization Authentication Configuration)
      5. In a terminal window run the command:
      curl --request POST --data 'grant_type=password&client_id=clientid&client_secret=clientpassword&username=demo&password=changeit&scope=mail' 'http://openam.example.com:18080/openam/oauth2/access_token'
      Expected behaviour
      Current behaviour
      {"error_description":"Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request","error":"server_error"}

      Further comments

      • If you change the default authN config back to ldapService, it works.
      • Worth pointing out OPENAM-4177, where an auth_chain parameter was added to force the ldapService chain in case the default for the realm was a chain incompatible with the grant; a similar parameter would need to be added for trees.


      Currently there is no way of using trees, and chains must be used.
      If you want to avoid using the Organization Authentication Configuration settings, if they are using trees, then you can use the auth_chain parameter directly.

      curl -k --request POST --user testid:password --data "grant_type=password&username=user.10617&password=password&scope=cn&auth_chain=ldapService" http://openam13.example.com:8080/openam6/oauth2/access_token
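The following is an added example, not code from the OpenAM project or from this issue: a small Python client for the token endpoint that issues the two password-grant requests discussed above side by side, the plain request that fails with HTTP 500 / "server_error" when the realm's default authentication service is a tree, and the request that pins the chain with the auth_chain parameter from OPENAM-4177. The endpoint, client id and credentials are placeholders taken from the reproduction steps; the response classifier is tested against a constructed copy of the 500 reply quoted in the bug description.

```python
"""Added example (not from the OpenAM project or this issue): a minimal
Resource Owner Password Credentials client for the AM token endpoint,
with and without the auth_chain workaround. Endpoint and credentials are
placeholders (assumptions mirroring the reproduction steps)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder endpoint, mirroring the host used in the reproduction steps.
TOKEN_ENDPOINT = "http://openam.example.com:18080/openam/oauth2/access_token"


def build_ropc_form(client_id, client_secret, username, password, scope,
                    auth_chain=None):
    """Return the URL-encoded body for a password-grant request.

    client_secret_post authentication puts the client credentials in the
    body, as the reproduction steps configure. urlencode escapes '&', '='
    and '%' inside passwords, which a hand-written curl string does not.
    auth_chain, when given, forces that chain instead of the realm default.
    """
    fields = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": scope,
    }
    if auth_chain is not None:
        fields["auth_chain"] = auth_chain
    return urllib.parse.urlencode(fields)


def classify_token_response(status, body):
    """Map a token-endpoint reply to ("token", access_token) or
    ("error", error code). A non-JSON body is reported as an error."""
    try:
        payload = json.loads(body)
    except ValueError:
        return ("error", f"non-json response (HTTP {status})")
    if status == 200 and "access_token" in payload:
        return ("token", payload["access_token"])
    # AM returns {"error": "server_error", ...} for the 500 in this issue.
    return ("error", payload.get("error", f"http_{status}"))


def request_token(form, endpoint=TOKEN_ENDPOINT, timeout=10):
    """POST the form to the token endpoint and classify the reply.
    urlopen raises on 4xx/5xx, so the error body is read from the exception."""
    req = urllib.request.Request(
        endpoint, data=form.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_token_response(exc.code, exc.read().decode())


if __name__ == "__main__":
    creds = dict(client_id="clientid", client_secret="clientpassword",
                 username="demo", password="changeit", scope="mail")
    # Plain request: hits the bug when the realm default authN is a tree.
    print("default chain:", request_token(build_ropc_form(**creds)))
    # Workaround: pin the ldapService chain explicitly.
    print("auth_chain=ldapService:",
          request_token(build_ropc_form(**creds, auth_chain="ldapService")))
```

Running the script against an AM instance configured as in the reproduction steps shows the first call returning ("error", "server_error") and the second returning a token; once the realm default is switched back to ldapService both calls succeed, which is the quickest way to confirm the failure is the tree-vs-chain issue rather than bad client credentials.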




          James Phillpotts (jamesphillpotts)
          Nathalie Hoet (nathalie.hoet)