Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 13.5.0, 14.1.1, 5.5.1, 6.0.0
Component/s: oauth2
Labels:
Bug description
When using the authorisation code flow (other flows are probably affected as well) and accessing the /access_token endpoint to retrieve the access token, AM issues search requests for the OAuth client against the configured user datastore.
For example, in my environment I have an OAuth client called "myClient" and when accessing the access_token endpoint, the Directory Server access logs show the following searches (AM 13.5):
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=7 msgID=8 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="authorityRevocationList,oathDeviceProfiles,sunIdentityServerPPCommonNamePT,iplanet-am-user-password-reset-question-answer,mail,iplanet-am-user-alias-list,iplanet-am-auth-configuration,telephoneNumber,dn,iplanet-am-user-password-reset-options,sunIdentityServerPPDemographicsDisplayLanguage,objectClass,userPassword,sunIdentityServerPPInformalName,sunIdentityServerPPLegalIdentityDOB,sunIdentityServerPPEmergencyContact,sunIdentityServerPPEmploymentIdentityAltO,givenName,sunIdentityServerPPFacadeWebSite,pushDeviceProfiles,createTimestamp,iplanet-am-session-add-session-listener-on-all-sessions,iplanet-am-session-quota-limit,sunIdentityServerPPLegalIdentityVATIdValue,iplanet-am-user-auth-config,adminRole,sun-fm-saml2-nameid-infokey,iplanet-am-user-password-reset-force-reset,sunIdentityServerPPCommonNameMN,caCertificate,sunAMAuthInvalidAttemptsData,iplanet-am-user-federation-info-key,sunIdentityServerPPLegalIdentityAltIdValue,sunIdentityServerPPSignKey,devicePrintProfiles,iplanet-am-session-get-valid-sessions,postalAddress,sunIdentityServerPPFacadeMugShot,sunIdentityServerPPDemographicsTimeZone,sunIdentityServerPPDemographicsBirthDay,iplanet-am-user-account-life,preferredtimezone,iplanet-am-user-admin-start-dn,sunIdentityServerPPMsgContact,preferredlanguage,sunIdentityServerPPLegalIdentityMaritalStatus,sunIdentityMSISDNNumber,memberOf,sun-fm-saml2-nameid-info,sunIdentityServerPPDemographicsLanguage,iplanet-am-session-service-status,sunIdentityServerPPLegalIdentityAltIdType,sunIdentityServerPPEmploymentIdentityJobTitle,employeeNumber,iplanet-am-session-max-idle-time,iplanet-am-session-destroy-sessions,sunIdentityServerPPLegalIdentityGender,sunIdentityServerPPCommonNameAltCN,sunIdentityServerPPCommonNameFN,oath2faEnabled,uid,sunIdentityServerPPFacadegreetmesound,iplanet-am-user-success-url,iplanet-am-user-auth-modules,sunIdentityServerPPCommonNameSN,sunIdentityServerPPEncryPTKey,sn,sunIdentityServerPPLegalIdentityVATIdType,modifyTimestamp,sunIdentityServerPPEmploymentIdentityOrg,sunIdentityServerPPDemographicsAge,sunIdentityServerPPFacadeNamePronounced,sunIdentityServerPPFacadeGreetSound,preferredLocale,iplanet-am-user-federation-info,manager,inetUserStatus,kbaInfo,iplanet-am-session-max-session-time,assignedDashboard,sunIdentityServerPPCommonNameCN,kbaActiveIndex,cn,sunIdentityServerPPLegalIdentityLegalName,sunIdentityServerDiscoEntries,iplanet-am-user-login-status,userCertificate,distinguishedName,sunIdentityServerPPAddressCard,inetUserHttpURL,iplanet-am-user-failure-url,iplanet-am-session-max-caching-time"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=7 msgID=8 result=0 nentries=0 etime=1
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=8 msgID=9 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="uid"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=8 msgID=9 result=0 nentries=0 etime=0
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=9 msgID=10 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="authorityRevocationList,oathDeviceProfiles,sunIdentityServerPPCommonNamePT,iplanet-am-user-password-reset-question-answer,mail,iplanet-am-user-alias-list,iplanet-am-auth-configuration,telephoneNumber,dn,iplanet-am-user-password-reset-options,sunIdentityServerPPDemographicsDisplayLanguage,objectClass,userPassword,sunIdentityServerPPInformalName,sunIdentityServerPPLegalIdentityDOB,sunIdentityServerPPEmergencyContact,sunIdentityServerPPEmploymentIdentityAltO,givenName,sunIdentityServerPPFacadeWebSite,pushDeviceProfiles,createTimestamp,iplanet-am-session-add-session-listener-on-all-sessions,iplanet-am-session-quota-limit,sunIdentityServerPPLegalIdentityVATIdValue,iplanet-am-user-auth-config,adminRole,sun-fm-saml2-nameid-infokey,iplanet-am-user-password-reset-force-reset,sunIdentityServerPPCommonNameMN,caCertificate,sunAMAuthInvalidAttemptsData,iplanet-am-user-federation-info-key,sunIdentityServerPPLegalIdentityAltIdValue,sunIdentityServerPPSignKey,devicePrintProfiles,iplanet-am-session-get-valid-sessions,postalAddress,sunIdentityServerPPFacadeMugShot,sunIdentityServerPPDemographicsTimeZone,sunIdentityServerPPDemographicsBirthDay,iplanet-am-user-account-life,preferredtimezone,iplanet-am-user-admin-start-dn,sunIdentityServerPPMsgContact,preferredlanguage,sunIdentityServerPPLegalIdentityMaritalStatus,sunIdentityMSISDNNumber,memberOf,sun-fm-saml2-nameid-info,sunIdentityServerPPDemographicsLanguage,iplanet-am-session-service-status,sunIdentityServerPPLegalIdentityAltIdType,sunIdentityServerPPEmploymentIdentityJobTitle,employeeNumber,iplanet-am-session-max-idle-time,iplanet-am-session-destroy-sessions,sunIdentityServerPPLegalIdentityGender,sunIdentityServerPPCommonNameAltCN,sunIdentityServerPPCommonNameFN,oath2faEnabled,uid,sunIdentityServerPPFacadegreetmesound,iplanet-am-user-success-url,iplanet-am-user-auth-modules,sunIdentityServerPPCommonNameSN,sunIdentityServerPPEncryPTKey,sn,sunIdentityServerPPLegalIdentityVATIdType,modifyTimestamp,sunIdentityServerPPEmploymentIdentityOrg,sunIdentityServerPPDemographicsAge,sunIdentityServerPPFacadeNamePronounced,sunIdentityServerPPFacadeGreetSound,preferredLocale,iplanet-am-user-federation-info,manager,inetUserStatus,kbaInfo,iplanet-am-session-max-session-time,assignedDashboard,sunIdentityServerPPCommonNameCN,kbaActiveIndex,cn,sunIdentityServerPPLegalIdentityLegalName,sunIdentityServerDiscoEntries,iplanet-am-user-login-status,userCertificate,distinguishedName,sunIdentityServerPPAddressCard,inetUserHttpURL,iplanet-am-user-failure-url,iplanet-am-session-max-caching-time"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=9 msgID=10 result=0 nentries=0 etime=0
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=10 msgID=11 base="ou=people,dc=example,dc=com" scope=sub filter="(&(|(uid=myClient))(&(uid=*)(objectclass=inetorgperson)))" attrs="authorityRevocationList,oathDeviceProfiles,sunIdentityServerPPCommonNamePT,iplanet-am-user-password-reset-question-answer,mail,iplanet-am-user-alias-list,iplanet-am-auth-configuration,telephoneNumber,dn,iplanet-am-user-password-reset-options,sunIdentityServerPPDemographicsDisplayLanguage,objectClass,userPassword,sunIdentityServerPPInformalName,sunIdentityServerPPLegalIdentityDOB,sunIdentityServerPPEmergencyContact,sunIdentityServerPPEmploymentIdentityAltO,givenName,sunIdentityServerPPFacadeWebSite,pushDeviceProfiles,createTimestamp,iplanet-am-session-add-session-listener-on-all-sessions,iplanet-am-session-quota-limit,sunIdentityServerPPLegalIdentityVATIdValue,iplanet-am-user-auth-config,adminRole,sun-fm-saml2-nameid-infokey,iplanet-am-user-password-reset-force-reset,sunIdentityServerPPCommonNameMN,caCertificate,sunAMAuthInvalidAttemptsData,iplanet-am-user-federation-info-key,sunIdentityServerPPLegalIdentityAltIdValue,sunIdentityServerPPSignKey,devicePrintProfiles,iplanet-am-session-get-valid-sessions,postalAddress,sunIdentityServerPPFacadeMugShot,sunIdentityServerPPDemographicsTimeZone,sunIdentityServerPPDemographicsBirthDay,iplanet-am-user-account-life,preferredtimezone,iplanet-am-user-admin-start-dn,sunIdentityServerPPMsgContact,preferredlanguage,sunIdentityServerPPLegalIdentityMaritalStatus,sunIdentityMSISDNNumber,memberOf,sun-fm-saml2-nameid-info,sunIdentityServerPPDemographicsLanguage,iplanet-am-session-service-status,sunIdentityServerPPLegalIdentityAltIdType,sunIdentityServerPPEmploymentIdentityJobTitle,employeeNumber,iplanet-am-session-max-idle-time,iplanet-am-session-destroy-sessions,sunIdentityServerPPLegalIdentityGender,sunIdentityServerPPCommonNameAltCN,sunIdentityServerPPCommonNameFN,oath2faEnabled,uid,sunIdentityServerPPFacadegreetmesound,iplanet-am-user-success-url,iplanet-am-user-auth-modules,sunIdentityServerPPCommonNameSN,sunIdentityServerPPEncryPTKey,sn,sunIdentityServerPPLegalIdentityVATIdType,modifyTimestamp,sunIdentityServerPPEmploymentIdentityOrg,sunIdentityServerPPDemographicsAge,sunIdentityServerPPFacadeNamePronounced,sunIdentityServerPPFacadeGreetSound,preferredLocale,iplanet-am-user-federation-info,manager,inetUserStatus,kbaInfo,iplanet-am-session-max-session-time,assignedDashboard,sunIdentityServerPPCommonNameCN,kbaActiveIndex,cn,sunIdentityServerPPLegalIdentityLegalName,sunIdentityServerDiscoEntries,iplanet-am-user-login-status,userCertificate,distinguishedName,sunIdentityServerPPAddressCard,inetUserHttpURL,iplanet-am-user-failure-url,iplanet-am-session-max-caching-time"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=10 msgID=11 result=0 nentries=0 etime=0
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=11 msgID=12 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="uid"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=11 msgID=12 result=0 nentries=0 etime=0
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=12 msgID=13 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="uid"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=12 msgID=13 result=0 nentries=0 etime=0
When using Active Directory as a datastore, the LDAP search can take an excessive amount of time to return, causing the access_token endpoint response time to be quite large.
Extract of AD log:
Internal event: A client issued a search operation with the following options.
Client: 172.31.34.216:58158
Starting node: dc=example,dc=com
Filter: ( & ( | (uid=myClient) ) ( & (cn=*) (objectClass=person) ) )
Search scope: subtree
Attribute selection: mail,telephoneNumber,objectClass,userPassword,givenName,createTimeStamp,userAccountControl,postalAddress,userPrincipalName,unicodePwd,name,preferredLanguage,employeeNumber,objectGUID,sn,modifyTimeStamp,cn,sAMAccountName,displayName,distinguishedName
Server controls:
Visited entries: 15007
Returned entries: 0
Used indexes: idx_objectClass:11367:N;
Pages referenced: 75538
Pages read from disk: 997
Pages preread from disk: 249
Clean pages modified: 87
Dirty pages modified: 72
Search time (ms): 578
Attributes Preventing Optimization: none
User: CN=ambind,CN=Users,dc=example,dc=com
How to reproduce the issue
- Configure a simple OAuth provider and client; there is nothing special about them
- Use either the embedded or an external user store
- Using Postman or similar, authenticate and authorise
- Retrieve the access token from the access_token endpoint
- View the DS access log for the user store and filter for the OAuth client name
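To do the last step without reading a large access log by eye, here is an added helper script (my own example, not code from this report or from AM). It pairs DS SEARCH REQ and SEARCH RES records by connection and operation number, pulls out every search whose filter tests an attribute for a given OAuth client ID, and separately parses an AD directory-search event in the layout quoted above to flag searches that visit many entries to return few, which is what an unindexed attribute in the filter looks like from the AD side. The log lines and the AD event embedded in it are constructed from the records in this report with the attribute lists shortened and an invented etime on one search; the thresholds in is_expensive are my own starting values, not anything AM or AD defines.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the DS access-log records quoted in this report.
# The attrs list is shortened; op=8 is an unrelated user lookup added for contrast,
# and the etime on op=10 is made up to stand in for the slow AD case.
SAMPLE_DS_LOG = """\
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=7 msgID=8 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="mail,uid,cn,sn"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=7 msgID=8 result=0 nentries=0 etime=1
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=8 msgID=9 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=alice)(objectclass=inetorgperson))" attrs="uid"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=8 msgID=9 result=0 nentries=1 etime=0
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=10 msgID=11 base="ou=people,dc=example,dc=com" scope=sub filter="(&(|(uid=myClient))(&(uid=*)(objectclass=inetorgperson)))" attrs="mail,uid"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=10 msgID=11 result=0 nentries=0 etime=578
"""

# Constructed AD search event in the "Key: value" layout quoted in this report (fields trimmed).
SAMPLE_AD_EVENT = """\
Internal event: A client issued a search operation with the following options.
Client: 172.31.34.216:58158
Starting node: dc=example,dc=com
Filter: ( & ( | (uid=myClient) ) ( & (cn=*) (objectClass=person) ) )
Search scope: subtree
Attribute selection: mail,telephoneNumber,objectClass,sAMAccountName
Server controls:
Visited entries: 15007
Returned entries: 0
Used indexes: idx_objectClass:11367:N;
Search time (ms): 578
User: CN=ambind,CN=Users,dc=example,dc=com
"""

REQ_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SEARCH REQ conn=(?P<conn>\d+) op=(?P<op>\d+) msgID=\d+ '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\S+) filter="(?P<filter>[^"]*)"'
)
RES_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SEARCH RES conn=(?P<conn>\d+) op=(?P<op>\d+) msgID=\d+ '
    r'result=(?P<result>\d+) nentries=(?P<nentries>\d+) etime=(?P<etime>\d+)'
)


def parse_ds_access_log(text: str) -> List[Dict]:
    """Pair SEARCH REQ and SEARCH RES records by (conn, op); one dict per completed search."""
    pending: Dict[Tuple[int, int], Dict] = {}
    searches: List[Dict] = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["conn"], rec["op"] = int(rec["conn"]), int(rec["op"])
            pending[(rec["conn"], rec["op"])] = rec
            continue
        m = RES_RE.match(line)
        if m:
            req = pending.pop((int(m.group("conn")), int(m.group("op"))), None)
            if req is None:
                continue  # RES whose REQ lies outside the capture (e.g. log rotated mid-search)
            req.update(result=int(m.group("result")),
                       nentries=int(m.group("nentries")),
                       etime=int(m.group("etime")))
            searches.append(req)
    return searches


def searches_for_client(searches: List[Dict], client_id: str) -> List[Dict]:
    """Searches whose filter tests some attribute for exactly client_id (case-insensitive)."""
    needle = f"={client_id.lower()})"
    return [s for s in searches if needle in s["filter"].lower()]


def parse_ad_search_event(text: str) -> Dict:
    """Turn a 'Key: value' AD search event (the NTDS 1644 layout) into typed fields."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "filter": fields.get("Filter", ""),
        "visited": int(fields.get("Visited entries", "0")),
        "returned": int(fields.get("Returned entries", "0")),
        "search_ms": int(fields.get("Search time (ms)", "0")),
        "indexes": fields.get("Used indexes", ""),
    }


def is_expensive(event: Dict, min_visited: int = 1000, max_hit_ratio: float = 0.01) -> bool:
    """True when the search walked many entries to return few, the signature of an
    unindexed attribute in the filter. Thresholds are arbitrary starting points."""
    visited, returned = event["visited"], event["returned"]
    return visited >= min_visited and returned / visited <= max_hit_ratio


if __name__ == "__main__":
    for s in searches_for_client(parse_ds_access_log(SAMPLE_DS_LOG), "myClient"):
        print(f'conn={s["conn"]} op={s["op"]} etime={s["etime"]}ms '
              f'nentries={s["nentries"]} filter={s["filter"]}')
    ev = parse_ad_search_event(SAMPLE_AD_EVENT)
    print(f"AD: visited={ev['visited']} returned={ev['returned']} expensive={is_expensive(ev)}")
```

Point parse_ds_access_log at the contents of the user store's access log and pass your client ID to searches_for_client; any hit with nentries=0 is AM looking up the OAuth client where it cannot exist. On AD, pair that with the 1644 event: a high visited count against zero returned entries tells you the uid term is being evaluated without an index.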
Expected behaviour
AM shouldn't attempt to retrieve the OAuth client from the configured user data store.
Current behaviour
LDAP searches for the OAuth client are executed against the configured user data store.