OPENAM-12984

Access Token Endpoint issues search request against datastore for OAuth Client

    Details

    • Sprint:
      AM Sustaining Sprint 52, AM Sustaining Sprint 53
    • Story Points:
      3
    • Needs QA verification:
      Yes

      Description

      Bug description

      When using the authorisation code flow (others are probably affected as well) and accessing the /access_token endpoint to retrieve the access token, AM issues search requests for the OAuth client against the configured user datastore.

      For example, in my environment I have an OAuth client called "myClient" and when accessing the access_token endpoint, the Directory Server access logs show the following searches (AM 13.5):

      [10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=7 msgID=8 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="authorityRevocationList,oathDeviceProfiles,sunIdentityServerPPCommonNamePT,iplanet-am-user-password-reset-question-answer,mail,iplanet-am-user-alias-list,iplanet-am-auth-configuration,telephoneNumber,dn,iplanet-am-user-password-reset-options,sunIdentityServerPPDemographicsDisplayLanguage,objectClass,userPassword,sunIdentityServerPPInformalName,sunIdentityServerPPLegalIdentityDOB,sunIdentityServerPPEmergencyContact,sunIdentityServerPPEmploymentIdentityAltO,givenName,sunIdentityServerPPFacadeWebSite,pushDeviceProfiles,createTimestamp,iplanet-am-session-add-session-listener-on-all-sessions,iplanet-am-session-quota-limit,sunIdentityServerPPLegalIdentityVATIdValue,iplanet-am-user-auth-config,adminRole,sun-fm-saml2-nameid-infokey,iplanet-am-user-password-reset-force-reset,sunIdentityServerPPCommonNameMN,caCertificate,sunAMAuthInvalidAttemptsData,iplanet-am-user-federation-info-key,sunIdentityServerPPLegalIdentityAltIdValue,sunIdentityServerPPSignKey,devicePrintProfiles,iplanet-am-session-get-valid-sessions,postalAddress,sunIdentityServerPPFacadeMugShot,sunIdentityServerPPDemographicsTimeZone,sunIdentityServerPPDemographicsBirthDay,iplanet-am-user-account-life,preferredtimezone,iplanet-am-user-admin-start-dn,sunIdentityServerPPMsgContact,preferredlanguage,sunIdentityServerPPLegalIdentityMaritalStatus,sunIdentityMSISDNNumber,memberOf,sun-fm-saml2-nameid-info,sunIdentityServerPPDemographicsLanguage,iplanet-am-session-service-status,sunIdentityServerPPLegalIdentityAltIdType,sunIdentityServerPPEmploymentIdentityJobTitle,employeeNumber,iplanet-am-session-max-idle-time,iplanet-am-session-destroy-sessions,sunIdentityServerPPLegalIdentityGender,sunIdentityServerPPCommonNameAltCN,sunIdentityServerPPCommonNameFN,oath2faEnabled,uid,sunIdentityServerPPFacadegreetmesound,iplanet-am-user-success-url,iplanet-am-user-auth-modules,sunIdentityServerPPCommonNameSN,sunIdentityServerPPEncryPTKey,sn,sunIdentityServerPPLegalIdentityVATIdType,modifyTimestamp,sunIdentityServerPPEmploymentIdentityOrg,sunIdentityServerPPDemographicsAge,sunIdentityServerPPFacadeNamePronounced,sunIdentityServerPPFacadeGreetSound,preferredLocale,iplanet-am-user-federation-info,manager,inetUserStatus,kbaInfo,iplanet-am-session-max-session-time,assignedDashboard,sunIdentityServerPPCommonNameCN,kbaActiveIndex,cn,sunIdentityServerPPLegalIdentityLegalName,sunIdentityServerDiscoEntries,iplanet-am-user-login-status,userCertificate,distinguishedName,sunIdentityServerPPAddressCard,inetUserHttpURL,iplanet-am-user-failure-url,iplanet-am-session-max-caching-time"
      [10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=7 msgID=8 result=0 nentries=0 etime=1
      [10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=8 msgID=9 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="uid"
      [10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=8 msgID=9 result=0 nentries=0 etime=0
      [10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=9 msgID=10 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="authorityRevocationList,oathDeviceProfiles,sunIdentityServerPPCommonNamePT,iplanet-am-user-password-reset-question-answer,mail,iplanet-am-user-alias-list,iplanet-am-auth-configuration,telephoneNumber,dn,iplanet-am-user-password-reset-options,sunIdentityServerPPDemographicsDisplayLanguage,objectClass,userPassword,sunIdentityServerPPInformalName,sunIdentityServerPPLegalIdentityDOB,sunIdentityServerPPEmergencyContact,sunIdentityServerPPEmploymentIdentityAltO,givenName,sunIdentityServerPPFacadeWebSite,pushDeviceProfiles,createTimestamp,iplanet-am-session-add-session-listener-on-all-sessions,iplanet-am-session-quota-limit,sunIdentityServerPPLegalIdentityVATIdValue,iplanet-am-user-auth-config,adminRole,sun-fm-saml2-nameid-infokey,iplanet-am-user-password-reset-force-reset,sunIdentityServerPPCommonNameMN,caCertificate,sunAMAuthInvalidAttemptsData,iplanet-am-user-federation-info-key,sunIdentityServerPPLegalIdentityAltIdValue,sunIdentityServerPPSignKey,devicePrintProfiles,iplanet-am-session-get-valid-sessions,postalAddress,sunIdentityServerPPFacadeMugShot,sunIdentityServerPPDemographicsTimeZone,sunIdentityServerPPDemographicsBirthDay,iplanet-am-user-account-life,preferredtimezone,iplanet-am-user-admin-start-dn,sunIdentityServerPPMsgContact,preferredlanguage,sunIdentityServerPPLegalIdentityMaritalStatus,sunIdentityMSISDNNumber,memberOf,sun-fm-saml2-nameid-info,sunIdentityServerPPDemographicsLanguage,iplanet-am-session-service-status,sunIdentityServerPPLegalIdentityAltIdType,sunIdentityServerPPEmploymentIdentityJobTitle,employeeNumber,iplanet-am-session-max-idle-time,iplanet-am-session-destroy-sessions,sunIdentityServerPPLegalIdentityGender,sunIdentityServerPPCommonNameAltCN,sunIdentityServerPPCommonNameFN,oath2faEnabled,uid,sunIdentityServerPPFacadegreetmesound,iplanet-am-user-success-url,iplanet-am-user-auth-modules,sunIdentityServerPPCommonNameSN,sunIdentityServerPPEncryPTKey,sn,sunIdentityServerPPLegalIdentityVATIdType,modifyTimestamp,sunIdentityServerPPEmploymentIdentityOrg,sunIdentityServerPPDemographicsAge,sunIdentityServerPPFacadeNamePronounced,sunIdentityServerPPFacadeGreetSound,preferredLocale,iplanet-am-user-federation-info,manager,inetUserStatus,kbaInfo,iplanet-am-session-max-session-time,assignedDashboard,sunIdentityServerPPCommonNameCN,kbaActiveIndex,cn,sunIdentityServerPPLegalIdentityLegalName,sunIdentityServerDiscoEntries,iplanet-am-user-login-status,userCertificate,distinguishedName,sunIdentityServerPPAddressCard,inetUserHttpURL,iplanet-am-user-failure-url,iplanet-am-session-max-caching-time"
      [10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=9 msgID=10 result=0 nentries=0 etime=0
      [10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=10 msgID=11 base="ou=people,dc=example,dc=com" scope=sub filter="(&(|(uid=myClient))(&(uid=*)(objectclass=inetorgperson)))" attrs="authorityRevocationList,oathDeviceProfiles,sunIdentityServerPPCommonNamePT,iplanet-am-user-password-reset-question-answer,mail,iplanet-am-user-alias-list,iplanet-am-auth-configuration,telephoneNumber,dn,iplanet-am-user-password-reset-options,sunIdentityServerPPDemographicsDisplayLanguage,objectClass,userPassword,sunIdentityServerPPInformalName,sunIdentityServerPPLegalIdentityDOB,sunIdentityServerPPEmergencyContact,sunIdentityServerPPEmploymentIdentityAltO,givenName,sunIdentityServerPPFacadeWebSite,pushDeviceProfiles,createTimestamp,iplanet-am-session-add-session-listener-on-all-sessions,iplanet-am-session-quota-limit,sunIdentityServerPPLegalIdentityVATIdValue,iplanet-am-user-auth-config,adminRole,sun-fm-saml2-nameid-infokey,iplanet-am-user-password-reset-force-reset,sunIdentityServerPPCommonNameMN,caCertificate,sunAMAuthInvalidAttemptsData,iplanet-am-user-federation-info-key,sunIdentityServerPPLegalIdentityAltIdValue,sunIdentityServerPPSignKey,devicePrintProfiles,iplanet-am-session-get-valid-sessions,postalAddress,sunIdentityServerPPFacadeMugShot,sunIdentityServerPPDemographicsTimeZone,sunIdentityServerPPDemographicsBirthDay,iplanet-am-user-account-life,preferredtimezone,iplanet-am-user-admin-start-dn,sunIdentityServerPPMsgContact,preferredlanguage,sunIdentityServerPPLegalIdentityMaritalStatus,sunIdentityMSISDNNumber,memberOf,sun-fm-saml2-nameid-info,sunIdentityServerPPDemographicsLanguage,iplanet-am-session-service-status,sunIdentityServerPPLegalIdentityAltIdType,sunIdentityServerPPEmploymentIdentityJobTitle,employeeNumber,iplanet-am-session-max-idle-time,iplanet-am-session-destroy-sessions,sunIdentityServerPPLegalIdentityGender,sunIdentityServerPPCommonNameAltCN,sunIdentityServerPPCommonNameFN,oath2faEnabled,uid,sunIdentityServerPPFacadegreetmesound,iplanet-am-user-success-url,iplanet-am-user-auth-modules,sunIdentityServerPPCommonNameSN,sunIdentityServerPPEncryPTKey,sn,sunIdentityServerPPLegalIdentityVATIdType,modifyTimestamp,sunIdentityServerPPEmploymentIdentityOrg,sunIdentityServerPPDemographicsAge,sunIdentityServerPPFacadeNamePronounced,sunIdentityServerPPFacadeGreetSound,preferredLocale,iplanet-am-user-federation-info,manager,inetUserStatus,kbaInfo,iplanet-am-session-max-session-time,assignedDashboard,sunIdentityServerPPCommonNameCN,kbaActiveIndex,cn,sunIdentityServerPPLegalIdentityLegalName,sunIdentityServerDiscoEntries,iplanet-am-user-login-status,userCertificate,distinguishedName,sunIdentityServerPPAddressCard,inetUserHttpURL,iplanet-am-user-failure-url,iplanet-am-session-max-caching-time"
      [10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=10 msgID=11 result=0 nentries=0 etime=0
      [10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=11 msgID=12 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="uid"
      [10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=11 msgID=12 result=0 nentries=0 etime=0
      [10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=12 msgID=13 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="uid"
      [10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=12 msgID=13 result=0 nentries=0 etime=0
      

      When using Active Directory as a datastore, the LDAP search can take an excessive amount of time to return, causing the access_token endpoint response time to be quite large.

      Extract of AD log:

      Internal event: A client issued a search operation with the following options.

      Client: 172.31.34.216:58158
      Starting node: dc=example,dc=com
      Filter: ( & ( | (uid=myClient) ) ( & (cn=*) (objectClass=person) ) )
      Search scope: subtree
      Attribute selection: mail,telephoneNumber,objectClass,userPassword,givenName,createTimeStamp,userAccountControl,postalAddress,userPrincipalName,unicodePwd,name,preferredLanguage,employeeNumber,objectGUID,sn,modifyTimeStamp,cn,sAMAccountName,displayName,distinguishedName
      Server controls:
      Visited entries: 15007
      Returned entries: 0
      Used indexes: idx_objectClass:11367:N;
      Pages referenced: 75538
      Pages read from disk: 997
      Pages preread from disk: 249
      Clean pages modified: 87
      Dirty pages modified: 72
      Search time (ms): 578
      Attributes Preventing Optimization: none
      User: CN=ambind,CN=Users,dc=example,dc=com
      

      How to reproduce the issue

      1. Configure a simple OAuth provider and client; there is nothing special about them.
      2. Use either the embedded or an external user store.
      3. Using Postman or similar, authenticate and authorise.
      4. Retrieve the access token from the access_token endpoint.
      5. View the DS access log for the user store and filter for the OAuth client name.

      Expected behaviour

      AM shouldn't attempt to retrieve the OAuth client from the configured user data store.

      Current behaviour

      LDAP searches for the OAuth client are executed against the configured user data store.
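The check in step 5 above, as an added example that is not part of this issue or of the OpenAM code base: a small Python script that pairs SEARCH REQ and SEARCH RES lines from a DS access log by connection and operation number, picks out the searches that look up the OAuth client id under the user-store base DN, and reports how many round trips one token request cost, how many of them carry a presence component such as (uid=*) (the form the fourth search quoted above takes and, as (cn=*) on AD, the reason that search visited 15007 entries and returned none), and how wide the requested attribute list was. The log lines embedded in it are constructed from the ones quoted above with the attribute list shortened; the function names and the client-id and base-DN parameters are this example's own, not AM's.

```python
"""Scan a Directory Server access log for OAuth client lookups hitting the user store."""
import re

# Constructed sample, modelled on the DS access-log lines quoted in this issue
# (attribute lists shortened, one unrelated user search added). Not a real capture.
SAMPLE_LOG = """\
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=7 msgID=8 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="mail,uid,cn,sn,userPassword"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=7 msgID=8 result=0 nentries=0 etime=1
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=8 msgID=9 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=myClient)(objectclass=inetorgperson))" attrs="uid"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=8 msgID=9 result=0 nentries=0 etime=0
[10/Mar/2018:08:04:33 +0100] SEARCH REQ conn=148 op=10 msgID=11 base="ou=people,dc=example,dc=com" scope=sub filter="(&(|(uid=myClient))(&(uid=*)(objectclass=inetorgperson)))" attrs="mail,uid,cn"
[10/Mar/2018:08:04:33 +0100] SEARCH RES conn=148 op=10 msgID=11 result=0 nentries=0 etime=0
[10/Mar/2018:08:04:35 +0100] SEARCH REQ conn=149 op=3 msgID=4 base="ou=people,dc=example,dc=com" scope=sub filter="(&(uid=alice)(objectclass=inetorgperson))" attrs="uid,mail"
[10/Mar/2018:08:04:35 +0100] SEARCH RES conn=149 op=3 msgID=4 result=0 nentries=1 etime=0
"""

REQ_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SEARCH REQ conn=(?P<conn>\d+) op=(?P<op>\d+) msgID=\d+ '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\w+) filter="(?P<filter>[^"]*)" attrs="(?P<attrs>[^"]*)"'
)
RES_RE = re.compile(
    r'^\[[^\]]+\] SEARCH RES conn=(?P<conn>\d+) op=(?P<op>\d+) msgID=\d+ '
    r'result=(?P<result>\d+) nentries=(?P<nentries>\d+) etime=(?P<etime>\d+)'
)
# A presence component like (uid=*) or (cn=*) cannot be served from an equality
# index; combined with an objectClass term it makes the server walk every entry of
# that class, which is what the AD extract in this issue shows.
PRESENCE_RE = re.compile(r'\(\w+=\*\)')


def parse_searches(log_text):
    """Pair SEARCH REQ with SEARCH RES lines by (conn, op); return one dict per search."""
    pending, searches = {}, []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            d = m.groupdict()
            d['attrs'] = d['attrs'].split(',') if d['attrs'] else []
            pending[(d['conn'], d['op'])] = d
            continue
        m = RES_RE.match(line)
        if m:
            d = pending.pop((m['conn'], m['op']), None)
            if d is not None:
                d.update(result=int(m['result']), nentries=int(m['nentries']),
                         etime=int(m['etime']))
                searches.append(d)
    return searches


def client_lookups(searches, client_id, user_base):
    """Searches for the OAuth client id issued against the user-store base DN.

    Any hit is the behaviour this issue describes: the client is not a user entry,
    so the lookup is wasted work (nentries=0) and, on AD, a scan of the user tree.
    """
    needle = f'(uid={client_id})'.lower()
    return [s for s in searches
            if s['base'].lower() == user_base.lower() and needle in s['filter'].lower()]


def summarise(lookups):
    """Cost of the client lookups: round trips, presence-filter scans, attribute width."""
    return {
        'searches': len(lookups),
        'presence_scans': sum(1 for s in lookups if PRESENCE_RE.search(s['filter'])),
        'returned_entries': sum(s['nentries'] for s in lookups),
        'max_attrs_requested': max((len(s['attrs']) for s in lookups), default=0),
        'connections': sorted({s['conn'] for s in lookups}),
    }


if __name__ == '__main__':
    hits = client_lookups(parse_searches(SAMPLE_LOG), 'myClient',
                          'ou=people,dc=example,dc=com')
    for s in hits:
        print(f"conn={s['conn']} op={s['op']} filter={s['filter']} "
              f"attrs={len(s['attrs'])} nentries={s['nentries']}")
    print(summarise(hits))
```

Against a real log, feed `parse_searches` the file contents and pass your client id and user-store base DN to `client_lookups`. On a build that behaves as the expected behaviour above describes, the result is empty; any hit with nentries=0 is the wasted lookup this issue is about, and a hit whose filter contains a presence component is the one to watch on AD, where the AD extract above shows it walking the whole person tree.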
      

       

            People

            • Assignee:
              Lawrence Yarham (lawrence.yarham)
            • Reporter:
              Brad Tarisznyas (bradley.tarisznyas)
            • Votes:
              1
            • Watchers:
              14