OpenAM issue OPENAM-13064

OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional

    Details

    • Sprint:
      AM Sustaining Sprint 54, AM Sustaining Sprint 55, AM Sustaining Sprint 56, AM Sustaining Sprint 57
    • Story Points:
      3
    • Support Ticket IDs:
    • Needs QA verification:
      No

      Description

      Bug description

      According to https://tools.ietf.org/html/rfc7522:

      4. The Assertion MUST have an expiry that limits the time window
      during which it can be used. The expiry can be expressed either
      as the NotOnOrAfter attribute of the <Conditions> element or as
      the NotOnOrAfter attribute of a suitable
      <SubjectConfirmationData> element.

      5. The <Subject> element MUST contain at least one
      <SubjectConfirmation> element that has a Method attribute with a
      value of "urn:oasis:names:tc:SAML:2.0:cm:bearer". If the
      Assertion does not have a suitable NotOnOrAfter attribute on the
      <Conditions> element, the <SubjectConfirmation> element MUST
      contain a <SubjectConfirmationData> element. When present, the
      <SubjectConfirmationData> element MUST have a Recipient
      attribute with a value indicating the token endpoint URL of the
      authorization server (or an acceptable alias).

      How to reproduce the issue

      1. Configure a SAML Env (IDP, SP)
      2. Configure an OAuth2 Provider on the SP
      3. Obtain an Assertion by logging in with e.g. SPSSOinit
      4. Exchange the encoded Assertion for an Access Token

      Following the above should give you an access token. The generated Assertion already contains:

      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="http://idp.example.net:28080/openam" SPNameQualifier="http://sp.example.com:38080/openam">mVOp3Da9aTZJJZgwcwsDXo/uOktE</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml:SubjectConfirmationData InResponseTo="s2a59a95d90c44f4f67e4ca9488ae79b427ec1da91" NotOnOrAfter="2018-05-08T11:33:04Z" Recipient="http://sp.example.com:38080/openam/Consumer/metaAlias/sp"/>
        </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2018-05-08T10:58:04Z" NotOnOrAfter="2018-05-08T11:33:04Z">
        <saml:AudienceRestriction>
          <saml:Audience>http://sp.example.com:38080/openam</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>

      The above is a valid assertion. If we remove the SubjectConfirmationData element, OpenAM no longer accepts the Assertion.

      Expected behaviour

      The Assertion should be accepted as valid, because there is a NotOnOrAfter attribute on the <Conditions> element.

      Current behaviour

      The Assertion is rejected as invalid or expired.

      Workaround

      N/A

      Code analysis

      https://stash.forgerock.org/projects/OPENAM/repos/openam-sustaining/browse/openam-oauth2-saml2/src/main/java/org/forgerock/openam/oauth2/saml2/core/Saml2GrantTypeHandler.java#269

      The found variable stays false when no subjectConfirmationData element is present, so the method rejects the assertion even though <Conditions> carries a NotOnOrAfter:

      found = false;

      ..

      // a SubjectConfirmation without SubjectConfirmationData is skipped here,
      // so it can never set found to true
      if (subjectConfirmationData == null) {
          continue;

      ..

      if (!found) {
          logger.error("Saml2GrantTypeHandler.isValidAssertion(): The assertion is either expired or had no "
                  + "expiration info");
          throw new InvalidGrantException("Assertion either expired or had no expiration information");
      }
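As an added example that is not OpenAM code (the handler above is Java; this is standalone Python on the standard library), the check below applies items 4 and 5 of RFC 7522 section 3 so that an assertion whose expiry lives in <Conditions> passes with or without a SubjectConfirmationData element, while one with neither expiry is rejected. The set of accepted Recipient values is an assumption passed in by the caller; the demonstration uses the ACS URL from the assertion quoted in this report as the accepted alias, and the sample assertion is a constructed, trimmed copy of that one.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def saml_time(value):
    """Parse a SAML dateTime such as 2018-05-08T11:33:04Z as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_bearer_expiry(assertion_xml, now, acceptable_recipients):
    """RFC 7522 section 3, items 4 and 5: returns (True, "ok") or (False, reason)."""
    root = ET.fromstring(assertion_xml)
    # Item 4, first option: Conditions/@NotOnOrAfter alone is a sufficient expiry.
    conditions = root.find("saml:Conditions", NS)
    cond_exp = conditions.get("NotOnOrAfter") if conditions is not None else None
    if cond_exp is not None and now >= saml_time(cond_exp):
        return False, "Conditions/NotOnOrAfter has passed"
    usable = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            # Item 5: the element may be omitted only when Conditions carries the expiry.
            usable = usable or cond_exp is not None
            continue
        # When present, Recipient must name the token endpoint or an accepted alias (assumption: caller-supplied set).
        if scd.get("Recipient") not in acceptable_recipients:
            continue
        scd_exp = scd.get("NotOnOrAfter")
        if scd_exp is None:
            usable = usable or cond_exp is not None
        elif now < saml_time(scd_exp):
            usable = True
    return (True, "ok") if usable else (False, "no usable bearer SubjectConfirmation with an expiry")

# Constructed sample, trimmed from the report's assertion; {scd} takes SCD (present) or "" (omitted).
RECIPIENT = "http://sp.example.com:38080/openam/Consumer/metaAlias/sp"
SCD = f'<saml:SubjectConfirmationData NotOnOrAfter="2018-05-08T11:33:04Z" Recipient="{RECIPIENT}"/>'
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject>'
    '<saml:NameID>mVOp3Da9aTZJJZgwcwsDXo/uOktE</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">{scd}'
    '</saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2018-05-08T10:58:04Z" NotOnOrAfter="2018-05-08T11:33:04Z"/>'
    '</saml:Assertion>'
)
NOW = datetime(2018, 5, 8, 11, 0, 0, tzinfo=timezone.utc)  # inside the validity window

if __name__ == "__main__":  # both print (True, 'ok')
    print(check_bearer_expiry(ASSERTION.format(scd=SCD), NOW, {RECIPIENT}), check_bearer_expiry(ASSERTION.format(scd=""), NOW, {RECIPIENT}))
```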

      People

      • Assignee: Sachiko Wallace (sachiko)
      • Reporter: Tasos Kampas (anastasios.kampas)