OPENAM-13064

OAuth2 - SAML v.2.0 Bearer Assertion Grant - SubjectConfirmationData element should be optional


    • Sprint: AM Sustaining Sprint 54, AM Sustaining Sprint 55, AM Sustaining Sprint 56, AM Sustaining Sprint 57


      Bug description

      According to https://tools.ietf.org/html/rfc7522 (section 3, items 4 and 5):

      4. The Assertion MUST have an expiry that limits the time window
      during which it can be used. The expiry can be expressed either
      as the NotOnOrAfter attribute of the <Conditions> element or as
      the NotOnOrAfter attribute of a suitable
      <SubjectConfirmationData> element.

      5. The <Subject> element MUST contain at least one
      <SubjectConfirmation> element that has a Method attribute with a
      value of "urn:oasis:names:tc:SAML:2.0:cm:bearer". If the
      Assertion does not have a suitable NotOnOrAfter attribute on the
      <Conditions> element, the <SubjectConfirmation> element MUST
      contain a <SubjectConfirmationData> element. When present, the
      <SubjectConfirmationData> element MUST have a Recipient
      attribute with a value indicating the token endpoint URL of the
      authorization server (or an acceptable alias).

      How to reproduce the issue

      1. Configure a SAML Env (IDP, SP)
      2. Configure an OAuth2 Provider on the SP
      3. Obtain an Assertion by logging in with e.g. spSSOInit
      4. Exchange the encoded Assertion for an Access Token

      Following the above should give you an access token. The generated Assertion already contains:

      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="http://idp.example.net:28080/openam" SPNameQualifier="http://sp.example.com:38080/openam">mVOp3Da9aTZJJZgwcwsDXo/uOktE</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="s2a59a95d90c44f4f67e4ca9488ae79b427ec1da91" NotOnOrAfter="2018-05-08T11:33:04Z" Recipient="http://sp.example.com:38080/openam/Consumer/metaAlias/sp"/>
      <saml:Conditions NotBefore="2018-05-08T10:58:04Z" NotOnOrAfter="2018-05-08T11:33:04Z">

      The above is a valid assertion. If the SubjectConfirmationData element is removed, the Assertion is no longer accepted.

      Expected behaviour
      The Assertion should be valid, because the <Conditions> element carries a NotOnOrAfter attribute.
      Current behaviour
      The Assertion is rejected as invalid or expired.


      Code analysis


      The "found" variable is only set while a SubjectConfirmationData element is being validated; when that element is absent it remains false, so the check below throws even though <Conditions> carries a NotOnOrAfter attribute:

      if (subjectConfirmationData == null) {
          // 'found' is still false here when no SubjectConfirmationData was present,
          // regardless of the NotOnOrAfter attribute on <Conditions>
          if (!found) {
              logger.error("Saml2GrantTypeHandler.isValidAssertion(): The assertion is either expired or had no "
                      + "expiration info");
              throw new InvalidGrantException("Assertion either expired or had no expiration information");
          }
      }
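      As an added illustration (not OpenAM code), the checker below applies the RFC 7522 expiry rule quoted above and accepts an assertion whose only expiry is the NotOnOrAfter on <Conditions>, while still requiring Recipient to match the token endpoint whenever SubjectConfirmationData is present. The token endpoint URL and the sample assertions are constructed; signature and audience checks are out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Constructed token endpoint; a present SubjectConfirmationData must name it
TOKEN_ENDPOINT = "https://sp.example.com/oauth2/access_token"

def _utc(value):
    # SAML dateTime values are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_valid_assertion(xml_text, now, token_endpoint=TOKEN_ENDPOINT):
    """Return (ok, reason) per RFC 7522 items 4 and 5; `now` is a SAML timestamp string."""
    root = ET.fromstring(xml_text)
    current = _utc(now)
    expiry_found = False
    conds = root.find("saml:Conditions", NS)
    if conds is not None and conds.get("NotOnOrAfter"):
        if current >= _utc(conds.get("NotOnOrAfter")):
            return False, "Conditions NotOnOrAfter has passed"
        expiry_found = True  # sufficient on its own: SubjectConfirmationData becomes optional
    bearer = [c for c in root.findall("saml:Subject/saml:SubjectConfirmation", NS)
              if c.get("Method") == BEARER]
    if not bearer:
        return False, "no bearer SubjectConfirmation"
    for conf in bearer:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None:
            continue  # allowed; the final expiry check decides
        if data.get("Recipient") != token_endpoint:
            return False, "Recipient is not the token endpoint"
        if data.get("NotOnOrAfter"):
            if current >= _utc(data.get("NotOnOrAfter")):
                return False, "SubjectConfirmationData NotOnOrAfter has passed"
            expiry_found = True
    return (True, "ok") if expiry_found else (False, "assertion has no expiry")

def sample_assertion(with_scd):
    # Constructed sample modelled on the fragment in the report (no Issuer/Signature)
    scd = ('<saml:SubjectConfirmationData NotOnOrAfter="2018-05-08T11:33:04Z" '
           'Recipient="%s"/>' % TOKEN_ENDPOINT) if with_scd else ""
    return ('<saml:Assertion xmlns:saml="%s"><saml:Subject>'
            '<saml:NameID>mVOp3Da9aTZJJZgwcwsDXo/uOktE</saml:NameID>'
            '<saml:SubjectConfirmation Method="%s">%s</saml:SubjectConfirmation>'
            '</saml:Subject><saml:Conditions NotBefore="2018-05-08T10:58:04Z" '
            'NotOnOrAfter="2018-05-08T11:33:04Z"/></saml:Assertion>'
            % (NS["saml"], BEARER, scd))
```

      The second sample (no SubjectConfirmationData, expiry only on <Conditions>) is the case this report expects to be accepted.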



              • Assignee: Sachiko Wallace (sachiko), Tasos Kampas (anastasios.kampas)
              • Votes: 0
              • Watchers: 5