OpenAM / OPENAM-13104

Introspection of access token fails when the wrong case of realm is used in the FIRST request

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.0.0.7
    • Fix Version/s: 6.0.1, 5.5.2
    • Component/s: None
    • Sprint: AM Sustaining Sprint 52, AM Sustaining Sprint 53
    • Story Points: 2
    • Needs QA verification: Yes

      Description

      Bug description

      Introspection of an access token fails when the realm name is given in the wrong case in the first introspect request.

      How to reproduce the issue

      1. Set up two OpenAM instances, AM1 and AM2 (embedded store with replication between them).

      2. Create a realm named DEMO (upper case).

      3. Create an OAuth2 client agent in the DEMO realm:

      ssoadm create-agent -u amadmin -f ~/pass.txt -t OAuth2Client -e /DEMO -b myClientID \
        -a userpassword=password \
           com.forgerock.openam.oauth2provider.scopes[0]=profile \
           com.forgerock.openam.oauth2provider.scopes[1]=openid \
           com.forgerock.openam.oauth2provider.redirectionURIs[0]=$myopenam:8080/openid/cb-basic.html \
           com.forgerock.openam.oauth2provider.redirectionURIs[1]=$myopenam:8080/openid/cb-implicit.html

      4. Run the following script. It obtains an access token from AM1 and introspects it on AM2.

      Note that the first introspect request sent to AM2 uses the realm in lower case ("demo") rather than "DEMO".

      openam=http://lb.internal.example.com:7443        # load balancer (not used below)
      openam1=http://openam.internal.example.com:8080   # AM1: issues the token
      openam2=http://openam.internal.example.com:18080  # AM2: introspects it

      # Issue the token on AM1 using the realm's configured case (DEMO).
      result=$(curl -s -k --user "myClientID:password" --request POST \
        --data "grant_type=password&username=demo&password=changeit&scope=profile+openid" \
        "$openam1/openam/oauth2/realms/root/realms/DEMO/access_token")

      echo "result is"
      echo "$result" | python -m json.tool
      echo ""

      # Pull access_token out of the JSON with a parser instead of grep/cut.
      accesstoken=$(echo "$result" | python -c 'import json,sys; print(json.load(sys.stdin)["access_token"])')

      echo "accesstoken is $accesstoken"
      echo ""

      # First introspect on AM2 deliberately uses the wrong case (demo); the second uses the right case (DEMO).
      curl -s -k --request POST --user "myClientID:password" \
        "$openam2/openam/oauth2/realms/root/realms/demo/introspect?token=$accesstoken" | python -m json.tool
      curl -s -k --request POST --user "myClientID:password" \
        "$openam2/openam/oauth2/realms/root/realms/DEMO/introspect?token=$accesstoken" | python -m json.tool

      After that, every introspect request sent to AM2 fails until AM2 is restarted.

      Expected behaviour

      The introspect request succeeds and reports the freshly issued token as active.

      Current behaviour

      Both introspect calls return:

      {
          "active": false
      }
      {
          "active": false
      }
      

      Work around

      Ensure that the realm in the introspect request URL uses exactly the same case as the realm name as it was created.

      A single-server alternative for reproducing the issue:

      1. Obtain an access token via the /DEMO URL.
      2. Stop AM.
      3. Start AM and call introspect via the /demo URL with the access token from step 1.

      NOTE: But see also OPENAM-15970
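The workaround amounts to never letting a client send a realm path whose case differs from the realm as created, and the reproduction steps show why that matters when the first request is wrong. The script below is an added example, not ForgeRock code and not the reporter's reproduction script. It builds the AM 5.5/6.0 OAuth2 endpoint URLs, refuses a wrong-case realm before any request is sent, and replays the AM1/AM2 scenario against FakeAM, a constructed stand-in that models the behaviour this ticket describes (the first wrong-case introspect makes later ones fail until a restart) so that the script runs offline. The realm table (CONFIGURED_REALMS), the host names, the client ID and secret, and the user credentials are assumptions taken from the steps above; pass transport=http_transport to run the same calls against a real AM.

```python
# Added example for OPENAM-13104: not ForgeRock code and not the reporter's script.
# Enforces the ticket's workaround on the client side (the realm path used for
# introspection must carry exactly the case the realm was created with) and replays
# the AM1/AM2 scenario against FakeAM, a constructed model of the described behaviour.
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed: realms as created in AM, keyed by lower-case name (the ticket uses DEMO).
CONFIGURED_REALMS = {"demo": "DEMO"}

class RealmCaseMismatch(ValueError):
    """Realm path differs only in case from the configured realm."""

def canonical_realm(realm):
    """Return the realm name exactly as configured, or refuse."""
    configured = CONFIGURED_REALMS.get(realm.lower())
    if configured is None:
        raise KeyError("unknown realm: %r" % realm)
    if realm != configured:
        raise RealmCaseMismatch("%r does not match configured realm %r" % (realm, configured))
    return configured

def endpoint(base_url, realm, name):
    """<base>/openam/oauth2/realms/root/realms/<realm>/<name>, with the realm case checked."""
    return "%s/openam/oauth2/realms/root/realms/%s/%s" % (
        base_url.rstrip("/"), canonical_realm(realm), name)

def basic_auth(client_id, client_secret):  # the equivalent of curl --user
    cred = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    return {"Authorization": "Basic " + cred, "Content-Type": "application/x-www-form-urlencoded"}

def http_transport(url, body, headers):  # real transport: POST a form body, decode the JSON reply
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)

def get_access_token(base_url, realm, client_id, client_secret,
                     username, password, scope, transport=http_transport):
    """Resource-owner password grant, as in the reporter's first curl."""
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return transport(endpoint(base_url, realm, "access_token"), body,
                     basic_auth(client_id, client_secret))["access_token"]

def introspect(base_url, realm, client_id, client_secret, token, transport=http_transport):
    """True if AM reports the token active; the realm case is checked first."""
    resp = transport(endpoint(base_url, realm, "introspect"),
                     urlencode({"token": token}), basic_auth(client_id, client_secret))
    return bool(resp.get("active"))

class FakeAM:
    """Constructed model of the ticket's description, not real AM: the first introspect that
    names the realm in the wrong case makes every later introspect fail until a restart."""

    def __init__(self):
        self.tokens = set()       # shared between two instances below to model replication
        self.poisoned = False

    def __call__(self, url, body, headers):
        path, _, name = url.rpartition("/")
        realm = path.rpartition("/")[2]
        if name == "access_token":
            token = "tok-%d" % (len(self.tokens) + 1)
            self.tokens.add(token)
            return {"access_token": token}
        if realm != CONFIGURED_REALMS.get(realm.lower(), realm):
            self.poisoned = True
        presented = dict(p.split("=", 1) for p in body.split("&")).get("token")
        return {"active": presented in self.tokens and not self.poisoned}

    def restart(self):
        self.poisoned = False

def demo():
    """Replay the ticket's AM1/AM2 scenario and report what each step returns."""
    am1, am2 = FakeAM(), FakeAM()
    am2.tokens = am1.tokens                    # replicated token store
    client = ("myClientID", "password")        # assumed, from the ticket's ssoadm command
    am2_url = "http://openam2.example:18080"   # assumed host name
    token = get_access_token("http://openam1.example:8080", "DEMO", *client,
                             "demo", "changeit", "profile openid", transport=am1)
    out = {}
    try:                                       # guarded client: /demo never reaches AM2
        out["guarded"] = introspect(am2_url, "demo", *client, token, transport=am2)
    except RealmCaseMismatch as err:
        out["guarded"] = "blocked: %s" % err
    out["correct_case_before"] = introspect(am2_url, "DEMO", *client, token, transport=am2)
    # Unguarded request as in the reporter's script: /demo hits AM2 first, and from then
    # on even the correctly cased request fails until AM2 is restarted.
    am2(am2_url + "/openam/oauth2/realms/root/realms/demo/introspect",
        urlencode({"token": token}), basic_auth(*client))
    out["after_raw_wrong_case"] = introspect(am2_url, "DEMO", *client, token, transport=am2)
    am2.restart()
    out["after_restart"] = introspect(am2_url, "DEMO", *client, token, transport=am2)
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the four outcomes: the guarded call is blocked client-side, the correctly cased introspect is active, the raw wrong-case request leaves AM2 answering inactive for the correct realm too, and a restart clears it. The guard is deliberately strict (an unknown realm raises KeyError rather than passing through) because a realm name that is not in the table cannot be case-checked at all.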

       


               People

               • Assignee: Lawrence Yarham (lawrence.yarham)
               • Reporter: Sam Phua (sam.phua)
               • Votes: 0
               • Watchers: 5
