OpenAM / OPENAM-13114

WA 5 does not work if there is no datastore set up for the realm



    • AM Sustaining Sprint 70, AM Sustaining Sprint 71


      Bug description

      AM is set up with no data store; the user profile is set to Ignored. A resource is protected with agent 5.

      Set up an LDAP decision node in a tree. The user can authenticate, but cannot access the resources because agent 5 cannot receive the ID Token.

      How to reproduce the issue

      1. Install AM
      2. Delete the embedded data store. There should be no data store for the top realm
      3. Set Authentication > settings > user profile > user profile field > Ignored
      4. Create a tree with an LDAP decision node
      5. Check that you can authenticate a user using ldapTree
      6. Set ldapTree as default authentication service for the realm
      7. Install agent to protect a resource; set as sso-only
      8. Access a resource
      9. User redirected to AM for authN
      10. Authenticate user

      Expected behaviour

      User gets access to the resource

      Current behaviour

      AM throws an invalid client error

      The reason seems to be that WA 5 is expecting an ID Token, but because the user does not have a profile, AM cannot create the ID token. I'm wondering if this is a limitation with WA 5 or a bug.

      In the OAuth2 Provider log:


      OAuth2Provider:05/22/2018 04:30:02:996 AM EDT: Thread[http-nio-18080-exec-6,5,main]: TransactionId[4e3426a2-893e-46a0-828a-71ce252e5c90-568]
      ERROR: Unable to get client AMIdentity: 
      org.forgerock.oauth2.core.exceptions.OAuth2ProviderNotFoundException: No OpenID Connect provider for realm /
              at org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory.getRealmOAuth2ProviderSettings(OAuth2ProviderSettingsFactory.java:162)
              at org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory.get(OAuth2ProviderSettingsFactory.java:134)
              at org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory.get(OAuth2ProviderSettingsFactory.java:117)
              at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerIdentity(IdentityManager.java:125)
              at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerOrClientIdentity(IdentityManager.java:77)
              at org.forgerock.openam.oauth2.OpenAMScopeValidator.getUsersIdentity(OpenAMScopeValidator.java:266)
              at org.forgerock.openam.oauth2.OpenAMScopeValidator.getUserInfo(OpenAMScopeValidator.java:225)
              at org.forgerock.oauth2.core.AgentOAuth2ProviderSettings.getUserInfo(AgentOAuth2ProviderSettings.java:212)
              at org.forgerock.openam.oauth2.token.OpenIdConnectTokenStore.createOpenIDToken(OpenIdConnectTokenStore.java:163)
              at org.forgerock.openidconnect.IdTokenResponseTypeHandler.handle(IdTokenResponseTypeHandler.java:58)
              at org.forgerock.oauth2.core.AuthorizationTokenIssuer.issueTokens(AuthorizationTokenIssuer.java:117)
              at org.forgerock.oauth2.core.AuthorizationService.lambda$authorize$0(AuthorizationService.java:199)
              at org.forgerock.util.LambdaExceptionUtils.lambda$rethrowFunction$3(LambdaExceptionUtils.java:258)
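
A triage sketch for the trace above, added here as an example and not taken from the issue or from AM's code base: it splits an OAuth2Provider debug log into records and reports the transaction ID and realm of every record where OAuth2ProviderNotFoundException surfaces under both createOpenIDToken and getResourceOwnerIdentity. The function names are hypothetical, and the header layout is assumed from the single record quoted in this issue.

```python
import re

HEADER = re.compile(r"^(\w+):(\d\d/\d\d/\d{4} [\d:]+ [AP]M \w+): Thread\[[^\]]*\]: TransactionId\[([^\]]*)\]")
FRAME = re.compile(r"^\s+at ([\w.$]+)\(")
EXC = re.compile(r"^([\w.$]+Exception): (.*)")
# Frames that, together, mean ID token creation failed while resolving the user.
ID_TOKEN_PATH = (
    "org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerIdentity",
    "org.forgerock.openam.oauth2.token.OpenIdConnectTokenStore.createOpenIDToken",
)

def parse_records(text):
    """Split a debug log into records: header fields, exception, stack frames."""
    records = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            records.append({"log": m[1], "time": m[2], "txn": m[3],
                            "exception": None, "message": "", "frames": []})
        elif not records:
            continue  # ignore anything before the first header line
        elif m := FRAME.match(line):
            records[-1]["frames"].append(m[1])
        elif (m := EXC.match(line)) and records[-1]["exception"] is None:
            records[-1]["exception"], records[-1]["message"] = m[1], m[2]
    return records

def id_token_failures(text):
    """Return (transaction id, realm) for records matching the failure in this issue."""
    hits = []
    for r in parse_records(text):
        if (r["exception"] or "").endswith("OAuth2ProviderNotFoundException") \
                and all(f in r["frames"] for f in ID_TOKEN_PATH):
            realm = re.search(r"for realm (\S+)", r["message"])
            hits.append((r["txn"], realm[1] if realm else None))
    return hits

# Record 1 is the trace quoted in this issue (stack trimmed); record 2 is constructed.
SAMPLE = """\
OAuth2Provider:05/22/2018 04:30:02:996 AM EDT: Thread[http-nio-18080-exec-6,5,main]: TransactionId[4e3426a2-893e-46a0-828a-71ce252e5c90-568]
ERROR: Unable to get client AMIdentity:
org.forgerock.oauth2.core.exceptions.OAuth2ProviderNotFoundException: No OpenID Connect provider for realm /
        at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerIdentity(IdentityManager.java:125)
        at org.forgerock.openam.oauth2.token.OpenIdConnectTokenStore.createOpenIDToken(OpenIdConnectTokenStore.java:163)
OAuth2Provider:05/22/2018 04:31:10:120 AM EDT: Thread[http-nio-18080-exec-7,5,main]: TransactionId[constructed-example-0001]
ERROR: constructed record with no stack trace
"""

if __name__ == "__main__":
    for txn, realm in id_token_failures(SAMPLE):
        print(f"ID token creation failed: transaction={txn} realm={realm}")
```

The transaction ID it reports can be used to find the matching agent-side request in other AM logs.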


              kamal.sivanandam@forgerock.com Kamal Sivanandam
              nathalie.hoet Nathalie Hoet