OpenAM / OPENAM-13138

500 internal server error if user does not have a session when providing user code in OAuth2 device flow

      Description

      In the OAuth2 device flow, the end user must provide the user code at the ..../oauth2/device/user endpoint. If the user does not already hold an AM session (i.e. is not authenticated), AM responds with an HTTP 500 internal server error instead of redirecting the user to the login page.

      Reproduction steps

      1. Configure AM as an OAuth2 authorization server (AS) or OIDC provider: Dashboard > Configure OAuth Provider > Configure OpenID Connect
      2. Register an OAuth2 client called oauthclient with scope mail
      3. Start the device code grant with the curl command:
        curl --request POST --data 'client_id=oauthclient&scope=mail&response_type=token' http://am.example.com:18080/am/oauth2/device/code
        
      4. The response will look like:
        {
            "user_code": "iL3ARfmQ",
            "device_code": ...
             ...
        
      5. Make sure the browser does not hold an AM session (clear cookies)
      6. Go to http://am.example.com:18080/am/oauth2/device/user and insert the user code

      Expected behaviour

      The user is redirected to the AM login page

      Current behaviour

      Internal server error (500)

      Comment

      If the user is already authenticated, it works and the consent page is displayed
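      The reproduction above can be scripted as a regression check that runs steps 3, 5 and 6 without a browser: it requests a device code, then calls the device/user endpoint with no cookie jar (so no AM session) and does not follow redirects, so the raw status code is visible. This is an added example for this issue, not code from the AM project; the base URL, client and scope are the values from the report, and it assumes the device/user endpoint accepts the user code as a user_code query parameter (the report only says the code is entered on that page). The expected outcome is any 3xx redirect to the login page; a 500 is the behaviour this issue reports.

```python
"""Regression check for the device/user behaviour described in OPENAM-13138.

Added example, not part of AM. Network calls only happen under __main__.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Values taken from the reproduction steps; adjust for your deployment.
AM_BASE = "http://am.example.com:18080/am"
CLIENT_ID = "oauthclient"
SCOPE = "mail"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses; we want to see the redirect itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


# No HTTPCookieProcessor is installed, so no AM session cookie is ever sent
# (this is step 5 of the report: the client holds no session).
_opener = urllib.request.build_opener(_NoRedirect)


def _send(req):
    """Return (status, headers, body) without raising on 3xx/4xx/5xx."""
    try:
        with _opener.open(req, timeout=10) as resp:
            return resp.getcode(), resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx (because we refuse redirects) and for 4xx/5xx.
        return err.code, err.headers, err.read()


def request_device_code(base=AM_BASE, client_id=CLIENT_ID, scope=SCOPE):
    """Step 3: POST to /oauth2/device/code and return the parsed JSON body."""
    form = urllib.parse.urlencode(
        {"client_id": client_id, "scope": scope, "response_type": "token"}
    ).encode()
    status, _, body = _send(
        urllib.request.Request(base + "/oauth2/device/code", data=form)
    )
    if status != 200:
        raise RuntimeError(f"device/code returned HTTP {status}: {body[:200]!r}")
    return json.loads(body)


def probe_user_endpoint(user_code, base=AM_BASE):
    """Step 6 with no session: GET /oauth2/device/user with the user code.

    Assumption of this example: the endpoint accepts ?user_code=<code>.
    Returns (status, Location header or None).
    """
    url = base + "/oauth2/device/user?" + urllib.parse.urlencode({"user_code": user_code})
    status, headers, _ = _send(urllib.request.Request(url))
    return status, headers.get("Location")


def classify(status, location):
    """Map the unauthenticated response onto the report's expected/current behaviour."""
    if 300 <= status < 400 and location:
        return "ok: redirected to login (expected behaviour)"
    if status == 500:
        return "bug: internal server error (OPENAM-13138 behaviour)"
    return f"unexpected: HTTP {status}"


if __name__ == "__main__":
    grant = request_device_code()
    print("user_code:", grant["user_code"])
    status, location = probe_user_endpoint(grant["user_code"])
    print(status, location)
    print(classify(status, location))
```

      Run it against a test AM instance after registering the client from step 2. Because redirects are not followed and no cookies are stored, the script cannot accidentally reuse a session the way a browser would, which is exactly the condition the report says triggers the 500.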

              People

              dipu.seminlal Dipu Seminlal
              nathalie.hoet Nathalie Hoet
              Filip Kubáň [X] Filip Kubáň [X] (Inactive)