OpenAM / OPENAM-13465

Dynamic client registration sets wrong subjectType

    Details

    • Sprint:
      AM Sustaining Sprint 55, AM Sustaining Sprint 56, AM Sustaining Sprint 57, AM Sustaining Sprint 58, AM Sustaining Sprint 73
    • Story Points:
      5
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      Dynamic client registration sets wrong subjectType

      How to reproduce the issue

      Follow the dynamic client registration procedure outlined in the manual:
      https://backstage.forgerock.com/docs/am/5/oidc1-guide/#openam-openid-client-registration

      1. Run the following command. Notice that subjectType is all lowercase, "public":

      curl -v --request POST  --header "Content-Type: application/json" --data '{"redirect_uris":["http://openam.example.com:18080/openid/cb-basic.html","http://openam.example.com:18080/openid/cb-implicit.html"],"client_name":"Dynamically Registered Client", "subjectType":"public"}' http://openam.example.com:18080/openam/oauth2/register
      

      2. Log in to the XUI admin console, click [Applications] -> [OAuth2.0] -> select the registered client -> [Advanced] tab. Notice that "Subject Type" is set to "Pairwise".

      If you happen to save the client profile then the AM admin console changes the Subject Type to Pairwise which breaks the client.

      Expected behaviour
      subjectType should be set to the value that has been sent during registration.
      
      Current behaviour
      XUI displays "Subject Type" as "Pairwise". If you happen to save the client profile then the AM admin console changes the Subject Type to Pairwise which breaks the client.
      

      Workaround

      Make sure to use "Public" or "Pairwise" (with an uppercase 'P'), as defined in the AgentService.xml service schema.

      Code analysis

      There are two issues. The first is that Client.SubjectType defines its values in all lowercase, which differs from what is defined in the AgentService.xml service schema.

      org.forgerock.oauth2.core.Client.java
          public enum SubjectType {
              /** Pairwise Subject Type. */
              PAIRWISE("pairwise"),
              /** Public Subject Type. */
              PUBLIC("public");
      

      The second is that DynamicClientRegistrationService.createRegistration() should check whether the value passed in matches Client.SubjectType.PUBLIC or PAIRWISE in a case-insensitive manner and then use the constant's value instead of the raw input.

      org.forgerock.oauth2.registration.DynamicClientRegistrationService.java
          public JsonValue createRegistration(String accessToken, String deploymentUrl, OAuth2Request request)
                  throws OAuth2Exception, RealmLookupException {
              :
              if (input.get(SUBJECT_TYPE.getType()).asString() != null) {
                  if (providerSettings.getSupportedSubjectTypes().contains(input.get(SUBJECT_TYPE.getType()).asString())) {
                      clientBuilder.setSubjectType(input.get(SUBJECT_TYPE.getType()).asString());
                  } else {
                      logger.error("Invalid subject_type requested.");
                      throw new InvalidClientMetadata("Invalid subject_type requested");
                  }
              } else {
                  clientBuilder.setSubjectType(Client.SubjectType.PUBLIC.getType());
              }
      
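      The following is an added example illustrating the fix proposed in the code analysis above; it is not OpenAM code. It mirrors the two-value SubjectType enum quoted in the issue, resolves the requested subject_type case-insensitively against both the enum and the provider's supported list, and stores the enum constant's canonical value rather than the caller's raw string. The class name SubjectTypeNormalizer, the method resolveSubjectType and the InvalidClientMetadataException stand-in are assumptions; the supported-type list "Public"/"Pairwise" is constructed from the schema values the description names.

```java
import java.util.List;
import java.util.Optional;

// Added example, not OpenAM code. Names below are hypothetical.
public final class SubjectTypeNormalizer {

    // Same two values as the Client.SubjectType enum quoted in the issue.
    public enum SubjectType {
        PAIRWISE("pairwise"),
        PUBLIC("public");

        private final String type;

        SubjectType(String type) {
            this.type = type;
        }

        public String getType() {
            return type;
        }

        // Case-insensitive lookup so "public", "Public" and "PUBLIC" all resolve
        // to the same constant instead of falling through to the schema default.
        public static Optional<SubjectType> fromString(String value) {
            if (value == null) {
                return Optional.empty();
            }
            String trimmed = value.trim();
            for (SubjectType st : values()) {
                if (st.type.equalsIgnoreCase(trimmed)) {
                    return Optional.of(st);
                }
            }
            return Optional.empty();
        }
    }

    // Stand-in for the InvalidClientMetadata exception used in the original code.
    public static final class InvalidClientMetadataException extends Exception {
        InvalidClientMetadataException(String message) {
            super(message);
        }
    }

    // Resolves the value to store on the client profile:
    //  - absent: default to PUBLIC, as the original code does
    //  - present: match case-insensitively against the enum and against the
    //    provider's supported list, then return the canonical constant value
    public static String resolveSubjectType(String requested, List<String> supportedSubjectTypes)
            throws InvalidClientMetadataException {
        if (requested == null) {
            return SubjectType.PUBLIC.getType();
        }
        SubjectType st = SubjectType.fromString(requested)
                .orElseThrow(() -> new InvalidClientMetadataException(
                        "Invalid subject_type requested: " + requested));
        // The provider list may carry the schema spelling ("Public"), so compare ignoring case.
        boolean supported = supportedSubjectTypes.stream()
                .anyMatch(s -> s.equalsIgnoreCase(st.getType()));
        if (!supported) {
            throw new InvalidClientMetadataException(
                    "subject_type not supported by provider: " + requested);
        }
        return st.getType();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: provider advertises the schema-style values.
        List<String> supported = List.of("Public", "Pairwise");
        System.out.println(resolveSubjectType("public", supported));
        System.out.println(resolveSubjectType("PAIRWISE", supported));
        System.out.println(resolveSubjectType(null, supported));
        try {
            resolveSubjectType("anonymous", supported);
        } catch (InvalidClientMetadataException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      Whichever spelling is chosen as canonical (the enum's lowercase value or the schema's capitalised one), the point is that one side is normalised before storage so the value written to the profile always matches what the console's Subject Type drop-down expects.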

            People

            • Assignee: Sachiko Wallace
            • Reporter: Sachiko Wallace
            • Votes: 6
            • Watchers: 11