OPENAM-13842: OAuth2 Device flow - can no longer use user_code more than once

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0
    • Fix Version/s: 6.5.0, 6.0.1, 5.5.2
    • Component/s: oauth2
    • Sprint: AM Sustaining Sprint 56
    • Story Points: 3
    • Needs backport: Yes
    • Needs QA verification: No
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      Posting the user_code more than once to /oauth2/device/user returns a 500 error. Previously OPENAM-10130 was closed (as not a defect) to say "spec currently defines this as a short-lived token but doesn't state single usage".

      I think this was introduced in OPENAM-11591.

      How to reproduce the issue

      1. Create OAuth2 Provider
      2. Create an OAuth2 Client
      3. Get a user_code from /oauth2/device/code
      4. Use user_code at /oauth2/device/user (I used the XUI for this step)
      5. Repeat Step 4
      Expected behaviour

      Should return message "Done"

      Current behaviour

      Returns 500 error
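      To make the expected semantics concrete, here is an added, self-contained model of the user_code verification step (it is not OpenAM code and does not use OpenAM's APIs). It encodes the behaviour the report expects, and the earlier OPENAM-10130 ruling describes: a user_code is short-lived but not single-use, so re-posting the same code before it expires returns "Done" again rather than a server error, while unknown or expired codes are rejected with a client error. The store, the TTL value, the status tuples and the `DeviceFlowStore` name are all constructed for illustration.

```python
"""Toy model of the OAuth 2.0 device-flow user_code verification step.

Added example, not OpenAM code. Models the behaviour the report expects:
a user_code is short-lived but NOT single-use, so a repeated POST of the
same user_code before expiry returns "Done" again instead of a 500.
All names, the in-memory store and the TTL are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

USER_CODE_TTL = 300  # seconds; constructed value, real deployments configure this


@dataclass
class DeviceGrant:
    client_id: str
    device_code: str
    user_code: str
    expires_at: float
    subject: Optional[str] = None  # set when the end user authorizes the code
    verified_count: int = 0        # how many times the verification endpoint saw it


class DeviceFlowStore:
    """In-memory stand-in for the server-side device-grant state."""

    def __init__(self) -> None:
        self._by_user_code: dict = {}
        self._by_device_code: dict = {}

    def issue(self, client_id: str, now: Optional[float] = None) -> DeviceGrant:
        """Step 3 of the report: the device asks for a device_code/user_code pair."""
        now = time.time() if now is None else now
        grant = DeviceGrant(
            client_id=client_id,
            device_code=secrets.token_urlsafe(32),
            user_code=secrets.token_hex(4).upper(),
            expires_at=now + USER_CODE_TTL,
        )
        self._by_user_code[grant.user_code] = grant
        self._by_device_code[grant.device_code] = grant
        return grant

    def verify_user_code(self, user_code: str, subject: str,
                         now: Optional[float] = None) -> tuple:
        """Steps 4 and 5 of the report: the end user posts the user_code.

        Returns (http_status, message). Repeating the post with the same
        user_code and same user is idempotent and yields (200, "Done").
        """
        now = time.time() if now is None else now
        grant = self._by_user_code.get(user_code)
        if grant is None:
            return (400, "invalid_request: unknown user_code")
        if now >= grant.expires_at:
            return (400, "expired_token: user_code has expired")
        if grant.subject is None:
            grant.subject = subject            # first submission binds the user
        elif grant.subject != subject:
            return (403, "access_denied: user_code already bound to another user")
        grant.verified_count += 1              # repeat submissions are recorded, not refused
        return (200, "Done")

    def poll(self, device_code: str, now: Optional[float] = None) -> str:
        """The device side: is the grant authorized yet? (constructed helper)"""
        now = time.time() if now is None else now
        grant = self._by_device_code.get(device_code)
        if grant is None or now >= grant.expires_at:
            return "expired_token"
        return "authorized" if grant.subject else "authorization_pending"


if __name__ == "__main__":
    store = DeviceFlowStore()
    g = store.issue("demo-client", now=1000.0)
    print(store.verify_user_code(g.user_code, "alice", now=1001.0))  # first use
    print(store.verify_user_code(g.user_code, "alice", now=1002.0))  # repeat: still "Done"
    print(store.poll(g.device_code, now=1003.0))
```

      The only decision that matters for this report is in `verify_user_code`: once a user_code has been bound to a subject, a second identical submission is recorded and acknowledged instead of being treated as an invalid state, and the expiry check, not a use count, is what eventually retires the code.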

      Work around

      None that I can see

      Code analysis

      org/forgerock/oauth2/restlet/DeviceCodeVerificationResource.java

      if (key.equals(Params.REALM)) {
          try {
              restletRequest.getAttributes().put(RestletRealmRouter.REALM_OBJECT, Realms.of(extractedValue));
          } catch (RealmLookupException rle) {
              throw OAuthError.SERVER_ERROR.handle(restletRequest,
                      "An unexpected error occurred whilst handling the request");
          }
      }

      People

      • Assignee: Lawrence Yarham (lawrence.yarham)
      • Reporter: Aaron Haskins (aaron.haskins)
      • Votes: 0
      • Watchers: 7