
OAuth2 Device flow - duplicate user_code error after authenticating user

    Details

    • Sprint:
      AM Sustaining Sprint 56, AM Sustaining Sprint 57
    • Story Points:
      2
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      Performing a user_code authorization flow (see OPENAM-13842) results in the error "Invalid Request, duplicate request parameter found : user_code" after user authentication.

      How to reproduce the issue

      Similar to OPENAM-13842...

      1. Setup OIDC provider in top level realm (from realm dashboard), created oauth2 client testoauth, and then added Device Code grant type.
      2. Started device code flow using: curl -k --request POST 'https://openam.amtest2.com:8443/access/oauth2/realms/root/device/code?response_type=token&scope=profile&client_id=testoauth' -H 'Accept-API-Version: protocol=1.0,resource=2.0' -H 'Content-Type: application/json'
      3. Then, with the user code returned above, used url: https://openam.amtest2.com:8443/access/oauth2/device/user?scope=profile&client_id=testoauth&response_type=token&user_code=<user_code>
      4. Logged in.
      5. After login, see an error - Invalid Request, duplicate request parameter found : user_code.

      Expected behaviour

      Flow progresses to the consent page.

      Current behaviour

      See error message, Invalid Request, duplicate request parameter found : user_code.

      Workaround

      Edit the url in the address bar of the browser to remove the duplicate user_code parameter and resubmit to resume the flow and reach the consent page.

      Code analysis

      Many thanks to Adam Heath for the investigation here... The following code needs an additional check so that user_code is only added to the gotoUrl if it is not already present. (Or, perhaps better, strip any existing user_code before adding the current one, in case the user_code already present is incorrect.)

      ResourceOwnerSessionValidator#authenticationRequired

      // The request's user_code is appended to gotoUrl unconditionally; when gotoUrl
      // already carries a user_code (as in step 3 above) the parameter ends up twice.
      String gotoUrl = getGotoUrl(request);
      if (request.getParameter(USER_CODE) != null) {
          gotoUrl += param(gotoUrl, USER_CODE, request.getParameter(USER_CODE));
      }

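An added example, not OpenAM's own code, of the strip-then-append approach suggested in the analysis above: a standalone Java helper (the class and method names GotoUrlUserCode and withUserCode are assumptions) that removes every user_code parameter already present in the goto URL before appending the current one, so neither a duplicate nor a stale user_code can survive into the redirect. It assumes Java 10+ for the Charset overloads of URLEncoder/URLDecoder.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper (not from OpenAM) implementing the strip-then-append fix. */
public final class GotoUrlUserCode {
    static final String USER_CODE = "user_code";

    /** Returns gotoUrl with every existing USER_CODE parameter removed and the
     *  supplied value appended exactly once. Other parameters keep their order
     *  and the fragment, if any, is preserved. */
    public static String withUserCode(String gotoUrl, String userCode) {
        String fragment = "";
        int hash = gotoUrl.indexOf('#');
        if (hash >= 0) {
            fragment = gotoUrl.substring(hash);
            gotoUrl = gotoUrl.substring(0, hash);
        }
        String base = gotoUrl;
        List<String> kept = new ArrayList<>();
        int q = gotoUrl.indexOf('?');
        if (q >= 0) {
            base = gotoUrl.substring(0, q);
            for (String pair : gotoUrl.substring(q + 1).split("&")) {
                if (pair.isEmpty()) continue;
                int eq = pair.indexOf('=');
                String name = eq >= 0 ? pair.substring(0, eq) : pair;
                // Drop any user_code already present (duplicate or stale); keep the rest.
                if (!USER_CODE.equals(URLDecoder.decode(name, StandardCharsets.UTF_8))) {
                    kept.add(pair);
                }
            }
        }
        kept.add(USER_CODE + "=" + URLEncoder.encode(userCode, StandardCharsets.UTF_8));
        return base + "?" + String.join("&", kept) + fragment;
    }

    public static void main(String[] args) {
        // Constructed goto URL that already carries a user_code, as in step 3 of the report.
        String stale = "https://openam.example.com:8443/access/oauth2/device/user"
                + "?scope=profile&client_id=testoauth&response_type=token&user_code=OLDCODE";
        System.out.println(withUserCode(stale, "ABCD-EFGH"));
    }
}
```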


            People

            • Assignee:
              lawrence.yarham (Lawrence Yarham)
            • Reporter:
              lawrence.yarham (Lawrence Yarham)