Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0
Component/s: OpenID Connect
Labels:
Bug description
The 'issuer' value in the .well-known/openid-configuration output does not match the URL that requested it when a sub-realm is part of the request.
Note that this behaviour in 6.0.0.2 onward is different to the initial 6.0 release and also different to earlier releases, due to OPENAM-12784.
How to reproduce the issue
1. Install AM 6.0.0.5 and simply create a sub-realm, e.g. named IDP, and configure it for OIDC using the wizard.
2. Request (specifying the realm, not using a DNS alias) using the following format:
http://openam.example.com:8080/AM6/oauth2/IDP/.well-known/openid-configuration
3. Inspect the results and note:
"issuer":"http://openam.example.com:8080/AM6/oauth2/realms/root/realms/IDP"
Expected behaviour (as seen in AM 6.0.0.1 and earlier releases)
Request: http://openam.example.com:8080/AM6/oauth2/IDP/.well-known/openid-configuration
From the response: "issuer":"http://openam.example.com:8080/AM6/oauth2/IDP"
Current behaviour
Request: http://openam.example.com:8080/AM6/oauth2/IDP/.well-known/openid-configuration
From the response: "issuer":"http://openam.example.com:8080/AM6/oauth2/realms/root/realms/IDP"
Issue links
caused: OPENAM-16697 Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format (Resolved)
is caused by: OPENAM-12784 ProviderConfiguration is not spec compliant (Closed)
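Why the mismatch described above breaks relying parties, as an added example (not code from AM or from this report): OpenID Connect Discovery 1.0 requires the `issuer` in the configuration document to be identical to the URL prefix the client requested, so a client applying that check accepts the pre-6.0.0.2 response and rejects the current one. The function names are assumptions, and the sample bodies are reduced to the `issuer` field quoted in the report.

```python
import json
from typing import Tuple

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def issuer_from_discovery_url(discovery_url: str) -> str:
    """Return the Issuer URL that was used as the prefix of the discovery request."""
    if not discovery_url.endswith(WELL_KNOWN_SUFFIX):
        raise ValueError("not an OpenID Connect discovery URL")
    return discovery_url[: -len(WELL_KNOWN_SUFFIX)]


def check_discovery_issuer(discovery_url: str, body: str) -> Tuple[bool, str]:
    """Relying-party check: 'issuer' must equal the requested prefix exactly.

    The comparison is a plain string match with no case folding and no path
    rewriting, so any server-side change to the realm path format is caught.
    """
    expected = issuer_from_discovery_url(discovery_url)
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc}"
    issuer = doc.get("issuer") if isinstance(doc, dict) else None
    if not isinstance(issuer, str):
        return False, "configuration document has no 'issuer' string"
    if issuer != expected:
        return False, f"issuer {issuer!r} does not match requested prefix {expected!r}"
    return True, "issuer matches requested prefix"


# Request URL and issuer values as quoted in the report; bodies reduced to one field.
REQUEST_URL = "http://openam.example.com:8080/AM6/oauth2/IDP/.well-known/openid-configuration"
EXPECTED_BODY = '{"issuer":"http://openam.example.com:8080/AM6/oauth2/IDP"}'
CURRENT_BODY = '{"issuer":"http://openam.example.com:8080/AM6/oauth2/realms/root/realms/IDP"}'

if __name__ == "__main__":
    for label, body in (("expected", EXPECTED_BODY), ("current", CURRENT_BODY)):
        ok, reason = check_discovery_issuer(REQUEST_URL, body)
        print(f"{label}: {'accept' if ok else 'reject'} ({reason})")
```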