
Passing in a JWT (with jku in the header) to the authorize endpoint fails

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 6.5.2, 7.0.0
    • Component/s: None
    • Labels:
    • Sprint:
      2019.4 - Coins
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      Bug description

      Passing a JWT that defines a jku in its header to the authorize endpoint fails. The JWT is passed in using the request parameter. Example JWT:

      eyJhbGciOiJIUzI1NiIsImtpZCI6ImIvTzZPdlZ2MSt5K1dnckg1VWk5V1Rpb0x0MD0iLCJqa3UiOiJodHRwOi8vb3BlbmFtLmV4YW1wbGUuY29tOjgwODAvb2F1dGgyL2Nvbm5lY3QvandrX3VyaSJ9.eyJhdF9oYXNoIjoiREViNGF0dmk2QWw3MGlhRkNrbDZJUSIsInN1YiI6Im15T0F1dGgyQ2xpZW50IiwiYXVkaXRUcmFja2luZ0lkIjoiNDk4MmJlYzktNjgwYS00M2UzLWEzMmUtZDg4N2I5MmVjNTFhLTg4OCIsImlzcyI6Imh0dHA6Ly9vcGVuYW0uZXhhbXBsZS5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwidG9rZW5OYW1lIjoiaWRfdG9rZW4iLCJhdWQiOiJteU9BdXRoMkNsaWVudCIsImF6cCI6Im15T0F1dGgyQ2xpZW50IiwiYXV0aF90aW1lIjoxNTQ3MTM4NzEzLCJyZWFsbSI6Ii8iLCJleHAiOjE1NDcxNDIzMTMsInRva2VuVHlwZSI6IkpXVFRva2VuIiwiaWF0IjoxNTQ3MTM4NzEzfQ.539OBPj-o8Wo2aWfo-aAv8V_yGAhAD7vDcmqAG_1v38

      How to reproduce the issue

      1. Configure AS and client in AM
      2. Get a JWT, adding jku to the header. See/use/modify example above.
      3. Go to the authorize endpoint using something like: http://openam.example.com:8080/openam/oauth2/authorize?client_id=myOAuth2Client&response_type=code%20id_token&scope=profile&nonce=abcdef&request=<enter_JWT_here>

      Expected behaviour

      Continue to consent stage

      Current behaviour

      OAuth2Provider debug log:

      WARNING: An unexpected exception occurred while handling an OAuth2 request
      Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
      ...
      Caused by: org.forgerock.json.jose.exceptions.JwtRuntimeException: Value is not of the required type. Required, java.net.URL, actual, java.lang.String

      Work around

      None. OPENAM-11259 does provide one, but that is a REST STS related configuration property.

      Code analysis

      The org.forgerock.json.jose.utils.Utils.parseJson method uses the Jackson object mapper, which returns the header as a Map<String,Object>; in this case the map has a "jku" entry whose value is the String "https://myExternalLocation.com/allTheKeys.jwks". The constructor of the parent class of JwsHeader (org.forgerock.json.jose.jws.JwtSecureHeader) then processes each parameter through the overridden setParameter method in that same JwtSecureHeader class. For "jku" this reaches the JKU case, where the check this.checkValueIsOfType(value, URL.class); fails because the value is of type String and not URL.
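      To make the failure mode concrete, here is an added Python model of that parsing path (it is not OpenAM's or the json-jose library's code): it decodes the header of the example JWT from this issue, shows that jku arrives as a plain string, reproduces the type-check failure, and sketches a corrected handling that is my own assumption rather than the project's fix (urllib's SplitResult stands in for java.net.URL, and the host allowlist is added hardening that the issue itself does not describe).

```python
import base64
import json
from urllib.parse import SplitResult, urlsplit

# The example JWT quoted in this issue (HS256, with a jku in its header).
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsImtpZCI6ImIvTzZPdlZ2MSt5K1dnckg1VWk5V1Rpb0x0MD0i"
    "LCJqa3UiOiJodHRwOi8vb3BlbmFtLmV4YW1wbGUuY29tOjgwODAvb2F1dGgyL2Nvbm5lY3QvandrX3VyaSJ9"
    ".eyJhdF9oYXNoIjoiREViNGF0dmk2QWw3MGlhRkNrbDZJUSIsInN1YiI6Im15T0F1dGgyQ2xpZW50IiwiYXVk"
    "aXRUcmFja2luZ0lkIjoiNDk4MmJlYzktNjgwYS00M2UzLWEzMmUtZDg4N2I5MmVjNTFhLTg4OCIsImlzcyI6"
    "Imh0dHA6Ly9vcGVuYW0uZXhhbXBsZS5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwidG9rZW5OYW1lIjoiaWRf"
    "dG9rZW4iLCJhdWQiOiJteU9BdXRoMkNsaWVudCIsImF6cCI6Im15T0F1dGgyQ2xpZW50IiwiYXV0aF90aW1l"
    "IjoxNTQ3MTM4NzEzLCJyZWFsbSI6Ii8iLCJleHAiOjE1NDcxNDIzMTMsInRva2VuVHlwZSI6IkpXVFRva2Vu"
    "IiwiaWF0IjoxNTQ3MTM4NzEzfQ.539OBPj-o8Wo2aWfo-aAv8V_yGAhAD7vDcmqAG_1v38"
)

class JwtRuntimeError(Exception):
    """Stand-in for org.forgerock.json.jose.exceptions.JwtRuntimeException."""

def decode_header(jwt: str) -> dict:
    """Base64url-decode the first JWT segment (restoring '=' padding) as JSON.
    Like Jackson in Utils.parseJson, json.loads yields a plain str for "jku"."""
    segment = jwt.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_value_is_of_type(value, required: type) -> None:
    """Model of JwtSecureHeader.checkValueIsOfType: a strict type check that
    raises with the same message shape seen in the issue's stack trace."""
    if not isinstance(value, required):
        raise JwtRuntimeError("Value is not of the required type. Required, "
                              f"{required.__name__}, actual, {type(value).__name__}")

def set_jku_as_parsed(header: dict) -> SplitResult:
    """The failing path: the parsed value is a str but the check wants a URL
    type (SplitResult stands in for java.net.URL), so it raises."""
    check_value_is_of_type(header["jku"], SplitResult)
    return header["jku"]

def set_jku_coerced(header: dict, allowed_hosts: set) -> SplitResult:
    """Illustrative corrected handling (an assumption, not the project's patch):
    parse the string into a URL before the type check, then accept only JWKS
    locations on hosts the deployment trusts."""
    value = header["jku"]
    if isinstance(value, str):
        value = urlsplit(value)
    check_value_is_of_type(value, SplitResult)
    if value.scheme not in ("http", "https") or value.hostname not in allowed_hosts:
        raise JwtRuntimeError(f"jku {value.geturl()} is not an allowed JWKS location")
    return value
```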

              People

              • Assignee: Peter Major (Inactive)
              • Reporter: Aaron Haskins


                Time Tracking

                • Estimated: Not Specified
                • Remaining: 0h
                • Logged: 4h