  1. OpenAM
  2. OPENAM-14233

updated_at claim in the ID Token is returned as a string and not a number

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0
    • Fix Version/s: 13.5.3, 6.5.1, 6.0.1, 7.0.0, 5.5.2
    • Component/s: OpenID Connect
    • Sprint:
      AM Sustaining Sprint 59
    • Story Points:
      3
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      The updated_at claim is output as a string instead of a number as outlined in https://openid.net/specs/openid-connect-core-1_0.html

      updated_at (number): Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

       

      1. Create an ID Token with updated_at
      2. Check the claims in the token with
           curl -X POST -d "id_token=$IDTOKEN" http://openam.example.com:8080/openam/oauth2/idtokeninfo
      3. Notice that updated_at is in a string format

      Expected behaviour
      updated_at should be returned as a number as outlined in the specs
      
      Current behaviour
      updated_at is returned as a string

      Work around

       None

      Code analysis

       

      OpenAMScopeValidator.java
      
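      // Declared to return String: the epoch-seconds value computed below is converted with Long.toString().
      private String getUpdatedAt(String username, String realm, OAuth2Request request) throws NotFoundException {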
          try {
              final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
              String modifyTimestampAttributeName;
              String createdTimestampAttributeName;
              try {
                  modifyTimestampAttributeName = providerSettings.getModifiedTimestampAttributeName();
                  createdTimestampAttributeName = providerSettings.getCreatedTimestampAttributeName();
              } catch (ServerException e) {
                  logger.error("Unable to read last modified attribute from datastore", e);
                  return DEFAULT_TIMESTAMP;
              }
      
              if (modifyTimestampAttributeName == null && createdTimestampAttributeName == null) {
                  return null;
              }
      
              final AMHashMap timestamps = getTimestamps(username, realm, modifyTimestampAttributeName,
                      createdTimestampAttributeName);
              final String modifyTimestamp = CollectionHelper.getMapAttr(timestamps, modifyTimestampAttributeName);
      
              if (modifyTimestamp != null) {
                  synchronized (TIMESTAMP_DATE_FORMAT) {
                      return Long.toString(TIMESTAMP_DATE_FORMAT.parse(modifyTimestamp).getTime() / 1000);
                  }
              } else {
                  final String createTimestamp = CollectionHelper.getMapAttr(timestamps, createdTimestampAttributeName);
      
                  if (createTimestamp != null) {
                      synchronized (TIMESTAMP_DATE_FORMAT) {
                          return Long.toString(TIMESTAMP_DATE_FORMAT.parse(createTimestamp).getTime() / 1000);
                      }
                  } else {
                      return DEFAULT_TIMESTAMP;
                  }
              }
          } catch (IdRepoException e) {
              if (logger.errorEnabled()) {
                  logger.error("ScopeValidatorImpl" +
                                  ".getUpdatedAt: " +
                                  "error searching Identities with username : " +
                                  username,
                          e
                  );
              }
          } catch (SSOException e) {
              logger.warning("Error getting updatedAt attribute",
                      e);
          } catch (ParseException e) {
              logger.warning("Error getting updatedAt attribute", e);
          }
      
          return null;
      }
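
A type check a relying party or tester can run against an ID Token to catch the behaviour reported here. This is an added example, not OpenAM code; it also covers exp, iat and auth_time, which OpenID Connect Core likewise defines as JSON numbers. The function names and the sample tokens are constructed for illustration, and the signature is not verified.

```python
import base64
import json

# Time-valued claims that OpenID Connect Core defines as JSON numbers.
NUMERIC_TIME_CLAIMS = ("exp", "iat", "auth_time", "updated_at")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def mistyped_time_claims(claims: dict) -> dict:
    """Map each present time claim that is not a JSON number to its Python type name."""
    bad = {}
    for name in NUMERIC_TIME_CLAIMS:
        value = claims.get(name)
        # bool is a subclass of int in Python, but JSON true/false is not a number.
        if name in claims and (isinstance(value, bool) or not isinstance(value, (int, float))):
            bad[name] = type(value).__name__
    return bad


def _make_token(claims: dict) -> str:
    # Constructed sample token with a placeholder signature, for type checking only.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"


# Constructed samples: the string form reported in this issue and the numeric form the spec requires.
AFFECTED = _make_token({"sub": "demo", "iat": 1546300800, "updated_at": "1546300800"})
FIXED = _make_token({"sub": "demo", "iat": 1546300800, "updated_at": 1546300800})

if __name__ == "__main__":
    print(mistyped_time_claims(decode_claims(AFFECTED)), mistyped_time_claims(decode_claims(FIXED)))
```

The same check can be applied to the JSON body returned by the idtokeninfo call in step 2 by passing the parsed object to mistyped_time_claims.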
      

            People

            • Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              abel.hoxeng Abel Hoxeng