OPENAM-14306

OAuth2 client secret - not all special characters require encoding

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 6.5.0
    • Fix Version/s: None
    • Component/s: authentication, oauth2
    • Labels: None

      Description

      Bug description

      Using client credentials flow, and passing the client ID and secret using Basic Auth, some special characters in the client secret require encoding, some don't. Examples of client secrets I tried:

      @something - did NOT require encoding
      $something - did NOT require encoding
      %something - did require encoding
      +something - did require encoding

      They should either all fail or all pass without encoding for consistency. When it fails, Authentication debug log contains:


      Invalid Password : failedUserId <client ID of unencoded client secret>
      amAuth:01/23/2019 03:51:32:646 PM GMT: Thread[http-bio-8080-exec-2,5,main]: TransactionId[af1f9187-1d99-4240-8afe-727acf4d1e7e-86180]
      Invalid Password : Exception
      com.sun.identity.authentication.spi.InvalidPasswordException: invalid password
       at com.sun.identity.idm.plugins.internal.AgentsRepo.authenticate(AgentsRepo.java:1100)
      ...


      How to reproduce the issue

      1. Create OAuth2 clients, different ones for different special characters
      2. Create OAuth2 Provider
      3. Request token from /access_token endpoint, using Basic Auth, for different clients

      Expected behaviour

      Successful authentication, get a token

      Current behaviour

      {
          "error_description": "Client authentication failed",
          "error": "invalid_client"
      }

      Workaround

      Encode all client secrets

      Code analysis

      This is where the changes were made in OPENAM-13609:

      openam/openam-oauth2/src/main/java/org/forgerock/openam/oauth2/ClientCredentialsReader.java

      // Credentials arrived in the HTTP Basic Authorization header
      if (req.getChallengeResponse() != null) {
          final ChallengeResponse challengeResponse = req.getChallengeResponse();

          clientId = challengeResponse.getIdentifier();
          clientSecret = "";
          if (challengeResponse.getSecret() != null && challengeResponse.getSecret().length > 0) {
              try {
                  // The password half of the Basic credentials is URL-decoded here,
                  // so '%' and '+' in the raw secret are interpreted rather than taken literally
                  clientSecret = URLDecoder.decode(String.valueOf(req.getChallengeResponse().getSecret()),
                          StandardCharsets.UTF_8.name());
              } catch (UnsupportedEncodingException e) {
                  logger.error(e.getMessage());
                  throw new InvalidRequestException("Client secret was not UTF-8 encoded.");
              }
          }

          method = CLIENT_SECRET_BASIC;
      }
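      The decode call in the snippet accounts for the pattern in the bug description and for why the workaround (encode every secret) is sufficient: URLDecoder.decode treats only '%' and '+' specially. A '%' must begin a two-hex-digit escape, and '+' becomes a space, so '@' and '$' pass through unchanged, "%something" is rejected as an illegal escape, and "+something" arrives as " something" and no longer matches the stored secret. This is the behaviour RFC 6749 section 2.3.1 prescribes: the client applies application/x-www-form-urlencoded encoding to client_id and client_secret before Base64-encoding "id:secret" into the Basic header, which is what the server-side decode undoes. The following stand-alone Java program is an added illustration written for this page, not OpenAM code; the class name, the placeholder client ID "my-client" and the helper names are chosen here, while the four secrets are the ones from the description. It runs each raw secret through the same URLDecoder call as the snippet, then shows that every secret round-trips once it is encoded first.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example for OPENAM-14306; not part of the OpenAM code base.
public class ClientSecretDecodeDemo {

    // Same call the ClientCredentialsReader snippet applies to the Basic-auth password.
    static String decodeLikeOpenAm(String rawSecret) throws Exception {
        return URLDecoder.decode(rawSecret, StandardCharsets.UTF_8.name());
    }

    // Describes what the decode step does to one raw (unencoded) secret.
    static String describe(String rawSecret) throws Exception {
        try {
            String decoded = decodeLikeOpenAm(rawSecret);
            return decoded.equals(rawSecret)
                    ? "unchanged (passes through the decode step)"
                    : "changed to \"" + decoded + "\" (no longer matches the stored secret)";
        } catch (IllegalArgumentException e) {
            // '%' not followed by two hex digits, e.g. "%so" at the start of "%something"
            return "rejected: " + e.getMessage();
        }
    }

    // Workaround from the ticket, as RFC 6749 section 2.3.1 requires: form-URL-encode the
    // secret (and id) before Base64-encoding "id:secret" into the Authorization header.
    static String basicAuthorization(String clientId, String secret) throws Exception {
        String pair = URLEncoder.encode(clientId, StandardCharsets.UTF_8.name())
                + ":" + URLEncoder.encode(secret, StandardCharsets.UTF_8.name());
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    // Server side of the round trip: Base64-decode, split on the first ':', URL-decode the secret.
    static String secretSeenByServer(String authorization) throws Exception {
        String b64 = authorization.substring("Basic ".length());
        String pair = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        return decodeLikeOpenAm(pair.substring(pair.indexOf(':') + 1));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: the four secrets from the bug description and a placeholder client ID.
        String clientId = "my-client";
        String[] secrets = {"@something", "$something", "%something", "+something"};

        System.out.println("Sent unencoded (what the reporter did):");
        for (String s : secrets) {
            System.out.printf("  %-11s -> %s%n", s, describe(s));
        }

        System.out.println("Sent form-URL-encoded (workaround):");
        for (String s : secrets) {
            String header = basicAuthorization(clientId, s);
            boolean ok = secretSeenByServer(header).equals(s);
            System.out.printf("  %-11s -> %s, server sees original secret: %b%n", s, header, ok);
        }
    }
}
```

      Run it with `java ClientSecretDecodeDemo.java` (JDK 11 or later). Encoding the client_id as well costs nothing for plain identifiers and keeps the client correct if an ID ever contains a reserved character.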

      People

      • Assignee: Unassigned
      • Reporter: Aaron Haskins
      • Votes: 0
      • Watchers: 5