OpenAM / OPENAM-14310

CheckSession page indicates the session is not valid

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: OpenID Connect
    • Labels:
    • Sprint:
      AM Sustaining Sprint 60, AM Sustaining Sprint 61, AM Sustaining Sprint 62
    • Story Points:
      5
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
Yes, and I used the same ones as in the description

      Description

      Bug description

Set up an OIDC client (with a CheckSession URI and all the standard OIDC settings), obtain an id_token via the authorization code flow (so that there is an ops token in CTS), and issue the checkSession request as in the test case in https://bugster.forgerock.org/jira/browse/OPENAM-7094

       

Although CheckSession implements an old draft of the specification, the bugs here are worth tracking:

a) The session retrieved from CTS is stored in an array, and the code casts it to a String, which fails with an exception.

b) The code uses isValidToken(), which refreshes the session. This is not correct and should be corrected.

       

So the endpoint does not do much: the session lookup fails, the validSession flag in the CheckSession script is always false, and the debug log shows:

       

      LOGS:

      OAuth2Provider:01/24/2019 04:55:34:665 PM SGT: Thread[http-nio-8080-exec-8,5,main]: TransactionId[29b7719b-721e-4063-a00a-31135d167d22-14520]
      ERROR: Unable to get the SSO token
      org.forgerock.json.JsonValueException: /ops: Expecting a java.lang.String
              at org.forgerock.json.JsonValue.expect(JsonValue.java:762)
              at org.forgerock.json.JsonValue.asString(JsonValue.java:652)
              at org.forgerock.openidconnect.CheckSession.getValidSession(CheckSession.java:135)
              at org.forgerock.openidconnect.restlet.OpenIDConnectCheckSessionEndpoint.getDataModel(OpenIDConnectCheckSessionEndpoint.java:117)
              at org.forgerock.openidconnect.restlet.OpenIDConnectCheckSessionEndpoint.checkSession(OpenIDConnectCheckSessionEndpoint.java:98)
              at org.forgerock.openidconnect.restlet.OpenIDConnectCheckSessionEndpoint.checkSession(OpenIDConnectCheckSessionEndpoint.java:85)
              at sun.reflect.GeneratedMethodAccessor106.invoke(Unknown Source)
      

       

      How to reproduce the issue


1. Create an OIDC client
2. Add a CheckSession URI
3. Run the authorization code flow to get the id_token
4. Submit the id_token to the checkSession endpoint, for example:
   curl -s --request GET \
        --header "Referer: http://www.example.com?id_token=eyAidHlwIjogI..." \
        http://openam.example.com:8080/openam/oauth2/connect/checkSession
5. Notice the returned page, and check also the exception above:
   function getBrowserState(){
       var validSession = false; // <--- ALWAYS FALSE

       if (!validSession){
           return "";
       }
      
      Expected behaviour
      The browser state should be true for valid session
      
      Current behaviour
Always false, so the checkSession endpoint does not work either
      

      Work around

      None

• The value stored under the ops key of the session is in array form, and the code casts it to a String, so the check fails.
CheckSession.java
132                JsonValue idTokenUserSessionToken = tokenAdapter.fromToken(cts.read(opsId.asString()));
133                sessionId = idTokenUserSessionToken.get(LEGACY_OPS);
134            }
135            SSOToken ssoToken = ssoTokenManager.createSSOToken(sessionId.asString()); // <--- sessionId is an array
136            return ssoTokenManager.isValidToken(ssoToken);

• Also, ssoTokenManager.isValidToken(ssoToken) ALWAYS refreshes the SSOToken once the cast is fixed, so this needs to be ssoTokenManager.isValidToken(ssoToken, false)
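The two defects above (array-typed ops value, and a liveness check that also refreshes the session) in one standalone helper. This is an added example, not OpenAM's CheckSession code; the class, method names and the "ops" key name are assumptions, and the session ids are constructed values.

```java
import org.forgerock.json.JsonValue;
import org.forgerock.json.JsonValueException;
import static org.forgerock.json.JsonValue.*;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

/** Hypothetical helper (not OpenAM code) for resolving and checking the session behind an ops token. */
public final class OpsSessionCheck {

    // Key name assumed here; the bug report refers to it as LEGACY_OPS and the log shows it as "/ops".
    static final String LEGACY_OPS = "ops";

    /** Returns the session id whether CTS stored it as a bare string or as a single-element array; null if absent. */
    static String resolveSessionId(JsonValue opsToken) {
        JsonValue ops = opsToken.get(LEGACY_OPS);
        if (ops.isString()) {
            return ops.asString();                      // plain-string layout
        }
        if (ops.isList() && ops.size() > 0 && ops.get(0).isString()) {
            return ops.get(0).asString();               // array layout seen in the bug report: ["<sessionId>"]
        }
        return null;                                    // missing, empty or unexpected type: treat as no session
    }

    /** Answers "is this session still live" without extending its idle timeout. */
    static boolean isSessionValid(SSOTokenManager mgr, JsonValue opsToken) {
        String sessionId = resolveSessionId(opsToken);
        if (sessionId == null) {
            return false;
        }
        try {
            SSOToken token = mgr.createSSOToken(sessionId);
            return mgr.isValidToken(token, false);      // refresh=false: a check must not act as a keep-alive
        } catch (SSOException e) {
            return false;                               // unknown or expired session id
        }
    }

    public static void main(String[] args) {
        JsonValue arrayForm = json(object(field(LEGACY_OPS, array("constructed-session-id"))));
        JsonValue stringForm = json(object(field(LEGACY_OPS, "constructed-session-id")));
        try {
            arrayForm.get(LEGACY_OPS).asString();       // reproduces the "/ops: Expecting a java.lang.String" failure
        } catch (JsonValueException e) {
            System.out.println("asString() on array form: " + e.getMessage());
        }
        System.out.println(resolveSessionId(arrayForm));                                       // constructed-session-id
        System.out.println(resolveSessionId(stringForm));                                      // constructed-session-id
        System.out.println(resolveSessionId(json(object(field(LEGACY_OPS, array())))));       // null
    }
}
```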

       A fix

      +                 sessionId = idTokenUserSessionToken.get(LEGACY_OPS).stream().findFirst().orElse(null);
      +            }
      +            if (sessionId != null) {
      +                SSOToken ssoToken = ssoTokenManager.createSSOToken(sessionId.asString());
      +                return ssoTokenManager.isValidToken(ssoToken, false);
      +            }
      +            return false;
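Review bot: the `if (sessionId != null) {` guard on the third added line only covers a missing or empty LEGACY_OPS array; if the first element is present but not a string (for example a JSON null), `sessionId.asString()` on the following line still raises the same JsonValueException seen in the log, or hands a null id to createSSOToken. Suggest checking the type as well, e.g. `if (sessionId != null && sessionId.isString()) {`, and confirming that an SSOException from createSSOToken (the "Unable to get the SSO token" path in the log) is turned into a false browser state rather than an error response.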
      

People

• Assignee: Lawrence Yarham (lawrence.yarham)
• Reporter: C-Weng C (chee-weng.chea)