OpenAM / OPENAM-14337

Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client

    Details

    • Sprint:
      AM Sustaining Sprint 60, AM Sustaining Sprint 61, AM Sustaining Sprint 62
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When requesting an OIDC token from AM with the Pairwise Subject Type selected, the client must be configured with a Redirection URI. This is the case even if the token request does not specify a redirect URI.

      How to reproduce the issue

      1 login to the admin console
      2 click [Services] menu -> [OAuth2 Provider] -> [Advanced]

      • Add pairwise to the "Subject Types supported: public" field
      • Type "changeme" in the "Subject Identifier Hash Salt" field

      3 click [Save Changes] button
      4 click [Applications] menu -> [ > OAuth 2.0] -> [ > Clients] -> [ + Add Client]

      • Client ID: myClientID
      • Client secret: <password>
      • Redirection URIs : <leave this field empty>
      • Scope(s): cn openid profile

      5 click [Create] button
      6 Under "myClientID" created in step 4, click [Advanced] tab

      • Add "Client Credentials" to the list in the "Grant Types" field
      • Change the "Subject Type" drop-down list from "Public" to "Pairwise"

      7 click [Save Changes] button

      If the OIDC client has no "Redirect URIs" configured, AM returns a 500 error even if the request does not specify or need one:

      curl -v --request POST --user "myClientID:cangetin" --data 'grant_type=client_credentials&scope=openid' -k -v "http://openam.example.com:18080/openam/oauth2/access_token"
      Note: Unnecessary use of -X or --request, POST is already inferred.
      *   Trying 127.0.0.1...
       :
      {"error_description":"Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request", "error": "server_error"}
      

      The OAuth2Provider debug log records only this generic exception:

      o.f.o.r.ExceptionHandler: 2019-03-07 15:05:58,517: Thread[http-nio-18080-exec-1]: TransactionId[51efa186-87df-4e8b-b107-513ef1e8a96a-9076]
      ERROR: Unhandled exception:
      org.restlet.resource.ResourceException: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:527)
              at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
             :
      Caused by: java.util.NoSuchElementException: null
              at java.util.HashMap$HashIterator.nextNode(HashMap.java:1439)
              at java.util.HashMap$KeyIterator.next(HashMap.java:1461)
              at org.forgerock.openam.oauth2.OpenAMClientRegistration.containsMultipleRedirectUriHosts(OpenAMClientRegistration.java:1027)
              at org.forgerock.openam.oauth2.OpenAMClientRegistration.getSubValue(OpenAMClientRegistration.java:1014)
              at org.forgerock.openam.oauth2.token.OpenIdConnectTokenStore.createOpenIDToken(OpenIdConnectTokenStore.java:181)
              at org.forgerock.openidconnect.OpenIDTokenIssuer.lambda$issueToken$0(OpenIDTokenIssuer.java:75)
              at org.forgerock.util.LambdaExceptionUtils.lambda$rethrowSupplier$2(LambdaExceptionUtils.java:166)
              at org.forgerock.oauth2.core.StatefulAccessToken.lambda$toMap$0(StatefulAccessToken.java:332)
              at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
              at java.util.HashMap$EntrySpliterator.forEachRemaining(HashMap.java:1691)
              at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
              at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
              at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
              at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
              at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
              at org.forgerock.oauth2.core.StatefulAccessToken.toMap(StatefulAccessToken.java:333)
              at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:83)
      This RFE asks that the following be considered:

      1. Whether it is necessary for the client to include a redirect URI when it is not being used, and if so:
      2. Provide a more graceful and descriptive error in the debug logs indicating that the client requires a value for redirect_uri.
      3. Possibly provide a more descriptive error in the REST response and/or fail more gracefully than a 500.
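      The stack trace shows why the empty Redirection URI list ends in a 500: pairwise subject identifiers are derived from a sector identifier, which OIDC Core 8.1 takes from the host of the client's redirect_uri (or from a registered sector_identifier_uri when the Redirection URIs span several hosts), so with no URIs there is nothing to iterate over. The following is an added example, not OpenAM code, illustrating the pairwise derivation together with the configuration checks a token endpoint can run before hashing, so that a client without Redirection URIs gets a descriptive error instead of an unhandled NoSuchElementException. The function names, the hex encoding of the hash, the mapping of the failure to an HTTP 400 `invalid_request` response and the sample client registrations are all assumptions made for this illustration; the salt value "changeme" is the one from the reproduction steps.

```python
"""Pairwise `sub` derivation with graceful failure on a misconfigured client.

Added example (not OpenAM code). Follows the OIDC Core 8.1 description:
  sector_identifier = host of sector_identifier_uri, else host of redirect_uri
  sub               = SHA-256(sector_identifier || local_account_id || salt)
The hex encoding of the digest and the error-response mapping are assumptions.
"""
import hashlib
from urllib.parse import urlparse


class InvalidClientConfiguration(Exception):
    """The client registration cannot support the requested subject type."""


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Return the sector identifier (a host name) for a client registration.

    Raises InvalidClientConfiguration with a descriptive message instead of
    letting an empty or inconsistent Redirection URI set blow up later.
    """
    if sector_identifier_uri:
        host = urlparse(sector_identifier_uri).hostname
        if not host:
            raise InvalidClientConfiguration("sector_identifier_uri has no host")
        return host
    if not redirect_uris:
        # This is the empty-set case hit in OPENAM-14337: fail before iterating.
        raise InvalidClientConfiguration(
            "Pairwise subject type requires at least one Redirection URI "
            "or a sector_identifier_uri; none is configured for this client")
    hosts = {urlparse(uri).hostname for uri in redirect_uris}
    if None in hosts:
        raise InvalidClientConfiguration("a configured Redirection URI has no host")
    if len(hosts) > 1:
        raise InvalidClientConfiguration(
            "Redirection URIs span multiple hosts; register a sector_identifier_uri")
    return hosts.pop()


def pairwise_sub(local_account_id, redirect_uris, salt, sector_identifier_uri=None):
    """Compute the pairwise subject identifier as a hex SHA-256 digest (assumed encoding)."""
    sector = sector_identifier(redirect_uris, sector_identifier_uri)
    material = f"{sector}{local_account_id}{salt}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def issue_token_response(client, local_account_id, salt):
    """Model the token endpoint decision: (status, body) with an OAuth2-style error
    instead of a bare 500 when the client registration is unusable."""
    try:
        sub = pairwise_sub(local_account_id, client.get("redirect_uris", []), salt,
                           client.get("sector_identifier_uri"))
    except InvalidClientConfiguration as exc:
        # Assumed mapping: surface the configuration problem to the caller.
        return 400, {"error": "invalid_request", "error_description": str(exc)}
    return 200, {"sub": sub, "subject_type": "pairwise"}


# Constructed sample registrations mirroring the report: one client with no
# Redirection URIs (the failing case) and one with a single-host list.
EMPTY_CLIENT = {"client_id": "myClientID", "redirect_uris": []}
GOOD_CLIENT = {"client_id": "goodClient",
               "redirect_uris": ["https://app.example.com/cb",
                                 "https://app.example.com/cb2"]}

if __name__ == "__main__":
    print(issue_token_response(EMPTY_CLIENT, "demo", "changeme"))
    print(issue_token_response(GOOD_CLIENT, "demo", "changeme"))
```

The check that matters for this ticket is the `if not redirect_uris` branch: it turns the silent assumption "a pairwise client always has a redirect host" into an explicit, logged precondition, which is what items 2 and 3 of the RFE ask for.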

            People

            • Assignee:
              Sachiko Wallace (sachiko)
            • Reporter:
              Mark Nienaber (mark.nienaber@forgerock.com)
            • Votes:
              0
            • Watchers:
              5