OpenAM / OPENAM-14337

Fail gracefully when request OIDC token using "Pairwise" Subject Type and no Redirection URI is configured in client


    • Sprint:
      AM Sustaining Sprint 60, AM Sustaining Sprint 61, AM Sustaining Sprint 62
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description


      Bug description

      When requesting an OIDC token from AM with the Pairwise Subject Type selected, the client must have a Redirection URI configured. This is the case even if the token request does not specify a redirect URI.

      How to reproduce the issue

      1 login to admin console
      2 click [Services] menu -> [OAuth2 Provider] -> [Advanced]

      • Add pairwise to "Subject Types supported: public" field
      • Type in "changeme" in "Subject Identifier Hash Salt" field

      3 click [Save Changes] button
      4 click [Applications] menu -> [ > OAuth 2.0] -> [ > Clients] -> [ + Add Client]

      • Client ID: myClientID
      • Client secret: <password>
      • Redirection URIs : <leave this field empty>
      • Scope(s): cn openid profile

      5 [Create] button
      6 Under "myClientID" created in step 4, click [Advanced] tab

      • Add "Client Credentials" to the list of "Grant Types" field
      • Change "Subject Type" drop down list from "Public" to "Pairwise"

      7 [Save Changes] button

      If the OIDC client has no "Redirect URIs" configured, AM returns a 500 error even though the request neither specifies nor needs one:

      curl -v --request POST --user "myClientID:cangetin" --data 'grant_type=client_credentials&scope=openid' -k -v "http://openam.example.com:18080/openam/oauth2/access_token"
      Note: Unnecessary use of -X or --request, POST is already inferred.
      *   Trying
      {"error_description":"Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request", "error": "server_error"}

      The debug logs for OAuth2Provider show only this generic exception:

      o.f.o.r.ExceptionHandler: 2019-03-07 15:05:58,517: Thread[http-nio-18080-exec-1]: TransactionId[51efa186-87df-4e8b-b107-513ef1e8a96a-9076]
      ERROR: Unhandled exception:
      org.restlet.resource.ResourceException: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:527)
              at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
      Caused by: java.util.NoSuchElementException: null
              at java.util.HashMap$HashIterator.nextNode(HashMap.java:1439)
              at java.util.HashMap$KeyIterator.next(HashMap.java:1461)
              at org.forgerock.openam.oauth2.OpenAMClientRegistration.containsMultipleRedirectUriHosts(OpenAMClientRegistration.java:1027)
              at org.forgerock.openam.oauth2.OpenAMClientRegistration.getSubValue(OpenAMClientRegistration.java:1014)
              at org.forgerock.openam.oauth2.token.OpenIdConnectTokenStore.createOpenIDToken(OpenIdConnectTokenStore.java:181)
              at org.forgerock.openidconnect.OpenIDTokenIssuer.lambda$issueToken$0(OpenIDTokenIssuer.java:75)
              at org.forgerock.util.LambdaExceptionUtils.lambda$rethrowSupplier$2(LambdaExceptionUtils.java:166)
              at org.forgerock.oauth2.core.StatefulAccessToken.lambda$toMap$0(StatefulAccessToken.java:332)
              at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
              at java.util.HashMap$EntrySpliterator.forEachRemaining(HashMap.java:1691)
              at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
              at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
              at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
              at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
              at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
              at org.forgerock.oauth2.core.StatefulAccessToken.toMap(StatefulAccessToken.java:333)
              at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:83)

      This RFE asks that the following be considered:

      1. Is it necessary to require a redirect URI in the client configuration when it is not being used, and if so:
      2. provide a more graceful and descriptive error in the debug logs indicating that the client requires a value for redirect_uri, and
      3. possibly provide a more descriptive error in the REST response and/or fail more gracefully than a 500.
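      As an added illustration (not OpenAM's code), the following Python sketch shows why a pairwise subject type needs a redirect URI at all and how a token endpoint can fail descriptively when the set of redirect-URI hosts is empty, the case the NoSuchElementException above stems from. It follows the OIDC Core 8.1 derivation sub = SHA-256(sector_identifier || local_account_id || salt); the function names, the sample client and the mapping to a 400 invalid_client error are assumptions for the example.

```python
import hashlib
from urllib.parse import urlsplit

SALT = "changeme"  # the "Subject Identifier Hash Salt" from the reproduction steps


class ClientConfigError(ValueError):
    """Raised for a misconfigured client instead of letting the request crash."""


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Pick the sector identifier per OIDC Core 8.1: the host of
    sector_identifier_uri if registered, else the one host shared by all
    redirect URIs. An empty host set is the OPENAM-14337 situation."""
    if sector_identifier_uri:
        return urlsplit(sector_identifier_uri).hostname
    hosts = {urlsplit(u).hostname for u in redirect_uris}
    if not hosts:
        raise ClientConfigError(
            "pairwise subject type requires at least one redirect_uri "
            "or a sector_identifier_uri to derive the sector identifier")
    if len(hosts) > 1:
        raise ClientConfigError(
            "multiple redirect_uri hosts require a sector_identifier_uri")
    return hosts.pop()


def pairwise_sub(local_sub, redirect_uris, sector_identifier_uri=None, salt=SALT):
    """Pairwise sub: the same user gets a different sub per sector."""
    sector = sector_identifier(redirect_uris, sector_identifier_uri)
    return hashlib.sha256(f"{sector}{local_sub}{salt}".encode()).hexdigest()


def token_endpoint(client, local_sub):
    """Return (status, body); a configuration error becomes a descriptive
    OAuth2 error body rather than an unhandled 500 (assumed mapping)."""
    try:
        sub = pairwise_sub(local_sub, client["redirect_uris"],
                           client.get("sector_identifier_uri"))
    except ClientConfigError as exc:
        return 400, {"error": "invalid_client", "error_description": str(exc)}
    return 200, {"sub": sub}


if __name__ == "__main__":
    # Constructed client matching step 4 above: no Redirection URIs at all.
    my_client = {"client_id": "myClientID", "redirect_uris": []}
    print(token_endpoint(my_client, "alice"))
```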




            • Assignee: Sachiko Wallace, Mark Nienaber