Details

    • Sprint:
      AM Sustaining Sprint 60, AM Sustaining Sprint 61
    • Story Points:
      1
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      typo and wrong method call in Claims.java

      How to reproduce the issue

      The basic steps for setting up the remote consent service are described in the OAuth2 Guide: https://backstage.forgerock.com/docs/am/5.5/oauth2-guide/#oauth2-implement-remote-consent

      NOTE: you need to enable the `Enable "claims_parameter_supported"` setting on the [Advanced OpenID Connect] tab under OAuth2Provider.

      After setting up the remote consent service, add a `claims` request parameter to the authorize request:
      http://openam.example.com:18080/openam/oauth2/authorize?response_type=code&client_id=myClientID&realm=%2F&scope=openid&redirect_uri=http%3A%2F%2Fopenam.example.com%3A18080%2Fopenid%2Fcb-basic.html&state=af0ifjsldkj&claims=%7B%22userinfo%22%3A%7B%22phone_number%22%3A%20%7B%22essential%22%3A%20true%7D%7D%2C%20%22id_token%22%3A%7B%22email%22%3A%20%7B%22essential%22%3A%20true%7D%7D%7D

      The /authorize endpoint then redirects the request to:
      http://openam.example.com:28080/opensso/oauth2/consent?consent_request=eyJ0eXAiOiJKV1Q....

      When you decode this JWT, you will notice that:
      1. the claims attribute contains `user_info` instead of `userinfo`
      2. the userinfo claims are overwritten by what was in the id_token claims request

      {"clientId":"myClientID",
      "iss":"http://openam.example.com:18080/opensso/oauth2",
      "csrf":"9gbvH+9239U3UPyLk+QdeiJol8yGK5OHDZPDrgEaKcY=",
      "client_description":"",
      "aud":"myRCSAgent",
      "save_consent_enabled":true,
      "claims":{"user_info":{"email":{"essential":true}},"id_token":{"email":{"essential":true}}},  <--- HERE
      "scopes":{"openid":null},
      "exp":1551747798,
      "iat":1551747618,
      "client_name":"myClientID",
      "consentApprovalRedirectUri":"http://openam.example.com:18080/opensso/oauth2/authorize?response_type=code&client_id=myClientID&realm=%2F&scope=openid&redirect_uri=http%3A%2F%2Fopenam.example.com%3A18080%2Fopenid%2Fcb-basic.html&state=af0ifjsldkj&claims=%7B%22userinfo%22%3A%7B%22phone_number%22%3A%20%7B%22essential%22%3A%20true%7D%7D%2C%20%22id_token%22%3A%7B%22email%22%3A%20%7B%22essential%22%3A%20true%7D%7D%7D","username":"amadmin"}
      

      Note that consentApprovalRedirectUri contains the correct information, so when the user accesses the /userinfo endpoint they get the correct claims.
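The check below is an added example and not part of this ticket: it decodes the `consent_request` payload (inspection only, no signature verification, since the token was already received from AM) and compares its `claims` block against the `claims` query parameter of consentApprovalRedirectUri, reporting exactly the two discrepancies listed above. The JWT it inspects is constructed inline from the decoded payload shown, with a placeholder signature segment.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(payload: dict) -> str:
    """Constructed, unsigned test token: header.payload.<placeholder signature>."""
    header = _b64url(b'{"typ":"JWT","alg":"HS256"}')
    return ".".join([header, _b64url(json.dumps(payload).encode()), "sig"])


# Constructed sample payload, trimmed to the fields this check needs,
# taken from the decoded consent_request shown in the reproduction steps.
SAMPLE_PAYLOAD = {
    "clientId": "myClientID",
    "aud": "myRCSAgent",
    "claims": {"user_info": {"email": {"essential": True}},
               "id_token": {"email": {"essential": True}}},
    "consentApprovalRedirectUri": (
        "http://openam.example.com:18080/opensso/oauth2/authorize?response_type=code"
        "&client_id=myClientID&scope=openid"
        "&claims=%7B%22userinfo%22%3A%7B%22phone_number%22%3A%20%7B%22essential%22%3A%20true%7D%7D"
        "%2C%20%22id_token%22%3A%7B%22email%22%3A%20%7B%22essential%22%3A%20true%7D%7D%7D"),
}
SAMPLE_JWT = make_jwt(SAMPLE_PAYLOAD)


def decode_payload(jwt: str) -> dict:
    """Base64url-decode the payload segment; the signature is NOT checked here."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def requested_claims(payload: dict) -> dict:
    """The claims the client actually asked for, from the redirect URI's claims= parameter."""
    query = parse_qs(urlsplit(payload["consentApprovalRedirectUri"]).query)
    return json.loads(query["claims"][0])


def check_consent_request(jwt: str) -> list:
    """Return findings describing how the consent_request claims diverge from the request."""
    payload = decode_payload(jwt)
    issued = payload.get("claims", {})
    wanted = requested_claims(payload)
    findings = []
    if "user_info" in issued:
        findings.append("claims uses key 'user_info'; the OIDC name is 'userinfo'")
    got_userinfo = issued.get("userinfo", issued.get("user_info", {}))
    if set(got_userinfo) != set(wanted.get("userinfo", {})):
        findings.append("userinfo claims %s do not match requested %s"
                        % (sorted(got_userinfo), sorted(wanted.get("userinfo", {}))))
    return findings
```

An empty findings list means the consent_request carries the `userinfo` key with the same claim names the client requested.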

      Expected behaviour
      The claim should be returned as `userinfo` rather than `user_info`, and its contents should be the userinfo claims rather than what is defined under the id_token claims request.
      
      Current behaviour
      The claim is returned as `user_info` and its contents are those of the id_token claims request.
      
      Code Analysis

      There's a typo in 'user_info'; this should be 'userinfo'. The foreach that puts data into userInfoClaims actually uses getIdTokenClaims() instead. I think it should be like this:

      
          // Claims.java: builds the claims map that is embedded in the consent_request JWT.
          // Needs java.util.HashMap and java.util.Map imported at the top of the file.
          public Map<String, Object> asMap() {
              Map<String, Object> claims = new HashMap<>();
              if (!getIdTokenClaims().isEmpty()) {
                  Map<String, Object> idTokenClaims = new HashMap<>();
                  for (Claim claim : getIdTokenClaims().values()) {
                      idTokenClaims.put(claim.getNameWithLocale(), claim.asMap());
                  }
                  claims.put("id_token", idTokenClaims);
              }
              if (!getUserInfoClaims().isEmpty()) {
                  Map<String, Object> userInfoClaims = new HashMap<>();
                  // was getIdTokenClaims(): iterate the userinfo claims, not the id_token ones
                  for (Claim claim : getUserInfoClaims().values()) {
                      userInfoClaims.put(claim.getNameWithLocale(), claim.asMap());
                  }
                  // was "user_info": the OIDC claims request member is named "userinfo"
                  claims.put("userinfo", userInfoClaims);
              }
              return claims;
          }
      

      The only place that uses this asMap() is RemoteConsentAgentConfiguration.java.

       

              People

              • Assignee:
                sachiko Sachiko Wallace
                Reporter:
                mark.nienaber@forgerock.com Mark Nienaber