OpenAM / OPENAM-14642

OIDC Dynamic Client Registration registration_client_uri uses only Host header not BaseURL

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2
    • Fix Version/s: 6.5.2, 6.0.1, 5.5.2
    • Component/s: OpenID Connect
    • Labels:
    • Sprint:
      AM Sustaining Sprint 61, AM Sustaining Sprint 62
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same steps as in the description

      Description

      Bug description

      Create an OIDC dynamic client registration in a realm that has a fixed BaseURL source configured, then generate a new client. The registration_client_uri in the generated client always uses the request's "Host" header and not the configured BaseURL source.

      How to reproduce the issue


      1. Create a subrealm and an OAuth2/OIDC service
      2. Enable Dynamic Client Registration (or Open Dynamic Client Registration)
      3. Create an OAuth2/OIDC client, say myOIDCClient
      4. Get an access token for myOIDCClient (call this access token $AT)
      5. Set up a BaseURL source of type Fixed (the chosen host may need to be configured as a DNS alias)
      6. Generate a client registration, sending a Host header that differs from the configured BaseURL
        curl \
          -D - \
          -s -k \
          -X POST \
          -H "Host: somehost:someport" \
          -H "Content-type: application/json" \
          -H "Authorization: Bearer $AT" \
          --data '{
           "application_type": "web",
           "redirect_uris": ["http://localhost/test.jsp", "https://client.example.org/callback", "https://client.example.org/callback2"],
           "client_name": "My Example",
           "logo_uri": "https://client.example.org/logo.png",
           "subject_type": "public",
           "token_endpoint_auth_method": "client_secret_basic",
           "jwks_uri": "https://client.example.org/my_public_keys.jwks",
           "userinfo_encrypted_response_alg": "RSA1_5",
           "userinfo_encrypted_response_enc": "A128CBC-HS256",
           "contacts": ["ve7jtb@example.org", "mary@example.org"],
           "request_uris": ["https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA"],
           "default_max_age": 43200,
           "access_token_lifetime": 3600,
           "jwt_token_lifetime": 43200,
           "scopes": ["openid","profile"],
           "claimsRedirectionUris": [ "http://test.com" ],
           "grant_types": ["authorization_code", "implicit" ]
        }' <openam-url>/openam/oauth2/register?realm=${realm}
        
      7. Observe the registration_client_uri in the generated payload: its host is taken from the Host header sent in step 6, not from the BaseURL
        {
          "request_object_encryption_alg": "",
          "default_max_age": 43200,
          "application_type": "web",
          "userinfo_encrypted_response_enc": "A128CBC-HS256",
          "registration_client_uri": "<openam-host>/openam/oauth2/realms/root/realms/dynamic/register?client_id=84ed9278-9f8e-4e23-b622-7d706d6ce6a4",
          "client_type": "Confidential",
          "userinfo_encrypted_response_alg": "RSA1_5",
          "registration_access_token": "z4udB3B8FIyFR_yRU4dGZBPL6gw",
          "client_id": "84ed9278-9f8e-4e23-b622-7d706d6ce6a4",
          "token_endpoint_auth_method": "client_secret_basic",
          "userinfo_signed_response_alg": "",
          "public_key_selector": "jwks_uri",
          "scope": "openid profile",
          "authorization_code_lifetime": 0,
          "client_secret": "jc0oiPBcH1LCtEa8PkbAT6qZSmU",
          "user_info_response_format_selector": "ENCRYPTED_JWT",
          "client_name": "My Example",
          "id_token_signed_response_alg": "HS256",
          "default_max_age_enabled": true,
          "subject_type": "public",
          "jwt_token_lifetime": 3600,
          "id_token_encryption_enabled": false,
          "redirect_uris": ["http://localhost/test.jsp", "https://client.example.org/callback", "https://client.example.org/callback2"],
          "id_token_encrypted_response_alg": "RSA1_5",
          "id_token_encrypted_response_enc": "A128CBC_HS256",
          "client_secret_expires_at": 0,
          "access_token_lifetime": 3600,
          "jwks_uri": "https://client.example.org/my_public_keys.jwks",
          "refresh_token_lifetime": 0,
          "scopes": ["openid", "profile"],
          "request_object_signing_alg": "",
          "contacts": ["ve7jtb@example.org", "mary@example.org"],
          "response_types": ["code"]
        }
        
      Expected behaviour
      The configured BaseURL is used to build the registration_client_uri.
      
      Current behaviour
      It seems that the "Host" header is used to construct the registration_client_uri during client registration on 6.5.0.1 and before.
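      The check a practitioner would want after step 7, as an added example that is neither part of this ticket nor of OpenAM's own code: given the JSON returned by the register endpoint, the Host header that was sent, and the BaseURL configured for the realm, it reports whether registration_client_uri was built from the BaseURL (expected) or from the Host header (the behaviour reported here). It matters because registration_client_uri is the endpoint at which the client later presents its registration_access_token, so a value derived from the Host header follows whatever Host the request carried rather than the deployment's configured public URL. The Host header, BaseURL and the two response bodies below are constructed for the demonstration; only the client_id and registration_access_token are taken from the payload above.

```python
"""Classify which origin a registration_client_uri was built from.

Added example; not code from the OpenAM ticket or the OpenAM code base.
"""
import json
from urllib.parse import urlsplit, parse_qs

# Constructed values for the demonstration (assumptions, not a real deployment).
HOST_HEADER = "am.internal:8443"                    # Host header sent to AM
BASE_URL = "https://sso.example.com/openam"         # fixed BaseURL source
CLIENT_ID = "84ed9278-9f8e-4e23-b622-7d706d6ce6a4"  # client_id from the ticket
REGISTER_PATH = "/oauth2/realms/root/realms/dynamic/register"


def _response(prefix):
    """Build a minimal registration response whose URI starts with prefix."""
    return json.dumps({
        "client_id": CLIENT_ID,
        "registration_access_token": "z4udB3B8FIyFR_yRU4dGZBPL6gw",
        "registration_client_uri": f"{prefix}{REGISTER_PATH}?client_id={CLIENT_ID}",
    })


# What the affected versions return: scheme + Host header + context path.
BUGGY_RESPONSE = _response(f"https://{HOST_HEADER}/openam")
# What is expected once the BaseURL is honoured.
FIXED_RESPONSE = _response(BASE_URL)


def classify_registration_client_uri(response_body, host_header, base_url, scheme="https"):
    """Return 'base_url', 'host_header' or 'other' for the URI in response_body.

    'base_url'    - the URI starts with the configured BaseURL (scheme, authority
                    and any context path).
    'host_header' - the URI's scheme and authority equal the Host header sent.
    'other'       - neither (e.g. a third hostname, or an http/https mismatch).
    """
    body = json.loads(response_body)
    uri = urlsplit(body["registration_client_uri"])
    # The URI must at least point at the client that was just registered.
    if parse_qs(uri.query).get("client_id", [None])[0] != body.get("client_id"):
        raise ValueError("registration_client_uri does not carry the registered client_id")

    uri_origin = (uri.scheme.lower(), uri.netloc.lower())

    base = urlsplit(base_url)
    base_origin = (base.scheme.lower(), base.netloc.lower())
    base_prefix = base.path.rstrip("/") + "/"
    if uri_origin == base_origin and (uri.path + "/").startswith(base_prefix):
        return "base_url"

    if uri_origin == (scheme.lower(), host_header.lower()):
        return "host_header"

    return "other"


if __name__ == "__main__":
    for label, body in (("affected", BUGGY_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, "->", classify_registration_client_uri(body, HOST_HEADER, BASE_URL))
```

      To use it against a live system, paste the body returned by the curl in step 6 in place of the constructed response and pass the Host header you sent and the BaseURL you configured; a result of host_header reproduces this ticket.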
      

      Work around

      If possible, configure the load balancer to preserve the original Host header (PreserveHostHeader or the equivalent setting) so that the Host header AM receives has the right value.

      Code analysis

      DynamicClientRegistration.java
      Currently uses the Host header to build registration_client_uri and does not use the BaseURL even when a BaseURL source is configured.
      

              People

              • Assignee:
                chee-weng.chea C-Weng C
                Reporter:
                chee-weng.chea C-Weng C