OpenAM / OPENAM-14791

AM does not return scope attribute in response when granted scope is empty

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2, 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: oauth2

      Description

      Bug description

      The newly re-added JWT bearer grant type handler can grant a different set of scopes from the one the client requested if the JWT contains a "scope" claim indicating what the user has consented to. In this case https://tools.ietf.org/html/rfc6749#section-5.1 says that the "scope" attribute must be returned in the token endpoint response indicating the actual granted scope. If the set of scopes allowed ends up being empty then the "scope" attribute is not returned in the response, but the client still gets a (useless) access token.

      How to reproduce the issue

      1. Configure an OAuth 2 client with the JWT Bearer grant type with allowed scopes = "test"
      2. Create a Trusted JWT Issuer
      3. Issue a JWT from the issuer with a scope=openid claim in the JWT
      4. Perform a JWT bearer grant flow to obtain an access token with scope=test

      Expected behaviour

      The response should either be a failure because no scopes were granted, or else should carry the "scope":"" attribute to inform the client that different scopes were granted from what it requested.

      Current behaviour

      Successful response with no "scope" attribute. Introspecting the token shows empty scopes.

      Work around

      n/a

      Code analysis

      This code inside JwtBearerGrantTypeHandler (and AuthorizationCodeGrantTypeHandler, ClientCredentialsGrantTypeHandler, ...) is the cause:

          // The scope attribute is only written when the granted set is non-empty,
          // so an empty grant produces a token with no "scope" in the response.
          if (permittedScope != null && !permittedScope.isEmpty()) {
              accessToken.addExtraData(SCOPE, () -> Utils.joinScope(permittedScope));
          }
       
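The following is an added example, not OpenAM code, that models the decision the grant handlers have to make: intersect the requested scope with the scopes the client is allowed and, for the JWT bearer grant, with the "scope" claim stating what the user consented to, then decide whether the token response must carry "scope". The function names and the sample scope sets are hypothetical; `buggy_token_response` reproduces the behaviour reported above, and `fixed_token_response` implements the two outcomes the expected-behaviour section asks for (reject with invalid_scope, or return "scope": "").

```python
"""Model of the scope decision at the token endpoint (RFC 6749 section 5.1).

Added example, not OpenAM code: function names and sample scope values are
hypothetical. It shows why an empty granted scope must not silently produce
a token with no "scope" attribute.
"""
from typing import Optional, Set


def parse_scope(scope: Optional[str]) -> Set[str]:
    """Split a space-delimited scope string (RFC 6749 section 3.3) into a set."""
    return set(scope.split()) if scope else set()


def join_scope(scopes: Set[str]) -> str:
    """Inverse of parse_scope; sorted so the output is deterministic."""
    return " ".join(sorted(scopes))


def granted_scope(requested: Set[str], client_allowed: Set[str],
                  consented: Optional[Set[str]]) -> Set[str]:
    """Scopes actually granted: requested AND allowed for the client AND consented.

    consented is None when the assertion carries no "scope" claim; then the
    client's allowed scopes are the only restriction.
    """
    granted = requested & client_allowed
    if consented is not None:
        granted &= consented
    return granted


def buggy_token_response(requested, client_allowed, consented):
    """Behaviour reported in the issue: "scope" is added only when non-empty."""
    granted = granted_scope(requested, client_allowed, consented)
    body = {"access_token": "constructed-opaque-token", "token_type": "Bearer"}
    if granted:  # empty grant -> no scope attribute, yet a token is still issued
        body["scope"] = join_scope(granted)
    return 200, body


def fixed_token_response(requested, client_allowed, consented,
                         reject_empty_grant=True):
    """Corrected decision.

    - An empty grant is rejected with invalid_scope (RFC 6749 section 5.2), or,
      if the deployment prefers to issue the token anyway, the response carries
      "scope": "" so the client can see that nothing was granted.
    - Whenever the granted scope differs from the requested scope, "scope" is
      REQUIRED in the success response (section 5.1); when they are identical it
      is optional and omitted here.
    """
    granted = granted_scope(requested, client_allowed, consented)
    if not granted and reject_empty_grant:
        return 400, {"error": "invalid_scope",
                     "error_description": "none of the requested scopes were granted"}
    body = {"access_token": "constructed-opaque-token", "token_type": "Bearer"}
    if granted != requested:
        body["scope"] = join_scope(granted)
    return 200, body


if __name__ == "__main__":
    # The scenario from the reproduction steps: client allowed "test", the JWT
    # consented to "openid", the client requests "test" -> nothing is granted.
    args = (parse_scope("test"), parse_scope("test"), parse_scope("openid"))
    print("buggy:", buggy_token_response(*args))
    print("fixed (reject):", fixed_token_response(*args))
    print("fixed (issue):", fixed_token_response(*args, reject_empty_grant=False))
```

Running the script prints the buggy 200 response without a "scope" key for the reproduction scenario, then the corrected 400 invalid_scope response and the alternative 200 response with "scope": "". The `granted != requested` check is the part that maps directly to section 5.1: the attribute is mandatory exactly when the server changed the scope, and an empty set is a change like any other.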

    People

    • Assignee: Kajetan Hemzaczek (kajetan.hemzaczek)
    • Reporter: Neil Madden (neil.madden)