OpenAM / OPENAM-14825

OAuth2 Dynamic Registration with Software Statement triggers objectClass=* search

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.0.1, 6.5.1
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: oauth2
    • Labels:
    • Sprint:
      AM Sustaining Sprint 62
    • Story Points:
      5
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      Dynamically creating OAuth2 clients using a software statement triggers objectClass=* searches. When lots of clients are registered/registering, the search causes performance issues.

      How to reproduce the issue

      1. Create a profile for the Software Statement (Applications > Agents > Software Publisher) using the same values as mentioned in https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/#register-oauth2-client-dynamic-software-statement-example
      2. Enable Allow Open Dynamic Client Registration (no need for Master Client access token then) in Services > OAuth2 Provider > Client Dynamic Registration
      3. curl -X POST \
          http://openam.example.com:8088/openam/oauth2/connect/register \
          -H 'Content-Type: application/json' \
          -H 'cache-control: no-cache' \
          -d '{
         "redirect_uris": ["https://client.example.com:8443/callback"],
         "client_name": "SoftStateTest",
         "client_uri": "https://client.example.com/",
         "software_statement": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2NsaWVudC5leGFtcGxlLmNvbSIsImlhdCI6MTU1NjI4Nzc5MiwiZXhwIjoxNTg3ODIzNzkyLCJhdWQiOiJodHRwOi8vb3BlbmFtLmV4YW1wbGUuY29tOjgwODgvb3BlbmFtL29hdXRoMiIsInN1YiI6IjROUkIxLTBYWkFCWkk5RTYtNVNNM1IiLCJyZWRpcmVjdF91cmlzIjpbImh0dHBzOi8vY2xpZW50LmV4YW1wbGUuY29tL2NhbGxiYWNrIl19.pq9UqSSU2DJkIidp3ZJS1oQ-BE0DuTwJ5nKjBCG4ves"
         }'
      4. Search for the generated client_id (not the client name) in the DS LDAP access log files

      Expected behaviour

      A less impacting, quicker search

      Current behaviour

      objectClass=*
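
For step 4, one way to pull the relevant records out of the access log, as an added example that is not part of the original report. It assumes DS JSON-format access-log lines with `request.operation`, `request.dn`, `request.filter` and `response.elapsedTime` fields, and runs on a constructed log sample with a placeholder client_id.

```python
import json

# Constructed sample lines in the shape of DS JSON access-log records.
# Field names (request.operation/dn/filter, response.elapsedTime) are assumed;
# "example-client-id" is a placeholder for the generated client_id.
SAMPLE_LOG = """\
{"request":{"operation":"BIND","dn":"cn=Directory Manager"},"response":{"elapsedTime":2}}
{"request":{"operation":"SEARCH","dn":"ou=example-client-id,ou=agents,dc=example,dc=com","scope":"sub","filter":"(objectClass=*)"},"response":{"nentries":3,"elapsedTime":41}}
{"request":{"operation":"SEARCH","dn":"ou=agents,dc=example,dc=com","scope":"sub","filter":"(ou=example-client-id)"},"response":{"nentries":1,"elapsedTime":1}}
{"request":{"operation":"SEARCH","dn":"ou=other-client,ou=agents,dc=example,dc=com","scope":"sub","filter":"(objectClass=*)"},"response":{"nentries":3,"elapsedTime":40}}
{"request":{"operation":"SEARCH","dn":"ou=example-client-id,ou=agents,dc=example,dc=com","scope":"sub","filter":"(objectclass=*)"},"response":{"nentries":3,"elapsedTime":38}}
{"request":{"operation":"SEARCH","dn":"ou=example-cl
"""

def find_client_searches(lines, client_id):
    """Return (hits, presence_hits): SEARCH records that mention client_id in
    the base DN or filter, and the subset whose filter is (objectClass=*)."""
    needle = client_id.lower()
    hits, presence_hits = [], []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or half-written line
        if not isinstance(rec, dict):
            continue
        req = rec.get("request") or {}
        if req.get("operation") != "SEARCH":
            continue
        dn, flt = req.get("dn", ""), req.get("filter", "")
        if needle not in dn.lower() and needle not in flt.lower():
            continue
        hits.append(rec)
        # LDAP attribute names are case-insensitive, so normalise before comparing.
        if flt.replace(" ", "").lower() == "(objectclass=*)":
            presence_hits.append(rec)
    return hits, presence_hits

def summarize(lines, client_id):
    """Count the client's searches and total the time spent in presence searches."""
    hits, presence_hits = find_client_searches(lines, client_id)
    etime = sum((r.get("response") or {}).get("elapsedTime", 0) for r in presence_hits)
    return {"searches": len(hits), "presence_searches": len(presence_hits),
            "presence_etime": etime}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines(), "example-client-id"))
```

Comparing `presence_searches` and `presence_etime` before and after upgrading to a fix version shows whether the registration path still issues the broad search.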
      

      Work around

      None

              People

              • Assignee:
                lawrence.yarham Lawrence Yarham
              • Reporter:
                aaron.haskins Aaron Haskins