OPENAM-14834: JWT bearer grant implementation finds trusted JWT issuers by performing an unindexed search

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: oauth2
    • Labels:
    • Target Version/s:
    • Sprint:
      AM 2019.7 - Lighthouse
    • Support Ticket IDs:

      Description

      Bug description

      During the JWT validation process, the trusted JWT issuers are looked up in the hopes of finding a trusted issuer that has the same issuer value as the provided JWT. The problem is that this lookup ignores the provided issuer parameter, and instead performs a search like this:

      [29/Apr/2019:15:08:10 +0100] SEARCH REQ conn=9 op=502 msgID=503 base="ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org" scope=one filter="(&(&(objectclass=top)(ou=*))(&(objectclass=top)(sunserviceID=TrustedJwtIssuer)))" attrs="o"
      

      How to reproduce the issue

      curl --request POST \
        --url https://openam.dev:443/oauth2/access_token \
        --header 'content-type: application/x-www-form-urlencoded' \
        --data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&scope=uid&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIiwiaXNzIjoid2hvYW1pIiwiYXVkIjoiaHR0cHM6Ly9vcGVuYW0uZGV2OjQ0My9vYXV0aDIiLCJleHAiOjE1NTY1NTYzNDh9.Th7ieNLF1A6DQmqVhGi_f_zm71QxNiEZT3C5kbjcC8TUNjwMwyalxHxXyoh0OnBHgFERQqA8T7vruEggtnkhTF63PmYPBKSAYf9m4qZQF_xcmuFVotE-wvO2JJ28TnPkcjIierU7aW36nYPXZsnnCSvkPWPzyuVtDPopkiwfvx2IV2wItWosLReG0c4dmOiNUMyb00yuOu75puL0DHhz9RFxbjy-e0j_do5Sd8U2kkqR2KqCxU0vFS2iF7Q-VcEcUC3AV71dPDf8mxmKIamlc0vRTep_PwOzhPYYovwAqWK-4xP6yogZFLUYb0NgLH71RNT2iJwsAPpqkkrH67FM4tWYIGfEQ40RvQDP2nhqnJf4eEXqRoj5IoGCMlnNISync6JT02p9qULP0ZQsb_qgTWlnGyH3a60dpqzIBcxY7s1lRZDvWFBa6TLLtPJUm9U1Xrp_g9Is1ZvF6JWq0x0hMXLI5pKckS7mkJw1c44C_prIYScUm5OMnthr5hBcNEeYZFlFpZTkdZWd-ak4cwohTxdWpAG7pWL5WD72LLQbuEkFlvsagTil9jbtuw9-_MfdHexF98BANGun07E48xXCETPtvJkQ9r5ZKBTnVPt0DuamO58aV18RPal0LZoMzBcEnb9x68En_SBrqcZZUjwFHlUhTYIfK3wTuu6akpg183g&client_id=myclient&client_secret=secret'
      

      The above JWT needs to be updated to contain a better exp value.

      Expected behaviour

      Trusted JWT issuer lookup is performant.

      Current behaviour

      An unindexed search is performed; there is no equality index on the sunServiceID attribute by default.
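As an added illustration (not code from this issue or from OpenAM), the following Python decodes the iss and exp claims from the assertion used in the reproduction step and contrasts the filter seen in the directory log with one scoped to the presented issuer. It assumes the issuer name is held in the entry's ou attribute, which the issue does not state, and escapes the claim value per RFC 4515 before placing it in the filter so a caller-controlled iss cannot change the filter's meaning.

```python
import base64
import json

# Constructed sample: the payload segment of the assertion from the curl command above
ASSERTION_PAYLOAD = (
    "eyJzdWIiOiJkZW1vIiwiaXNzIjoid2hvYW1pIiwiYXVkIjoiaHR0cHM6Ly9vcGVuYW0u"
    "ZGV2OjQ0My9vYXV0aDIiLCJleHAiOjE1NTY1NTYzNDh9"
)

# Search base taken from the logged SEARCH REQ
BASE_DN = "ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org"


def decode_claims(assertion: str) -> dict:
    """Base64url-decode the JWT payload. This does NOT verify the signature; that step
    still has to run against the trusted issuer's key once the issuer entry is found."""
    payload = assertion.split(".")[1] if "." in assertion else assertion
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unindexed_filter() -> str:
    # The filter from the access log: ou=* matches every TrustedJwtIssuer entry,
    # so the directory must scan the whole subtree on each token request.
    return "(&(&(objectclass=top)(ou=*))(&(objectclass=top)(sunserviceID=TrustedJwtIssuer)))"


def issuer_scoped_filter(issuer: str) -> str:
    # Assumption (not confirmed by the issue): the trusted issuer's name is its ou value.
    # Putting the escaped iss claim into the filter lets an equality index answer the search.
    return "(&(objectclass=top)(ou=%s)(sunserviceID=TrustedJwtIssuer))" % escape_filter_value(issuer)


def exp_is_valid(claims: dict, now: int) -> bool:
    """True only while the exp claim lies in the future relative to `now` (epoch seconds)."""
    return int(claims.get("exp", 0)) > now


if __name__ == "__main__":
    claims = decode_claims(ASSERTION_PAYLOAD)
    print("iss:", claims["iss"], "exp:", claims["exp"])
    print("logged filter :", unindexed_filter())
    print("scoped filter :", issuer_scoped_filter(claims["iss"]))
```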

              People

              • Assignee: Unassigned
              • Reporter: peter.major (Peter Major)
              • Votes: 0
              • Watchers: 4