
Insufficient debug logging in OpenID Connect authentication module

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.5.0, 14.5.1, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.5.1, 6.5.0.2
    • Fix Version/s: 6.5.2, 7.0.0
    • Component/s: authentication
    • Labels:
    • Environment:
      Oracle JDK 1.8.0_201-b09
      Apache Tomcat/9.0.8
      AM 6.5.1
    • Sprint:
      AM Sustaining Sprint 63
    • Story Points:
      1
    • Support Ticket IDs:

      Description

      Bug description

      No message level debug information about the provided ID Token shows up in Authentication debug log when using the OpenID Connect id_token bearer authentication module.

      How to reproduce the issue

      1. Perform authentication using the OpenID Connect id_token bearer module.
      Expected behaviour
      Details about what is going on in the module are needed for troubleshooting customer issues.
      Current behaviour
      Only errors are logged.

      Code analysis

      org.forgerock.openam.authentication.modules.oidc.OpenIdConnect.java
      ...
      @Override
      public int process(Callback[] callbacks, int state) throws LoginException {
          final HttpServletRequest request = getHttpServletRequest();
          final String jwtValue = request.getHeader(config.getHeaderName());
          if (jwtValue == null || jwtValue.isEmpty()) {
              logger.error("No OpenIdConnect ID Token referenced by header value: " + config.getHeaderName());
              throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_MISSING_HEADER, null);
          }
      
          JwtClaimsSet jwtClaims = jwtHandler.validateJwt(jwtValue);
      
          if (!JwtHandler.isIntendedForAudience(config.getAudienceName(), jwtClaims)) {
              logger.error("ID token is not for this audience.");
              throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_ID_TOKEN_BAD_AUDIENCE, null);
          }
          if (JwtHandler.jwtHasAuthorizedPartyClaim(jwtClaims)) {
              if (!JwtHandler.isFromValidAuthorizedParty(config.getAcceptedAuthorizedParties(), jwtClaims)) {
                  logger.error("ID token was received from invalid authorized party.");
                  throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_INVALID_AUTHORIZED_PARTY, null);
              }
          }
          principalName = mapPrincipal(jwtClaims);
          storeUsername(principalName);
      
          if (jwtClaims.isDefined(ProofOfPossession.CNF)) {
              sharedState.put("org.forgerock.openam.authentication.modules.jwtpop.cnf",
                      jwtClaims.get(ProofOfPossession.CNF));
          }
      
          return ISAuthConstants.LOGIN_SUCCEED;
      }
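
      As an added illustration, not code from the OpenAM project or from this issue, the following stand-alone Java program shows the kind of message-level debug output the process() method excerpted above could emit at each of its steps: a summary of the presented ID token, the outcome of the audience check, whether an azp claim was present and accepted, and the principal mapped from the token. It assumes java.util.logging (FINE for message level, SEVERE for the error level the module already uses) in place of OpenAM's Debug class, extracts claims with simple regular expressions instead of a JwtClaimsSet, builds its own sample token with a placeholder signature segment, and does not verify signatures, which in the module is done by jwtHandler.validateJwt(...) before these checks run. The token summary reports the signature only by its length so that the debug log never becomes a second copy of a replayable bearer token.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// java.util.logging stands in for OpenAM's Debug class (assumption): FINE plays the
// role of message level, SEVERE the role of the error level the module already uses.
public final class IdTokenDebugExample {
    private static final Logger LOGGER = Logger.getLogger("amAuthOpenIdConnect");

    // Outcome of the checks, returned as a value so callers can inspect it.
    public static final class Outcome {
        public final boolean accepted;
        public final String reason, principal;
        Outcome(boolean accepted, String reason, String principal) {
            this.accepted = accepted; this.reason = reason; this.principal = principal;
        }
    }

    // Debug summary of a compact JWT: header and claims decoded, signature reported only by
    // length so the debug log never holds a replayable bearer token.
    public static String describe(String jwt) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            return "malformed ID token: expected 3 segments, found " + parts.length;
        }
        try {
            Base64.Decoder dec = Base64.getUrlDecoder();
            String header = new String(dec.decode(parts[0]), StandardCharsets.UTF_8);
            String claims = new String(dec.decode(parts[1]), StandardCharsets.UTF_8);
            return "ID token header=" + header + " claims=" + claims
                    + " signatureLength=" + parts[2].length();
        } catch (IllegalArgumentException e) {
            return "malformed ID token: segment is not base64url";
        }
    }

    // Minimal claim extraction for the example; the real module reads a JwtClaimsSet.
    static String stringClaim(String claimsJson, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"")
                .matcher(claimsJson);
        return m.find() ? m.group(1) : null;
    }

    // "aud" may be a single string or an array of strings.
    static boolean audienceContains(String claimsJson, String audience) {
        Matcher m = Pattern.compile("\"aud\"\\s*:\\s*(\\[[^\\]]*\\]|\"[^\"]*\")").matcher(claimsJson);
        return m.find() && m.group(1).contains("\"" + audience + "\"");
    }

    // Same check order as the module (audience, optional azp, principal mapping) with a
    // message-level line per step. Signature validation is assumed done, as by validateJwt().
    public static Outcome check(String jwt, String expectedAudience, Set<String> acceptedAzp) {
        LOGGER.fine(() -> describe(jwt));
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) {
            LOGGER.severe("ID token is not a compact JWT.");
            return new Outcome(false, "malformed token", null);
        }
        String claims = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        if (!audienceContains(claims, expectedAudience)) {
            LOGGER.severe("ID token is not for this audience.");
            return new Outcome(false, "bad audience", null);
        }
        LOGGER.fine("Audience check passed for '" + expectedAudience + "'");
        String azp = stringClaim(claims, "azp");
        if (azp == null) {
            LOGGER.fine("No azp claim present; authorized-party check skipped");
        } else if (!acceptedAzp.contains(azp)) {
            LOGGER.severe("ID token was received from invalid authorized party.");
            return new Outcome(false, "invalid authorized party", null);
        } else {
            LOGGER.fine("Authorized party '" + azp + "' is in the accepted list");
        }
        String principal = stringClaim(claims, "sub");
        if (principal == null) {
            LOGGER.severe("ID token carries no sub claim; cannot map principal.");
            return new Outcome(false, "no sub claim", null);
        }
        LOGGER.fine("Mapped principal '" + principal + "' from sub claim");
        return new Outcome(true, "ok", principal);
    }

    // Constructed sample token; the signature segment is a placeholder, not a real signature.
    static String sampleToken() {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"RS256\",\"kid\":\"example-key\"}";
        String claims = "{\"iss\":\"https://op.example.com\",\"sub\":\"alice\","
                + "\"aud\":[\"am-client\"],\"azp\":\"am-client\",\"exp\":4102444800}";
        return enc.encodeToString(header.getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(claims.getBytes(StandardCharsets.UTF_8)) + ".c2lnbmF0dXJl";
    }

    public static void main(String[] args) {
        // Message-level output is normally off; enable it only while troubleshooting.
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINE);
        LOGGER.setLevel(Level.FINE);
        LOGGER.setUseParentHandlers(false);
        LOGGER.addHandler(handler);
        Outcome ok = check(sampleToken(), "am-client", Collections.singleton("am-client"));
        Outcome bad = check(sampleToken(), "other-client", Collections.singleton("am-client"));
        System.out.println("accepted=" + ok.accepted + " principal=" + ok.principal);
        System.out.println("accepted=" + bad.accepted + " reason=" + bad.reason);
    }
}
```

      Running main() prints the token summary and one message-level line per check for the first call, and the audience error for the second. Decoded claims can include personal data, so in a deployment the message level is raised only for the duration of the troubleshooting session, as the Current behaviour section's "only errors are logged" default reflects.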
      

            People

            • Assignee: Kamal Sivanandam (kamal.sivanandam@forgerock.com)
            • Reporter: Bernhard Thalmayr (bthalmayr)
            • Votes: 0
            • Watchers: 1
