  1. OpenAM
  2. OPENAM-14930

OAuth2 introspect fails with could not find any verification keys for keyId

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.1, 6.5.2
    • Fix Version/s: 6.5.3
    • Component/s: oauth2
    • Sprint:
      AM Sustaining Sprint 63, AM Sustaining Sprint 72
    • Story Points:
      5
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      When testing the introspect endpoint with a customer-provided token for the backport of OPENAM-14766 for 6.5.x, the response received is:

      {"error_description":"Could not find any verification keys for keyId: xvqosiRDB0mK7Xa2lyLzT0Zr3-Q","error":"server_error"}

      How to reproduce the issue

      1. Deploy AM, 6.5.x, and configure embedded config and user store
      2. In top level realm, configure OAuth2 provider (OIDC)
      3. Create an oauth2 client, testoauth, password secret, scopes profile and openid and redirect uri of http://web.amtest2.com:90/test1/index.html
      4. Call the introspect endpoint with token, e.g.: curl -k --request POST --user "testoauth:secret" "https://openam.amtest2.com:8443/access/oauth2/introspect?token=<token>"

      Expected behaviour
      200 response with {"active":false} content.
      
      Current behaviour
      {"error_description":"Could not find any verification keys for keyId: xvq...-Q","error":"server_error"}
      

      Work around

      None

      Code analysis

      OAuth2JwtTokenHelper.$hasValidSignature
      verificationHandlers obtained in this function is empty for 6.5.x. In 7.0.0 snapshot this is not empty and processing is able to continue. There looks to be some difference in how the secrets are retrieved; not sure if this is something to do with the store containing the key being a default here, and the code looks to be attempting to read the realm stores in 6.5.x (for which there are none).

              People

              Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              lawrence.yarham Lawrence Yarham
              Votes:
              1
              Watchers:
              6

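
A simplified model of the key lookup described under "Code analysis", added here as an example; it is not OpenAM code and not part of the original report. The realm/default store dictionaries, the `use_default` switch, HS256 signing and the expired `exp` claim are assumptions chosen so it runs offline; only the keyId and the two response bodies are taken from the report.

```python
import base64, hashlib, hmac, json

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(kid, key, claims):
    """Constructed HS256 JWT used as sample input."""
    head = b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(key, head + '.' + body))}"

def verification_keys(kid, realm_store, default_store, use_default):
    """Realm store first; the default store only when use_default is set."""
    keys = realm_store.get(kid, [])
    if not keys and use_default:
        keys = default_store.get(kid, [])
    return keys

def introspect(token, realm_store, default_store, use_default, now):
    """Response body for a token; the verifier fixes HS256, ignoring header alg."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64d(head)), json.loads(b64d(body))
        kid, exp, given = str(header["kid"]), float(claims["exp"]), b64d(sig)
    except (ValueError, KeyError, TypeError):
        return {"active": False}  # unparseable token is simply not active
    keys = verification_keys(kid, realm_store, default_store, use_default)
    if not keys:  # the empty verificationHandlers case from the report
        return {"error": "server_error", "error_description":
                f"Could not find any verification keys for keyId: {kid}"}
    valid = any(hmac.compare_digest(sign(k, f"{head}.{body}"), given) for k in keys)
    return {"active": bool(valid and exp > now)}

KID = "xvqosiRDB0mK7Xa2lyLzT0Zr3-Q"               # keyId quoted in the report
DEFAULT_STORE = {KID: [b"constructed-demo-key"]}  # assumed: key only in default store
REALM_STORE = {}                                  # assumed: no realm-level stores
EXPIRED = make_token(KID, b"constructed-demo-key", {"sub": "demo", "exp": 1000})

if __name__ == "__main__":
    print(introspect(EXPIRED, REALM_STORE, DEFAULT_STORE, False, now=2000))
    print(introspect(EXPIRED, REALM_STORE, DEFAULT_STORE, True, now=2000))
```

With `use_default=False` the lookup yields no keys and the error body from "Current behaviour" comes back; with `use_default=True` verification proceeds and the expired token is reported as `{"active": false}`.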