OpenAM / OPENAM-14951

OAuth2 provider does not validate RCS clients in an external application store



    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.5.1
    • Fix Version/s: 7.0.0, 6.5.3
    • Component/s: None
    • Sprint:
      AM Sustaining Sprint 69, AM Sustaining Sprint 70
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description


      Bug description

      When an external application store is used in a realm, the OAuth2 provider in that realm cannot verify the existence of RCS clients in the external store.  Applies in the UI and when configuring with amster. 

      This effectively breaks the setup of the OAuth2 provider making our deployment pipelines fail.

      Note, this seemed to start happening as soon as we moved from 6.5.0 to 6.5.1.

      How to reproduce the issue

      1. Set up an RCS client in a realm called `rcs-config-store`
      2. Set up an OAuth2 provider in the realm
      3. Navigate to the consent tab of the OAuth2 provider and click the remote consent service ID dropdown. The `rcs-config-store` client is visible. 
      4. Set up an external application store in the realm
      5. Navigate to the RCS clients page, note the `rcs-config-store` client is gone.
      6. Create a new client called `rcs-app-store`
      7. Go back to the remote consent service ID dropdown on the OAuth2 provider. The `rcs-config-store` client is visible, not the `rcs-app-store` client.

      When trying to configure with amster, this results in the following error:

      Failed to import OAuth2Provider.json  : 400 Bad Request: Data validation failed for the attribute, Remote Consent Service ID 

      Expected behaviour

      Amster configuration succeeds. The correct RCS clients are in the RCS dropdown on the OAuth2 provider when an external application store is used.

      Current behaviour

      Amster configuration errors. The wrong RCS clients are in the dropdown.

      Work around

      Use a multi stage amster install and configure the RCS client before the OAuth2 provider in the realm, but after the realm is created. This has the downside of not being able to see the RCS client in the console, but in a gitops world, that doesn't matter much to us.


              chee-weng.chea C-Weng C
              simon.harding Simon Harding