
OIDC - JWT Request Parameter returns errors in query, not in the fragment


    • Sprint:
      AM Sustaining Sprint 65, AM Sustaining Sprint 66
    • Needs backport:
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description


      Bug description

      Errors are currently returned in a query parameter; however, according to the spec they should be returned in a fragment:

      7.  Security Considerations
      There are security implications to encoding response values in the query string. The HTTP Referer header includes query parameters, and so any values encoded in query parameters will leak to third parties. Thus, while it is safe to encode an Authorization Code as a query parameter when using a Confidential Client (because it can't be used without the Client Secret, which third parties won't have), more sensitive information such as Access Tokens and ID Tokens MUST NOT be encoded in the query string. In no case should a set of Authorization Response parameters whose default Response Mode is the fragment encoding be encoded using the query encoding. 

      How to reproduce the issue

      1. Configure the default OIDC Provider.
      2. Configure an OIDC client with HS256 as "Request parameter signing algorithm" and redirect URI "http://test.com/callback".
      3. Create a JWT signed with the client secret using online tools (e.g. jwt.io) or use the sample below:
      4. Send the JWT as part of the authorize request. The 302 response includes the code in the fragment:
        curl -v -X GET \
          'http://openam.example.com:18080/openam/oauth2/authorize?request=<sample JWT from above step>&client_id=myClientID&redirect_uri=http://test.com/callback&scope=openid%20profile&response_type=code%20id_token%20' \
          -H 'Cookie: amlbcookie=01; iPlanetDirectoryPro=<SSOToken of resource owner>' 
        Location → http://test.com?error_description=JWT%20invalid.%20Expiration%20time%20incorrect.&state=VinXAquPYb&error=invalid_request_object
      5. Or send an invalid response type:
        curl -v -X POST \
          http://openam.example.com:18080/opensso/oauth2/authorize \
          -H 'Content-Type: application/x-www-form-urlencoded' \
          -H 'Cookie: iPlanetDirectoryPro=<SSOToken of resource owner>; amlbcookie=01; iPlanetDirectoryPro=<SSOToken of resource owner>' \
          -d 'client_id=myClientID&csrf=<SSOToken of resource owner>&decision=allow&redirect_uri=http%3A%2F%2Ftest.com/callback&response_type=code23&scope=profile%20openid&state=af0ifjsldkj&save_consent=on'
      6. With a similar request that uses query parameters instead of a JWT, the error returns in a fragment:

      Expected behaviour
      Error should return in a fragment
      Current behaviour
      Error returns in a query parameter
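      The rule the issue relies on is the one from OAuth 2.0 Multiple Response Type Encoding Practices: a response_type that includes id_token or token defaults to fragment encoding, and a client may not downgrade that to query, because query parameters travel in the Referer header. The Python below is an added illustration written for this ticket, not OpenAM code: it derives the default response mode from response_type, builds an error redirect in the right place, and includes a small checker that flags a Location header (the one captured above is used as constructed sample input) whose query string carries error or token parameters. The function names are hypothetical.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# response_type values whose default response_mode is "fragment"
# (OAuth 2.0 Multiple Response Type Encoding Practices, section 5).
# Plain "code" (and "none") default to "query".
FRAGMENT_DEFAULT_TYPES = {"token", "id_token"}

# Parameters that must never appear in a query string for a fragment-default flow.
SENSITIVE_PARAMS = {"error", "access_token", "id_token"}


def default_response_mode(response_type: str) -> str:
    """Return "fragment" if any space-separated response_type value is token/id_token."""
    requested = set(response_type.split())
    return "fragment" if requested & FRAGMENT_DEFAULT_TYPES else "query"


def is_allowed_mode(response_type: str, response_mode: str) -> bool:
    """A client may ask for a safer mode, but never for query when fragment is the default."""
    if response_mode == "query" and default_response_mode(response_type) == "fragment":
        return False
    return response_mode in ("query", "fragment")


def build_error_redirect(redirect_uri: str, response_type: str, error: str,
                         error_description: str = None, state: str = None,
                         response_mode: str = None) -> str:
    """Build the Location value for an authorization error, honouring the response mode rules.

    Error responses follow the same encoding as a successful response for the
    same response_type, so an invalid request_object for "code id_token" goes
    into the fragment, exactly as this ticket expects.
    """
    mode = response_mode or default_response_mode(response_type)
    if not is_allowed_mode(response_type, mode):
        raise ValueError("response_mode=query not permitted for response_type=%r" % response_type)

    params = {"error": error}
    if error_description:
        params["error_description"] = error_description
    if state:
        params["state"] = state
    encoded = urlencode(params)

    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    if mode == "fragment":
        return urlunsplit((scheme, netloc, path, query, encoded))
    new_query = query + "&" + encoded if query else encoded
    return urlunsplit((scheme, netloc, path, new_query, fragment))


def leaks_via_query(location: str) -> bool:
    """True if a redirect carries error/token parameters in the query part.

    Useful as a QA check against the Location header of the 302 response:
    anything here is exposed to third parties through the Referer header.
    """
    query_keys = set(parse_qs(urlsplit(location).query))
    return bool(query_keys & SENSITIVE_PARAMS)


# Constructed sample: the Location header captured in step 4 of this ticket.
OBSERVED_LOCATION = ("http://test.com?error_description=JWT%20invalid.%20Expiration%20time%20incorrect."
                     "&state=VinXAquPYb&error=invalid_request_object")


def expected_location() -> str:
    """What the same error should look like once encoded in the fragment."""
    return build_error_redirect("http://test.com/callback", "code id_token",
                                "invalid_request_object",
                                "JWT invalid. Expiration time incorrect.", "VinXAquPYb")


if __name__ == "__main__":
    print("observed leaks via query:", leaks_via_query(OBSERVED_LOCATION))
    print("expected:", expected_location())
    print("expected leaks via query:", leaks_via_query(expected_location()))
```

Running leaks_via_query over the Location headers of steps 4 and 5 gives a quick regression check for the fix: it should report True before and False after.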


      Use IG to modify the responses


              • Assignee:
                sachiko Sachiko Wallace
                anastasios.kampas Tasos Kampas