
OIDC - JWT Request Parameter returns errors in query, not in the fragment

    Details

    • Sprint:
      AM Sustaining Sprint 65, AM Sustaining Sprint 66
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      Errors currently return in a query parameter, however, according to the spec they should return in a fragment:
      https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations

      7.  Security Considerations
      
      There are security implications to encoding response values in the query string. The HTTP Referer header includes query parameters, and so any values encoded in query parameters will leak to third parties. Thus, while it is safe to encode an Authorization Code as a query parameter when using a Confidential Client (because it can't be used without the Client Secret, which third parties won't have), more sensitive information such as Access Tokens and ID Tokens MUST NOT be encoded in the query string. In no case should a set of Authorization Response parameters whose default Response Mode is the fragment encoding be encoded using the query encoding. 
      

      How to reproduce the issue

      1. Configure default OIDC Provider
      2. Configure OIDC client with HS256 as "Request parameter signing algorithm" and redirect URI "http://test.com/callback"
      3. Create a JWT signed with the client secret using online tools (e.g. jwt.io) or use the sample below:
        eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteUNsaWVudElEIiwiaWF0IjoxNTU5MjEzMjMwLCJleHAiOjE1NTkyMTQ0MjMsImF1ZCI6Imh0dHA6Ly9vcGVuYW0uZXhhbXBsZS5jb206MTgwODAvb3BlbmFtL29hdXRoMiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic3RhdGUiOiJWaW5YQXF1UFliIiwibm9uY2UiOiJSbmNURG44bDEwIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImNsaWVudF9pZCI6Im15Q2xpZW50SUQifQ.FgSGm1GSikb_OM358Ob7ShUO_h8qoM3CRfC6EynjbwY
      4. Send the JWT as part of the authorize request. 302 response includes the code in the fragment
        curl -v -X GET \
          'http://openam.example.com:18080/openam/oauth2/authorize?request=<sample JWT from above step>&client_id=myClientID&redirect_uri=http://test.com/callback&scope=openid%20profile&response_type=code%20id_token%20' \
          -H 'Cookie: amlbcookie=01; iPlanetDirectoryPro=<SSOToken of resource owner>' 
        
        Location: http://test.com/?error_description=JWT%20invalid.%20Expiration%20time%20incorrect.&state=VinXAquPYb&error=invalid_request_object
        
      5. Or send an invalid response type:
        curl -v -X POST \
          http://openam.example.com:18080/opensso/oauth2/authorize \
          -H 'Content-Type: application/x-www-form-urlencoded' \
          -H 'Cookie: iPlanetDirectoryPro=<SSOToken of resource owner>; amlbcookie=01; iPlanetDirectoryPro=<SSOToken of resource owner>' \
          -d 'client_id=myClientID&csrf=<SSOToken of resource owner>&decision=allow&redirect_uri=http%3A%2F%2Ftest.com/callback&response_type=code23&scope=profile%20openid&state=af0ifjsldkj&save_consent=on'
         
      6. For a similar request using query parameters instead of a JWT, the error is returned in a fragment:
        http://test.com#error_description=Missing%20required%20parameter%20nonce%20from%20request&state=af0ifjsldkj&error=invalid_request
        
      Expected behaviour
      Error should return in a fragment
      
      Current behaviour
      Error returns in a query parameter
      

      Workaround

      Use IG to modify the responses

      People

      • Assignee:
        sachiko Sachiko Wallace
      • Reporter:
        anastasios.kampas Tasos Kampas
      • Votes:
        0
      • Watchers:
        5