OpenAM: OPENAM-15116

Auth ID jwt can be modified to determine whether a realm exists or not

Details

• Sprint: AM Sustaining Sprint 64, AM Sustaining Sprint 65
• Story Points: 2
• Needs backport: Yes
• Needs QA verification: Yes
• Functional tests: No
• Are the reproduction steps defined?: Yes, and I used the same as in the description

Description

Bug description

The Auth ID JWT can be modified to determine whether a realm exists or not. If the realm in the authId is changed, the server attempts to look up a key from the realm named in the JWT, which results in an NPE if that realm does not exist in the server configuration. This is then returned as a 500 instead of a 400, allowing discovery of all configured realms on the server.

How to reproduce the issue

1. Perform a POST on the ldapService.
2. Modify the authId JWT that comes back, changing the realm in the JWT to either a realm that exists or one that does not.
3. This results in either a 400 if the realm exists or a 500 if the realm does not.

Expected behaviour

Consistent error message

Current behaviour

Returning a 500 error
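The realm lookup and the inconsistent status codes described above, modelled as an added example (Python, not OpenAM's own code): a constructed HS256-style authId, a handler that reproduces the 500-versus-400 difference, and a fixed handler that maps an unknown realm and a bad signature to the same 400. The realm map, key values and claim layout are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed sample configuration: realm -> signing key (an assumption, not OpenAM's real layout).
CONFIGURED_REALMS = {"/": b"root-signing-key", "/employees": b"employees-signing-key"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_auth_id(realm: str) -> str:
    """Build a constructed HS256-style authId JWT signed with the realm's key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"realm": realm, "sessionId": "constructed"}).encode())
    sig = hmac.new(CONFIGURED_REALMS[realm], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def tamper_realm(auth_id: str, realm: str) -> str:
    """Regression-test fixture: rewrite the realm claim without re-signing (step 2 above)."""
    header, payload, sig = auth_id.split(".")
    claims = json.loads(_unb64url(payload))
    claims["realm"] = realm
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"

def _signature_valid(auth_id: str, key: bytes) -> bool:
    header, payload, sig = auth_id.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64url(sig))

def _realm_claim(auth_id: str) -> str:
    # The realm is read from the still-unverified payload, exactly as in the report.
    return json.loads(_unb64url(auth_id.split(".")[1]))["realm"]

def handle_vulnerable(auth_id: str) -> int:
    """Reported behaviour: unknown realm -> key is None -> exception (the NPE) -> HTTP 500."""
    key = CONFIGURED_REALMS.get(_realm_claim(auth_id))
    try:
        ok = _signature_valid(auth_id, key)  # hmac.new(None, ...) raises TypeError here
    except TypeError:
        return 500
    return 200 if ok else 400

def handle_fixed(auth_id: str) -> int:
    """Consistent behaviour: unknown realm and bad signature both map to HTTP 400."""
    key = CONFIGURED_REALMS.get(_realm_claim(auth_id))
    if key is None or not _signature_valid(auth_id, key):
        return 400
    return 200
```

With the fix, the status code no longer distinguishes a configured realm from an unconfigured one, so the oracle the report describes is closed.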

People

• Assignee: Kamal Sivanandam (kamal.sivanandam@forgerock.com)
• Reporter: Tom White (tom.white)
• Votes: 0
• Watchers: 7