OPENAM-15145: OpenAM Scope Validator calls getUserInfo twice when creating IdToken


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.5.0, 6.5.1, 6.5.2
    • Fix Version/s: 6.0.1, 6.5.3, 7.0.0
    • Component/s: oauth2, OpenID Connect
    • Labels:
    • Environment:
      This does not happen in 13.5.x; it was seen when auditing getUserInfo on a custom scope validator.
    • Needs backport:
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description.


      Bug/RFE description

      It seems that when an IdToken is created with claims, the ScopeValidator's getUserInfo is called twice: once when the IdToken is created (with the AlwaysAddClaims option) and again later when appendIdTokenClaims is called on the IdToken.

      The problem is that a custom Scope Validator that overrides getUserInfo will have it called twice, and if the lookup is expensive this is unneeded extra work. The issue mainly matters when a custom Scope Validator is in use, because the double call imposes conditions on those end-user validators (for example, the method must be idempotent).

      How to reproduce the issue

      1. Perform an OIDC flow with the OAuthProvider service configured with the AlwaysAddClaims option.
      2. The OIDC flow can be an Authorization Code flow with scope profile%20openid.
      3. If needed, you can also check the calls to getUserInfo (through a custom Scope Validator or a breakpoint).

      Expected behaviour

      Reduce the calls to getUserInfo to those actually needed.

      Current behaviour

      getUserInfo is called twice (or more) throughout the OIDC flow. The AlwaysAddClaims option adds one more call.

      Work around

      This may not be a problem even though getUserInfo is called more than once, but anyone auditing getUserInfo will notice it being called back to back during the createOpenIDToken call.

      Code analysis

      createOpenIDToken(...) {
          // When isAlwaysAddClaimsToken is set, getUserInfo() is called here.
          // Later calls in the same flow should not call it again but use what is already held.
      }
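As an added illustration (not OpenAM's code), a per-token memoization helper that a custom Scope Validator could wrap its expensive lookup in, so that the back-to-back calls made during createOpenIDToken (with AlwaysAddClaims) and appendIdTokenClaims reach the backend only once; the class name, the backend function and the 5-second TTL are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

/** Hypothetical helper: memoizes an expensive user-info lookup per access-token id. */
public final class MemoizedUserInfoLookup {

    private static final class Entry {
        final Map<String, Object> claims;
        final long expiresAtMillis;
        Entry(Map<String, Object> c, long e) { claims = c; expiresAtMillis = e; }
    }

    private final Function<String, Map<String, Object>> backend; // e.g. a remote profile service
    private final long ttlMillis;                                  // short: only bridges one OIDC flow
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final AtomicInteger backendCalls = new AtomicInteger(); // audit counter

    public MemoizedUserInfoLookup(Function<String, Map<String, Object>> backend, long ttlMillis) {
        this.backend = backend;
        this.ttlMillis = ttlMillis;
    }

    /** Call from the custom validator's getUserInfo, keyed by the access token's id. */
    public Map<String, Object> getUserInfo(String tokenId) {
        final long now = System.currentTimeMillis();
        cache.values().removeIf(e -> e.expiresAtMillis <= now); // keep the cache bounded
        // compute() is atomic per key, so even two concurrent first calls cost one backend call
        return cache.compute(tokenId, (id, old) -> {
            if (old != null && old.expiresAtMillis > now) {
                return old;
            }
            backendCalls.incrementAndGet();
            return new Entry(backend.apply(id), now + ttlMillis);
        }).claims;
    }

    public int backendCalls() { return backendCalls.get(); }

    public static void main(String[] args) {
        MemoizedUserInfoLookup lookup = new MemoizedUserInfoLookup(
                id -> Map.of("sub", "demo-user", "name", "Demo User"), 5_000L); // constructed sample
        lookup.getUserInfo("token-1"); // first call: createOpenIDToken with AlwaysAddClaims
        lookup.getUserInfo("token-1"); // second call: appendIdTokenClaims, served from the cache
        System.out.println("backend calls for token-1: " + lookup.backendCalls());
    }
}
```

The short TTL keeps cached claims from outliving the flow they were fetched for; if the validator sees token revocation events, evict the entry there as well.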




            • Assignee:
              chee-weng.chea C-Weng C