
OpenAM Scope Validator calls getUserInfo twice when creating IdToken

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6, 6.5.0, 6.5.0.1, 6.5.1, 6.5.0.2, 6.5.2, 6.0.0.7
    • Fix Version/s: 6.0.1, 6.5.3, 7.0.0, 6.5.2.2
    • Component/s: oauth2, OpenID Connect
    • Labels:
    • Environment:
      This does not happen in 13.5.x; it was seen when auditing the getUserInfo of a custom scope validator.
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same ones as in the description

      Description

      Bug/RFE description

      It seems that when an IdToken is created with claims, the ScopeValidator's getUserInfo is called twice: once when the IdToken is created (with the AlwaysAddClaims option) and again later, when appendIdTokenClaims is called for the IdToken (through getUserInfoAgent).

      The problem is that Custom Scope Validators may have overridden getUserInfo, so it will be called twice, and if the method is expensive this causes extra, unneeded work. The issue mainly arises when a custom Scope Validator is in use, because the duplicate call imposes conditions on those end-user validators (for example, the method must be idempotent).

      How to reproduce the issue

      1. Perform an OIDC flow with the OAuthProvider service set to have the AlwaysAddClaims option
      2. The OIDC flow can be an Authorization Code flow with scope profile%20openid
      3. If needed, you can also check the calls to getUserInfo (through a custom Scope Validator or a breakpoint)

      Expected behaviour

      Reduce the calls to getUserInfo to those that are needed

      Current behaviour

      getUserInfo is called twice (or more) throughout the OIDC flow. The AlwaysAddClaims option adds one more call.
      

      Work around

      This may not be a problem in itself, even though it is called more than once, but if one is auditing getUserInfo, one may notice it being called back to back during the createOpenIDToken call.

      Code analysis

      OpenIdConnectTokenStore.java
      createOpenIDToken(...) {

          // When isAlwaysAddClaimsToken is set, this calls getUserInfo()
          // However, later calls should not call it again and should use what it already has

      }
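As an added illustration (not OpenAM code), the following stand-alone Java sketch reproduces the two-call pattern described in this report with a call counter, the same audit check that exposes it, and shows a per-token memoizing wrapper that keeps an expensive or non-idempotent custom getUserInfo to one invocation per IdToken. The UserInfoSource interface and all class names are assumptions, not OpenAM's ScopeValidator API.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical stand-in for the part of a scope validator this issue concerns.
// It is not OpenAM's ScopeValidator interface; only the method shape is assumed.
interface UserInfoSource {
    Map<String, Object> getUserInfo(String tokenId);
}

// Simulates an expensive custom validator (for example one querying a remote directory)
// and counts its invocations, which is the audit check that exposes the duplicate calls.
class ExpensiveUserInfo implements UserInfoSource {
    final AtomicInteger calls = new AtomicInteger();
    public Map<String, Object> getUserInfo(String tokenId) {
        calls.incrementAndGet();
        Map<String, Object> claims = new HashMap<>();   // constructed sample claims
        claims.put("sub", "demo-user");
        claims.put("name", "Demo User");
        return claims;
    }
}

// Per-token memoizing wrapper: the first result for a token is reused by the later
// steps of the same flow (createOpenIDToken and appendIdTokenClaims paths).
class MemoizedUserInfo implements UserInfoSource {
    private final UserInfoSource delegate;
    private final Map<String, Map<String, Object>> cache = new HashMap<>();
    MemoizedUserInfo(UserInfoSource delegate) { this.delegate = delegate; }
    public synchronized Map<String, Object> getUserInfo(String tokenId) {
        return cache.computeIfAbsent(tokenId, delegate::getUserInfo);
    }
}

public class IdTokenFlowDemo {
    // Mimics the two places the report says getUserInfo is invoked for one IdToken.
    static Map<String, Object> buildIdToken(UserInfoSource v, String tokenId) {
        Map<String, Object> idToken = new HashMap<>(v.getUserInfo(tokenId)); // AlwaysAddClaims path
        idToken.putAll(v.getUserInfo(tokenId));                               // appendIdTokenClaims path
        return idToken;
    }
    public static void main(String[] args) {
        ExpensiveUserInfo unwrapped = new ExpensiveUserInfo();
        buildIdToken(unwrapped, "tok-1");
        System.out.println("getUserInfo calls without wrapper: " + unwrapped.calls.get());
        ExpensiveUserInfo wrapped = new ExpensiveUserInfo();
        buildIdToken(new MemoizedUserInfo(wrapped), "tok-1");
        System.out.println("getUserInfo calls with memoizing wrapper: " + wrapped.calls.get());
    }
}
```

The cache is keyed per token so that claims gathered for one IdToken are never reused for another, which keeps the wrapper from leaking one user's claims into a different flow.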
      

            People

            • Assignee: chee-weng.chea C-Weng C
            • Reporter: chee-weng.chea C-Weng C
            • Votes: 1
            • Watchers: 8
