OpenAM / OPENAM-15164

CDSSO with "ignore profile" throws "No OpenID Connect provider"

    Details

    • Sprint:
      AM Sustaining Sprint 64, AM Sustaining Sprint 65
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same ones as in the description

      Description

      Bug description

      This is a variation of OPENAM-12075.
      It is not possible to get an OIDC token when the realm's user profile setting is "ignore" and the realm has a valid user datastore.

      How to reproduce the issue

      1. Set up an OpenDJ instance whose users do not overlap with AM's user datastore
      2. Create a subrealm
      3. Configure an LDAP authentication module that uses the OpenDJ instance set up in the step above
      4. Set the realm's user profile setting to 'ignore'
      5. Set up OpenIG or PA
      6. Configure CDSSO (make sure the OAuth2Provider service is not registered under the same realm)
        https://backstage.forgerock.com/docs/am/6.5/authentication-guide/#sec-cdsso
      7. Start CDSSO with a browser

      Expected behaviour

      CDSSO should succeed.

      Current behaviour

      The error "No OpenID Connect provider for realm /testrealm001" is displayed.

      Workaround

      Remove the user datastore under the realm (OPENAM-12075), or add the OAuth2Provider service to the realm.

      Code analysis

      OPENAM-12075 added a check in OpenAMScopeValidator.getUsersIdentity() for whether the realm is configured to ignore the user profile, but the check only runs inside the NoUserExistsException handler. This check should be done at the beginning of the method, before the identity lookup is attempted.

      org.forgerock.openam.oauth2.OpenAMScopeValidator.java
          private AMIdentity getUsersIdentity(String resourceOwnerId, String realm, OAuth2Request request)
                  throws SSOException, UnauthorizedClientException {
              try {
                  return identityManager.getResourceOwnerOrClientIdentity(request, resourceOwnerId, realm);
              } catch (NoUserExistsException e) {
                  logger.message("No user exists for {} in realm {}", resourceOwnerId, realm);
                  if (identityManager.isIgnoredProfile(realm)) {
                      logger.message("User profile set to ignore, 'no user' result is valid.");
                      return null;
                  }
      
                  throw e;
              }
          }
      
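      The following is an added illustration of the change suggested in the code analysis above, not OpenAM's own code. It places the "ignore profile" check ahead of the identity lookup and contrasts it with the current shape of the method. The OpenAM types (AMIdentity, NoUserExistsException, the identity manager) are replaced by constructed stand-ins, and the IllegalStateException carrying the reported error text is an assumption for the demonstration: it models a lookup failure that is not a NoUserExistsException and therefore never reaches the existing catch block.

```java
import java.util.HashMap;
import java.util.Map;

public class IgnoreProfileFixDemo {

    /** Stand-in for OpenAM's NoUserExistsException (constructed for this example). */
    static class NoUserExistsException extends Exception {
        NoUserExistsException(String msg) { super(msg); }
    }

    /** Stand-in for the identity object the real method returns. */
    static class AMIdentity {
        final String name;
        AMIdentity(String name) { this.name = name; }
    }

    /** Stand-in for OpenAM's identity manager, reduced to the two calls the method uses. */
    interface IdentityManager {
        boolean isIgnoredProfile(String realm);
        AMIdentity getResourceOwnerOrClientIdentity(String resourceOwnerId, String realm)
                throws NoUserExistsException;
    }

    /** Current shape: the ignore-profile check only runs after a NoUserExistsException. */
    static AMIdentity getUsersIdentityBefore(IdentityManager im, String owner, String realm)
            throws NoUserExistsException {
        try {
            return im.getResourceOwnerOrClientIdentity(owner, realm);
        } catch (NoUserExistsException e) {
            if (im.isIgnoredProfile(realm)) {
                return null; // 'no user' is a valid result for an ignore-profile realm
            }
            throw e;
        }
    }

    /** Suggested shape: consult the realm setting first, so no lookup is attempted at all. */
    static AMIdentity getUsersIdentityAfter(IdentityManager im, String owner, String realm)
            throws NoUserExistsException {
        if (im.isIgnoredProfile(realm)) {
            return null; // same 'no user' result as before, but independent of how the lookup fails
        }
        return im.getResourceOwnerOrClientIdentity(owner, realm);
    }

    /** Constructed identity manager: a per-realm profile setting and a per-realm lookup behaviour. */
    static class FakeIdentityManager implements IdentityManager {
        private final Map<String, Boolean> ignored = new HashMap<>();
        private final Map<String, String> lookupMode = new HashMap<>(); // "found", "no-user", "provider-error"

        void setIgnoredProfile(String realm, boolean value) { ignored.put(realm, value); }
        void setLookupMode(String realm, String mode) { lookupMode.put(realm, mode); }

        public boolean isIgnoredProfile(String realm) { return ignored.getOrDefault(realm, false); }

        public AMIdentity getResourceOwnerOrClientIdentity(String owner, String realm)
                throws NoUserExistsException {
            switch (lookupMode.getOrDefault(realm, "no-user")) {
                case "found":
                    return new AMIdentity(owner);
                case "no-user":
                    throw new NoUserExistsException("No user " + owner + " in realm " + realm);
                default:
                    // Assumption for this example: with a valid datastore the lookup fails with
                    // something other than NoUserExistsException, so the catch block never runs.
                    throw new IllegalStateException("No OpenID Connect provider for realm " + realm);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        FakeIdentityManager im = new FakeIdentityManager();
        im.setIgnoredProfile("/testrealm001", true);
        im.setLookupMode("/testrealm001", "provider-error");

        try {
            getUsersIdentityBefore(im, "alice", "/testrealm001");
            System.out.println("before: unexpected success");
        } catch (IllegalStateException e) {
            System.out.println("before: " + e.getMessage()); // the reported error surfaces
        }

        System.out.println("after: " + getUsersIdentityAfter(im, "alice", "/testrealm001")); // null

        // A realm that does not ignore profiles still performs the lookup exactly as before.
        im.setLookupMode("/normal", "found");
        System.out.println("after, /normal: " + getUsersIdentityAfter(im, "bob", "/normal").name);
    }
}
```

      Moving the check to the top makes the null result depend only on the realm setting, not on which exception the lookup happens to throw; callers must already tolerate a null identity, since the existing ignore-profile branch returns null as well.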

      People

      • Assignee: Sachiko Wallace
      • Reporter: Sachiko Wallace