OpenAM: OPENAM-15425

OIDC endsession - encrypted id_tokens are not supported

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.2.1
    • Fix Version/s: 6.5.3, 7.0.0
    • Component/s: oauth2, OpenID Connect
    • Sprint: AM Sustaining Sprint 67, AM Sustaining Sprint 68, AM Sustaining Sprint 69
    • Story Points: 5
    • Needs backport: No
    • Needs QA verification: No
    • Functional tests: Yes
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      Passing an encrypted ID token to the endSession endpoint results in an error, because the endpoint expects a SignedJwt. This is the same limitation the auth module has in OPENAM-12462.

      How to reproduce the issue

      1. Create an OIDC Provider
      2. Create an OIDC client with the openid scope
        1. Enable ID token encryption at the client
      3. Start an Auth Code flow and get an encrypted ID token
      4. Call the /endSession endpoint:
         http://openam.example.com:18080/openam/oauth2/connect/endSession?id_token_hint={{idToken}}
         The response is:
         {
           "error_description": "Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request",
           "error": "server_error"
         }

      Error in OAuth2Provider log:

      Caused by: java.lang.ClassCastException: Cannot cast org.forgerock.json.jose.jwe.SignedThenEncryptedJwt to org.forgerock.json.jose.jws.SignedJwt
      	at java.lang.Class.cast(Class.java:3369)
      	at org.forgerock.json.jose.common.JwtReconstruction.reconstructJwt(JwtReconstruction.java:101)
      	at org.forgerock.oauth2.core.OAuth2Jwt.create(OAuth2Jwt.java:69)
      	at org.forgerock.openidconnect.restlet.EndSession.endSession(EndSession.java:94)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:511)
      
      Expected behaviour
      Encrypted tokens to be supported

      Current behaviour
      Encrypted tokens are not supported
      

              People

              • Assignee: Lawrence Yarham (lawrence.yarham)
              • Reporter: Tasos Kampas (anastasios.kampas)
              • Votes: 1
              • Watchers: 6