
OAuth2 Nodes Fail when called from Inner Tree Evaluator


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 6.5.2.1
    • Fix Version/s: None
    • Component/s: trees
    • Sprint:
      AM Sustaining Sprint 67, AM Sustaining Sprint 68, AM Sustaining Sprint 69
    • Story Points:
      3

      Description

      Bug description

      When calling any Social OAuth2 node from an Inner Tree Evaluator Node, the Social Node fails after returning from the IdP because the state parameter cannot be found in sharedState.

      How to reproduce the issue

      1. Create an Auth Tree with any of the Social Nodes.
      2. Create another tree that calls the Auth Tree you created in Step 1 via an Inner Tree Evaluator node.
      3. Fail Authentication.

      Expected behaviour

      Successfully authenticate and log into AM.

      Current behaviour

      Authentication fails.

      Work around

      No workaround that I could find.

      Code analysis


      org.forgerock.oauth.clients.oauth2$OAuth2Client.java
      In the #handlePostAuth method, on line 272, AM pulls the initial state parameter from sharedState to validate that the state parameter sent in the query parameters after the redirect matches.

      When a tree is called directly (without inner tree evaluation), at this point in the code the sharedState looks like:

          {
            "realm": "/",
            "authLevel": 0,
            "provider": "google",
            "state": "kwre7ecnkomf9bb4wfjxvdj5brgt21c",
            "data": null,
            "landingPage": null,
            "code_verifier": "6yER_rYF9RsgZSE5S6LtVxKL1IZYGMdN55FZHOZd0hQ"
          }

      When a tree is called from an Inner Tree Evaluator, at this point in the code the sharedState looks like:

          {
            "sharedState": {
              "realm": "/",
              "authLevel": 0,
              "provider": "google",
              "state": "q3stdp0samdgichdnnj4c4qt7fe1ngy",
              "data": null,
              "landingPage": null,
              "code_verifier": "jD5lBWWt0ePy0hW4qtmEKUTvcu_LhoZEQWooZa8sFEc"
            },
            "currentNodeId": "5874fef3-d349-4e4f-96dd-a7f58c1e88e1",
            "sessionProperties": {},
            "sessionHooks": [],
            "webhooks": []
          }

      Because the state parameter is nested one level down under "sharedState", the OAuth2Client's top-level lookup cannot find it, and the state check that protects the redirect against CSRF fails closed.
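      To make the failure concrete, here is an added Python illustration (not AM or OAuth2Client code) that runs the post-redirect state check against both sharedState shapes quoted above; the values are the constructed samples from this report, and the unwrapping lookup is a hypothetical fix, not the one AM ships.

```python
import hmac
from typing import Callable, Optional

# Constructed samples taken from the report: the flat shape seen when the tree
# runs directly, and the wrapper shape produced by the Inner Tree Evaluator.
FLAT_SHARED_STATE = {
    "realm": "/", "authLevel": 0, "provider": "google",
    "state": "kwre7ecnkomf9bb4wfjxvdj5brgt21c", "data": None,
    "landingPage": None,
    "code_verifier": "6yER_rYF9RsgZSE5S6LtVxKL1IZYGMdN55FZHOZd0hQ",
}
NESTED_SHARED_STATE = {
    "sharedState": {
        "realm": "/", "authLevel": 0, "provider": "google",
        "state": "q3stdp0samdgichdnnj4c4qt7fe1ngy", "data": None,
        "landingPage": None,
        "code_verifier": "jD5lBWWt0ePy0hW4qtmEKUTvcu_LhoZEQWooZa8sFEc",
    },
    "currentNodeId": "5874fef3-d349-4e4f-96dd-a7f58c1e88e1",
    "sessionProperties": {}, "sessionHooks": [], "webhooks": [],
}


def lookup_state_as_reported(shared_state: dict) -> Optional[str]:
    """Mimics the lookup the report describes: top-level 'state' only."""
    return shared_state.get("state")


def lookup_state_unwrapped(shared_state: dict) -> Optional[str]:
    """Hypothetical fix: step into the inner-tree wrapper before reading 'state'."""
    inner = shared_state.get("sharedState")
    if isinstance(inner, dict) and "state" in inner:
        shared_state = inner
    return shared_state.get("state")


def validate_redirect(shared_state: dict, query_state: Optional[str],
                      lookup: Callable[[dict], Optional[str]]) -> bool:
    """The CSRF check an OAuth2 client performs after the IdP redirect.

    Fails closed: a missing stored state or a mismatch rejects the callback.
    """
    expected = lookup(shared_state)
    if expected is None or query_state is None:
        return False
    # Constant-time comparison so the check does not leak the stored value.
    return hmac.compare_digest(expected, query_state)
```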

              People

              Assignee:
              sachiko Sachiko Wallace
              Reporter:
              Frank.Gasparovic Frank Gasparovic