OpenAM: OPENAM-15487

OIDC - JWT Request Parameter returns errors in query, not in the fragment with invalid acr essential claim

    Details

    • Sprint:
      AM Sustaining Sprint 67, AM Sustaining Sprint 68
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same ones as in the description

      Description

      Bug description

      Same case as OPENAM-15012. When an invalid essential acr claim is used as part of the request JWT, the error is returned in the query string instead of in the fragment.

      How to reproduce the issue

      1. Configure default OIDC Provider
      2. Enable "claims_parameter_supported" in Advanced OIDC
      3. Configure OIDC client with HS256 as "Request parameter signing algorithm" and redirect URI "http://test.com"
      4. Create a JWT signed with the client secret using online tools (e.g. jwt.io), or use the sample below:
        eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJteUNsaWVudElEIiwiaWF0IjoxNTU5MjEzMjMwLCJleHAiOjE1Njk1MDA5NTgsImF1ZCI6Imh0dHA6Ly9vcGVuYW0uZXhhbXBsZS5jb206MzgwODAvb3BlbmFtL29hdXRoMiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic3RhdGUiOiJWaW5YQXF1UFliIiwibm9uY2UiOiJSbmNURG44bDEwIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImNsaWVudF9pZCI6Im15Q2xpZW50SUQiLCJjbGFpbXMiOnsiaWRfdG9rZW4iOnsiYWNyIjp7InZhbHVlIjoidGVzdHkiLCJlc3NlbnRpYWwiOnRydWV9fX0sImp0aSI6ImYzZDg0ZTQ4LTY1MzEtNDBkNi04Y2JhLTIyNzJmMGI4OGQ0MyJ9.aXD2kF8BShWWMZRt2b6sHYuGYznIUIx60DuUVCM0K7o

        which decodes to (header {"typ":"JWT","alg":"HS256"}, payload as follows)

        {
          "iss": "myClientID",
          "iat": 1559213230,
          "exp": 1569500958,
          "aud": "http://openam.example.com:38080/openam/oauth2",
          "response_type": "code id_token",
          "state": "VinXAquPYb",
          "nonce": "RncTDn8l10",
          "scope": "openid profile",
          "client_id": "myClientID",
          "claims": {
            "id_token": {
              "acr": {
                "value": "testy",
                "essential": true
              }
            }
          },
          "jti": "f3d84e48-6531-40d6-8cba-2272f0b88d43"
        }
        

        Note that the acr value "testy" does not exist in the OAuth2 Provider settings.

      5. Send the JWT as part of the authorize request (-i prints the response headers so the redirect Location is visible; the session cookie only needs to be sent once):
        curl -s -i \
          'http://openam.example.com:38080/openam/oauth2/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJteUNsaWVudElEIiwiaWF0IjoxNTU5MjEzMjMwLCJleHAiOjE1Njk1MDA5NTgsImF1ZCI6Imh0dHA6Ly9vcGVuYW0uZXhhbXBsZS5jb206MzgwODAvb3BlbmFtL29hdXRoMiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic3RhdGUiOiJWaW5YQXF1UFliIiwibm9uY2UiOiJSbmNURG44bDEwIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImNsaWVudF9pZCI6Im15Q2xpZW50SUQiLCJjbGFpbXMiOnsiaWRfdG9rZW4iOnsiYWNyIjp7InZhbHVlIjoidGVzdHkiLCJlc3NlbnRpYWwiOnRydWV9fX0sImp0aSI6ImYzZDg0ZTQ4LTY1MzEtNDBkNi04Y2JhLTIyNzJmMGI4OGQ0MyJ9.aXD2kF8BShWWMZRt2b6sHYuGYznIUIx60DuUVCM0K7o&client_id=myClientID&redirect_uri=http%3A%2F%2Ftest.com&scope=openid%20profile&response_type=code%20id_token' \
          -H 'Cookie: iPlanetDirectoryPro=9H-z-lWcF__wlN8etE63Kw7-cSQ.*AAJTSQACMDEAAlNLABxvYkVwRDFsbGpqWEozU3BDVThpdW1tbjV5cjg9AAR0eXBlAANDVFMAAlMxAAA.*; amlbcookie=01'

        The response is a redirect whose Location header carries the error in the query string:

        Location: http://test.com?error_description=Invalid%20acr%20values%3A%20%5Btesty%5D&state=VinXAquPYb&error=invalid_request
        

        The same happens when the acr claim is passed as a query parameter (i.e. without a request JWT):

        http://test.com?error_description=Invalid%20acr%20values%3A%20%5Btest%5D&error=invalid_request
        

        A voluntary (non-essential) acr claim results in an HTTP 200 OK with code and id_token.

      Expected behaviour
      Error to be returned in the fragment, since the request uses response_type=code id_token (hybrid flow), whose default response mode is fragment.

      Current behaviour
      Error is returned in the query string
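The reproduction above can be checked offline. The following is an added example written for this issue page, not OpenAM code: it builds the HS256 request object from step 4 with a constructed client secret, verifies it, and classifies a redirect Location as carrying the error in the query or the fragment, compared against the response mode that response_type implies. OBSERVED_REDIRECT is the Location from step 5; CLIENT_SECRET and EXPECTED_REDIRECT are constructed sample values.

```python
"""Build an HS256 OIDC request object and check where an authorization error
lands in the redirect (query vs fragment), per OPENAM-15487.
Added example, not OpenAM code. CLIENT_SECRET and EXPECTED_REDIRECT are
constructed; OBSERVED_REDIRECT is the Location reported in the issue."""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

CLIENT_SECRET = "example-client-secret"  # constructed; the real secret is unknown

# Claims of the request object used in the issue (iat/exp/jti omitted here).
REQUEST_CLAIMS = {
    "iss": "myClientID",
    "aud": "http://openam.example.com:38080/openam/oauth2",
    "response_type": "code id_token",
    "client_id": "myClientID",
    "redirect_uri": "http://test.com",
    "scope": "openid profile",
    "state": "VinXAquPYb",
    "nonce": "RncTDn8l10",
    "claims": {"id_token": {"acr": {"value": "testy", "essential": True}}},
}

# Redirect reported in the issue (error in the query) and the constructed form
# the hybrid flow calls for (same parameters, carried in the fragment).
OBSERVED_REDIRECT = ("http://test.com?error_description=Invalid%20acr%20values%3A%20%5Btesty%5D"
                     "&state=VinXAquPYb&error=invalid_request")
EXPECTED_REDIRECT = OBSERVED_REDIRECT.replace("http://test.com?", "http://test.com#", 1)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Compact JWS drops the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_request_jwt(payload: dict, client_secret: str) -> str:
    """Sign a request object with HS256 using the client secret (step 4)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, client_secret: str) -> bool:
    """Constant-time HS256 check that refuses any other alg, so a tampered
    header (e.g. alg=none) cannot downgrade the verification."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a captured request object without verifying it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def expected_response_mode(response_type: str) -> str:
    """Default response mode from OAuth 2.0 Multiple Response Type Encoding
    Practices: 'code' and 'none' use the query; any response_type containing
    'token' or 'id_token' (implicit and hybrid flows) uses the fragment."""
    return "fragment" if set(response_type.split()) & {"token", "id_token"} else "query"


def error_location(redirect_location: str) -> Optional[str]:
    """'query', 'fragment' or None, depending on where 'error' appears."""
    parts = urlsplit(redirect_location)
    if "error" in parse_qs(parts.fragment):
        return "fragment"
    if "error" in parse_qs(parts.query):
        return "query"
    return None


def error_response_conforms(redirect_location: str, response_type: str) -> bool:
    """True when the error is encoded where the success response would be."""
    return error_location(redirect_location) == expected_response_mode(response_type)


if __name__ == "__main__":
    token = build_request_jwt(REQUEST_CLAIMS, CLIENT_SECRET)
    print("request object verifies:", verify_hs256(token, CLIENT_SECRET))
    for label, loc in (("observed", OBSERVED_REDIRECT), ("expected", EXPECTED_REDIRECT)):
        print(label, error_location(loc), error_response_conforms(loc, REQUEST_CLAIMS["response_type"]))
```

Running decode_jwt_payload over the token in step 4 is also how to confirm what it actually carries (iat 1559213230, exp 1569500958 and a jti claim); the conformance check returns False for the Location observed in step 5 because a code id_token request defaults to fragment encoding, and True for the same parameters moved into the fragment.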
      


              People

              • Assignee: Sachiko Wallace (sachiko)
              • Reporter: Tasos Kampas (anastasios.kampas)