
AM expects nonce request parameter in authorize request when no id_token will be returned

    Details

    • Sprint:
      AM Sustaining Sprint 68
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When making a request to the authorize endpoint with a response_type of none (and no id_token_hint), AM returns the error "Missing required parameter nonce from request", which doesn't make sense, as an id_token will not be returned and hence there is no nonce value to compare with.

      Also, it is not clear what Response Type Plugin should be configured on the OAuth2 Provider (this might be the real issue here).

      How to reproduce the issue

      1. Create OAuth2 Provider service
      2. Add none to Response Type Plugin - map none|org.forgerock.openidconnect.IdTokenResponseTypeHandler
      3. http://openam.example.com:8088/openam/oauth2/realms/root/authorize?client_id=myOAuth2Client&scope=openid&prompt=none&redirect_uri=http://www.example.com&state=1234&response_type=none
      Expected behaviour
      When supplied as the response_type parameter in an OAuth 2.0 Authorization Request, the Authorization Server SHOULD NOT return an OAuth 2.0 Authorization Code, Access Token, Access Token Type, or ID Token in a successful response to the grant request. If a redirect_uri is supplied, the User Agent SHOULD be redirected there after granting or denying access. See https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#none
      Current behaviour
      Missing required parameter nonce from request
      Code analysis

      org/forgerock/openidconnect/OpenIdConnectAuthorizeRequestValidator.java
      // Maybe some other checks here against a response_type of none
      if (!requestedScopes.contains(OPENID) && responseTypes.contains(ID_TOKEN)) {
          // id_token requested without scope=openid: rejected, error returned in
          // the fragment or the query depending on the response type
          throw new InvalidRequestException("Missing expected scope=openid from request",
                  Utils.isOpenIdConnectFragmentErrorType(responseTypes) ? FRAGMENT : QUERY);
      } else if (requestedScopes.contains(OPENID)) {
          // Every request with scope=openid reaches the nonce check, including
          // response_type=none, where no id_token (and so no nonce) is expected
          validateNonce(request, responseTypes);
      }
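The validation rule the ticket asks for, as an added illustration (not AM's code, and not a patch to the Java above): a nonce only matters when the authorize endpoint will issue an id_token, so the check is keyed on response_type containing id_token rather than on scope=openid. The reproduction URL from the ticket is used as sample input; the helper names, the "none cannot be combined" check and the fragment-vs-query rule are assumptions made for the example.

```python
"""Nonce validation for an OpenID Connect authorize request.

Added example for OPENAM-15494; not ForgeRock code. It contrasts the
reported behaviour (nonce demanded whenever scope=openid) with the
expected behaviour (nonce demanded only when an id_token will be issued).
"""
from urllib.parse import parse_qs, urlsplit

OPENID = "openid"
ID_TOKEN = "id_token"
# Assumption: response types that return tokens in the front channel get their
# errors in the URL fragment; everything else uses the query component.
FRAGMENT_RESPONSE_TYPES = {"id_token", "token"}

# Reproduction URL from the ticket, used here as constructed sample input.
REPRO_URL = ("http://openam.example.com:8088/openam/oauth2/realms/root/authorize"
             "?client_id=myOAuth2Client&scope=openid&prompt=none"
             "&redirect_uri=http://www.example.com&state=1234&response_type=none")


class InvalidRequestException(Exception):
    def __init__(self, message, error_location):
        super().__init__(message)
        self.error_location = error_location  # "fragment" or "query"


def error_location(response_types):
    return "fragment" if response_types & FRAGMENT_RESPONSE_TYPES else "query"


def nonce_required_reported(scopes, response_types):
    """Behaviour the ticket reports: any scope=openid request needs a nonce."""
    return OPENID in scopes


def nonce_required_expected(scopes, response_types):
    """Expected: a nonce is only needed when an id_token will be returned."""
    return ID_TOKEN in response_types


def validate_authorize_request(params):
    """params: dict of single-valued authorize request parameters."""
    scopes = set(params.get("scope", "").split())
    response_types = set(params.get("response_type", "").split())
    loc = error_location(response_types)

    # Assumption for the example: 'none' is not combinable with other types.
    if "none" in response_types and len(response_types) > 1:
        raise InvalidRequestException("response_type none cannot be combined", loc)

    # Same check as the Java snippet: id_token needs scope=openid.
    if ID_TOKEN in response_types and OPENID not in scopes:
        raise InvalidRequestException("Missing expected scope=openid from request", loc)

    # Corrected nonce rule: keyed on id_token, so response_type=none passes.
    if nonce_required_expected(scopes, response_types) and not params.get("nonce"):
        raise InvalidRequestException("Missing required parameter nonce from request", loc)
    return True


def params_from_url(url):
    """Flatten the query string of an authorize URL into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check(params):
    """Return None when the request is valid, else (message, error_location)."""
    try:
        validate_authorize_request(params)
    except InvalidRequestException as exc:
        return str(exc), exc.error_location
    return None


if __name__ == "__main__":
    print("repro URL:", check(params_from_url(REPRO_URL)))  # None: accepted
    print("id_token without nonce:",
          check({"scope": "openid", "response_type": "id_token"}))
```

With the corrected rule the ticket's URL is accepted, while `response_type=id_token` without a nonce is still rejected with the error delivered in the fragment.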
            People

            • Assignee:
              lawrence.yarham Lawrence Yarham
            • Reporter:
              aaron.haskins Aaron Haskins
            • Votes:
              0
            • Watchers:
              5
