OPENAM-15628

Grant-Set Storage Scheme for CTS does not work with CIBA Flow


    Details

    • Sprint:
      AM Sustaining Sprint 69
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes, and I used the same ones as in the description

      Description

      Bug description

      The CIBA flow fails at the "/access_token" call: exchanging the "auth_req_id" for tokens does not work when the OAuth2 Provider's CTS Storage Scheme is set to Grant-Set. The REST API returns a 500 response and the debug logs contain the error message "Missing ClientID from request".

      How to reproduce the issue

      Follow “https://backstage.forgerock.com/docs/am/6.5/oidc1-guide/index.html#proc-prepare-for-ciba”

      1. Add an OIDC service and an OAuth2/OIDC client.
      2. Add the “Back Channel Request” grant type to both the client and the service.
      3. Add the public key set to the client's “Json Web Key” field.
      4. Configure a working (happy-path) authentication and map it to an ACR value for CIBA in the OAuth2 Provider service.
      5. Confirm the flow works by calling /bc-authorize and then /access_token.
      6. Navigate to "Configure" > "Global Services" > "OAuth2 Provider" and, on the "Global Attributes" tab, change "CTS Storage Scheme" to "Grant-Set Storage".
      7. Run the CIBA flow again and observe the error in the response to the "/access_token" call.

      Expected behaviour

      200 response with access_token (and the other token fields) in the body

      Current behaviour

      500 response

      {
          "error_description": "Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request",
          "error": "server_error"
      }
      

      Exception seen in the OAuthProvider debug log:

      Caused by: java.lang.IllegalStateException: Missing ClientID from request
              at org.forgerock.openam.oauth2.token.grantset.AbstractGrantSetTokenStore.lambda$fetchFromContext$0(AbstractGrantSetTokenStore.java:228)
              at java.util.Optional.orElseThrow(Optional.java:290)
              at org.forgerock.openam.oauth2.token.grantset.AbstractGrantSetTokenStore.fetchFromContext(AbstractGrantSetTokenStore.java:228) 
              at org.forgerock.openam.oauth2.token.grantset.AbstractGrantSetTokenStore.getGrantSet(AbstractGrantSetTokenStore.java:216)
              at org.forgerock.openam.oauth2.token.grantset.AbstractGrantSetTokenStore.createGrant(AbstractGrantSetTokenStore.java:432)
              at org.forgerock.openam.oauth2.token.OpenAMTokenStore.createGrant(OpenAMTokenStore.java:208)
              at org.forgerock.oauth2.core.BackChannelGrantTypeHandler.createToken(BackChannelGrantTypeHandler.java:89)
              at org.forgerock.oauth2.core.BackChannelGrantTypeHandler.handle(BackChannelGrantTypeHandler.java:78)
              at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:76)
              at org.forgerock.oauth2.core.AccessTokenService.requestAccessToken(AccessTokenService.java:138)
              at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:77)
      

      Somehow AbstractGrantSetTokenStore.fetchFromContext does not have the clientID, even though BackChannelGrantTypeHandler knows the client ID; BackChannelGrantTypeHandler probably does not call setContextFor to set up the clientID, RESOURCE_OWNER and NEW_GRANT_SET.

      Workaround

      Switch back to the "deprecated" One-to-One Storage scheme, which is no longer recommended.
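      The following script is an added example for steps 5 and 7 above; it is not ForgeRock code and not part of this report. It drives the CIBA flow (signed request object to /bc-authorize, then polling /access_token with the auth_req_id) and classifies the token response so that the failure described here (a 500 with error=server_error) is told apart from the authorization_pending / slow_down responses a healthy CIBA poll returns before the user approves. The endpoint paths, the use of HTTP Basic client authentication, the grant type string and the claim names are assumptions taken from the AM 6.5 CIBA documentation linked above; AM verifies the request JWT against the client's registered JWK set (step 3), so the HS256 signer below is only a stand-in that keeps the example runnable offline and must be replaced by a signer for the client's registered key.

```python
"""CIBA flow driver and /access_token response classifier (added example).

Assumptions, not confirmed by the report: endpoints {base}/oauth2/bc-authorize
and {base}/oauth2/access_token, client_secret_basic authentication, grant type
urn:openid:params:grant-type:ciba, and the request-object claims listed below.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib import error, parse, request

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # assumed grant type string


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ciba_request_claims(client_id, audience, login_hint, scope, acr_values,
                        binding_message, ttl=300):
    """Claims for the signed CIBA request object sent to /bc-authorize."""
    now = int(time.time())
    return {"iss": client_id, "aud": audience, "iat": now, "nbf": now,
            "exp": now + ttl, "jti": str(uuid.uuid4()),
            "login_hint": login_hint, "scope": scope,
            "acr_values": acr_values, "binding_message": binding_message}


def hs256_signer(secret: bytes):
    """Stand-in signer (assumption): AM checks the JWT against the client's JWK
    set, so a real run needs an RS256/ES256 signer for the registered key."""
    return lambda signing_input: hmac.new(secret, signing_input, hashlib.sha256).digest()


def encode_jwt(claims: dict, alg: str, signer) -> str:
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{b64url(signer(signing_input))}"


def verify_hs256(token: str, secret: bytes):
    """Verify a token produced by encode_jwt(..., 'HS256', ...); claims or None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def classify_token_response(status: int, body: dict) -> str:
    """Map an /access_token response to a poller state.

    'server_error' is the signature from this report: a 500 with
    error=server_error instead of the pending/slow_down errors expected
    while the end user has not yet approved the request.
    """
    if status == 200 and "access_token" in body:
        return "issued"
    err = body.get("error")
    if err == "authorization_pending":
        return "pending"
    if err == "slow_down":
        return "slow_down"
    if err == "server_error" or status >= 500:
        return "server_error"
    if err in ("expired_token", "access_denied"):
        return err
    return "failed"


def post_form(url: str, fields: dict, client_id: str, client_secret: str):
    """POST a form with Basic client auth; return (status, json) even on 4xx/5xx."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = request.Request(url, data=parse.urlencode(fields).encode(), method="POST",
                          headers={"Authorization": f"Basic {creds}",
                                   "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def run_ciba(base, client_id, client_secret, signed_request, max_polls=30):
    """Steps 5/7 of the report: /bc-authorize, then poll /access_token."""
    status, body = post_form(f"{base}/oauth2/bc-authorize",
                             {"request": signed_request}, client_id, client_secret)
    if status != 200 or "auth_req_id" not in body:
        return "bc_authorize_failed", body
    auth_req_id, interval = body["auth_req_id"], int(body.get("interval", 5))
    for _ in range(max_polls):
        status, body = post_form(f"{base}/oauth2/access_token",
                                 {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id},
                                 client_id, client_secret)
        state = classify_token_response(status, body)
        if state == "slow_down":
            interval += 5          # back off as the server asked
        elif state != "pending":
            return state, body     # issued, server_error, expired_token, ...
        time.sleep(interval)
    return "timed_out", body
```

      With the Grant-Set scheme active, run_ciba returns ("server_error", body) on the first poll, where body is the JSON shown under "Current behaviour"; after switching the scheme back to One-to-One it keeps returning "pending" until the user approves and then "issued". The verify_hs256 helper exists only so the stand-in token can be checked offline; it says nothing about whether AM would accept the request object.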


            People

            Assignee:
            chee-weng.chea C-Weng C
            Reporter:
            hahmadi hadi hahmadi
            Votes:
            0
            Watchers:
            7
