
Amster query session command filter seems to override realm parameter

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: Amster
    • Labels: None

      Description

      Bug description

      Performing e.g. query Sessions --realm subscribers --filter 'realm eq "/"' returns a set of sessions from the top level realm only, i.e. the filter looks to have overridden the realm parameter.

      How to reproduce the issue


      1. Single server setup, embedded config and user store.
      2. Installed amster.
      3. Using XUI and admin login, created sub-realm, subscribers.
      4. Created an OAuth/OIDC Provider. On the Core page this can be set either to use client-based access and refresh tokens or to have this disabled.
      5. Created an OAuth2 client in the sub-realm: testoauth, secret of secret, scope of profile and openid, redirect URL http://web.amtest2.com:80/test1/index.html. On the Advanced page set the client authentication method to client_secret_post.
      6. Using a browser, requested: https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/subscribers/authorize?response_type=code&scope=profile&client_id=testoauth&redirect_uri=http://web.amtest2.com:80/test1/index.html.
      7. Logged in as user demo and provided consent. Copied the code value from the redirect URL code param.
      8. curl -k --request POST --data "client_id=testoauth" --data "client_secret=secret" --data "grant_type=authorization_code" --data "response_type=token" --data "code=<code from above>" "https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/subscribers/access_token" --data "redirect_uri=http://web.amtest2.com:80/test1/index.html"
      9. Repeated the above two steps, but with the OAuth2Provider set to not use client based access and refresh tokens.
      10. Using amster, connected using: connect --interactive http://openam.amtest2.com:8080/access, logged in as amadmin.
      11. Then performed: query Sessions --realm subscribers --filter 'realm eq "/"'

      Expected behaviour

      No sessions should be returned because of the conflicting realm and query filter.

      Current behaviour

      Sessions from the top level realm only are returned.

      Note: Using a filter of realm eq /subscribers here will cause issue OPENAM-15687 to be encountered.

      Work around

      Make sure that the realm in the filter and the realm parameter are consistent.
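      The workaround above is a manual consistency check; as an added example (not part of this issue or of Amster), the following Python preflight parses an Amster query command line, extracts a realm eq clause from --filter and reports when it disagrees with --realm, so the conflicting query is never sent. The command-line shape, the CREST-style filter syntax and the normalization of realm names to a leading-slash path are assumptions.

```python
import re
import shlex
from typing import Optional

# Assumed CREST-style equality clause on the realm attribute, quoted (realm eq "/")
# or unquoted (realm eq /subscribers); both forms appear in the issue text.
_REALM_CLAUSE = re.compile(r'\brealm\s+eq\s+(?:"([^"]*)"|(\S+))')


def normalize_realm(realm: str) -> str:
    """Canonical realm path: leading slash, no trailing slash; top level is '/'.
    'subscribers', '/subscribers' and '/subscribers/' all map to '/subscribers'."""
    parts = [p for p in realm.strip().split("/") if p]
    return "/" + "/".join(parts)


def realm_in_filter(filter_expr: str) -> Optional[str]:
    """Return the realm named in a 'realm eq ...' clause, or None if the filter has none."""
    m = _REALM_CLAUSE.search(filter_expr)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def realm_conflict(realm_param: str, filter_expr: str) -> Optional[str]:
    """Return a message when --realm and the filter's realm disagree, else None."""
    filter_realm = realm_in_filter(filter_expr)
    if filter_realm is None:
        return None
    wanted, filtered = normalize_realm(realm_param), normalize_realm(filter_realm)
    if wanted != filtered:
        return (f"--realm resolves to {wanted} but the filter selects realm {filtered}; "
                "OPENAM-15778 reports the filter winning, so make them consistent")
    return None


def check_amster_command(cmdline: str) -> Optional[str]:
    """Preflight an Amster 'query Sessions --realm X --filter Y' command line (assumed
    shape). Returns a conflict message, or None when the query is consistent or when
    either option is absent (no default for --realm is assumed here)."""
    tokens = shlex.split(cmdline)
    realm = filter_expr = None
    for i, tok in enumerate(tokens[:-1]):
        if tok == "--realm":
            realm = tokens[i + 1]
        elif tok == "--filter":
            filter_expr = tokens[i + 1]
    if realm is None or filter_expr is None:
        return None
    return realm_conflict(realm, filter_expr)
```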

    People

    • Assignee: Unassigned
    • Reporter: Lawrence Yarham