Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-15785

OIDC spec violation - HTTP POST can not be used to send Authentication Request

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 14.1.1.1, 14.1.1.2, 14.1.1.3, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 14.1.1.4, 6.0.0.5, 14.1.1.5, 14.1.2.2, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 14.1.2.3, 6.5.1, 6.5.0.2, 14.1.2.4, 6.5.2, 6.5.2.1, 6.5.2.2, 14.1.2.5, 14.1.2.11
    • Fix Version/s: 7.0.0
    • Component/s: OpenID Connect
    • Target Version/s:
    • Rank:
      1|hzvzdz:
    • Sprint:
      AM Sustaining Sprint 70, AM Sustaining Sprint 71, AM Sustaining Sprint 72
    • Story Points:
      5
    • Support Ticket IDs:

      Description

      Bug description

      OIDC Authorization Code flow fails if Authentication Request is sent via HTTP POST request

      How to reproduce the issue

      1. Configure AM as OIDC provider
      2. Configure some OAuth2 client
      3. Perform OIDC Authorization Code flow, send Authentication request via HTTP POST
      Expected behaviour
      OIDC provider should authenticate the user
      
      Current behaviour
      OIDC provider sends error response 'error_description=Failed to get resource owner session from request&error=invalid_request' to OIDC client.
      
      Excerpt from OIDC specification

      https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

      Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 2616 [RFC2616] at the Authorization Endpoint.

      excerpt from AM 6.5.2.2 OAuth2Provider debug log
      OAuth2Provider:12/17/2019 01:28:21:482 PM CET: Thread[http-nio-8080-exec-1,5,main]: TransactionId[45dd1371-5583-4eba-81a3-17203bb69ebb-1555]
      WARNING: Error authenticating user against OpenAM:
      com.iplanet.sso.SSOException: SessionID is empty
      	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:147)
      	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:160)
      	at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:303)
      	at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.getResourceOwnerSession(ResourceOwnerSessionValidator.java:455)
      	at org.forgerock.oauth2.core.CsrfProtection.isCsrfAttack(CsrfProtection.java:51)
      	at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:410)
      	at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:260)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
      	at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
      	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
      	at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
      	at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
      	at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
      	at org.restlet.resource.Finder.handle(Finder.java:236)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
      	at org.restlet.routing.Router.handle(Router.java:641)
      	at org.forgerock.openam.rest.service.RestletRealmRouter$Delegate.handle(RestletRealmRouter.java:163)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
      	at org.restlet.routing.Router.handle(Router.java:641)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      	at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
      	at org.restlet.Application.handle(Application.java:385)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.restlet.routing.Router.handle(Router.java:641)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.restlet.routing.Router.handle(Router.java:641)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      	at org.restlet.Component.handle(Component.java:408)
      	at org.restlet.Server.handle(Server.java:507)
      	at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
      	at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
      	at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
      	at org.forgerock.openam.rest.RestEndpointServlet$RestletHandler.handle(RestEndpointServlet.java:183)
      	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
      	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:87)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:264)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.forgerock.openam.rest.RestEndpointServlet$HttpServletWrapper.service(RestEndpointServlet.java:254)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:132)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:412)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1385)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: com.iplanet.dpro.session.SessionException: SessionID is empty
      	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:134)
      	... 106 more
      OAuth2Provider:12/17/2019 01:28:21:483 PM CET: Thread[http-nio-8080-exec-1,5,main]: TransactionId[45dd1371-5583-4eba-81a3-17203bb69ebb-1555]
      WARNING: Error authenticating user against OpenAM:
      com.iplanet.sso.SSOException: SessionID is empty
      	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:147)
      	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:228)
      	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:211)
      	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:241)
      	at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:376)
      	at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.getResourceOwnerSession(ResourceOwnerSessionValidator.java:461)
      	at org.forgerock.oauth2.core.CsrfProtection.isCsrfAttack(CsrfProtection.java:51)
      	at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:410)
      	at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:260)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
      	at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
      	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
      	at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
      	at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
      	at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
      	at org.restlet.resource.Finder.handle(Finder.java:236)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
      	at org.restlet.routing.Router.handle(Router.java:641)
      	at org.forgerock.openam.rest.service.RestletRealmRouter$Delegate.handle(RestletRealmRouter.java:163)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
      	at org.restlet.routing.Router.handle(Router.java:641)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      	at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
      	at org.restlet.Application.handle(Application.java:385)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.restlet.routing.Router.handle(Router.java:641)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.restlet.routing.Router.handle(Router.java:641)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      	at org.restlet.Component.handle(Component.java:408)
      	at org.restlet.Server.handle(Server.java:507)
      	at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
      	at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
      	at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
      	at org.forgerock.openam.rest.RestEndpointServlet$RestletHandler.handle(RestEndpointServlet.java:183)
      	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
      	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:87)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
      	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
      	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:264)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.forgerock.openam.rest.RestEndpointServlet$HttpServletWrapper.service(RestEndpointServlet.java:254)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:132)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
      	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
      	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:412)
      	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
      	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
      	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1385)
      	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: com.iplanet.dpro.session.SessionException: SessionID is empty
      	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:134)
      	... 108 more
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                isaac.taylor Isaac Taylor
                Reporter:
                bthalmayr Bernhard Thalmayr
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: