Bug description
The /json/users endpoint no longer produces useful information. The fields in its output are needed by the Agents to fulfill profile attribute requests. Traditionally, when providing an Agent-based SSO token, the agent has all properties whitelisted. In fact, I vaguely recall adding that code in AM.
How to reproduce the issue
Basically, run this curl substituting an Agent SSO token as appropriate (or alternatively, an SSO token for the user "demo"):
curl -X GET \
  --header 'Content-Type: application/json' \
  --header 'Accept-API-Version: protocol=1.0,resource=1.0' \
  --cookie 'iPlanetDirectoryPro=<Agent sso SSO token>' \
  http://openam.example.com:8080/openam/json/realms/root/users/demo
Expected behaviour
For AM 6.5.* the following output results:
{
  "username": "demo",
  "realm": "/",
  "uid": [ "demo" ],
  "universalid": [ "id=demo,ou=user,dc=openam,dc=forgerock,dc=org" ],
  "objectClass": [
    "iplanet-am-managed-person",
    "inetuser",
    "sunFederationManagerDataStore",
    "sunFMSAML2NameIdentifier",
    "inetorgperson",
    "sunIdentityServerLibertyPPService",
    "devicePrintProfilesContainer",
    "iplanet-am-user-service",
    "iPlanetPreferences",
    "pushDeviceProfilesContainer",
    "forgerock-am-dashboard-service",
    "organizationalperson",
    "top",
    "kbaInfoContainer",
    "person",
    "sunAMAuthAccountLockout",
    "oathDeviceProfilesContainer",
    "webauthnDeviceProfilesContainer",
    "iplanet-am-auth-configuration-service"
  ],
  "dn": [ "uid=demo,ou=people,dc=openam,dc=forgerock,dc=org" ],
  "inetUserStatus": [ "Active" ],
  "cn": [ "demo" ],
  "sn": [ "demo" ],
  "createTimestamp": [ "20191218152736Z" ],
  "roles": [ "ui-self-service-user" ]
}
Current behaviour
For AM 7.0 the following output results:
{
  "realm": "/",
  "username": "demo",
  "uid": [ "demo" ],
  "sn": [ "demo" ],
  "cn": [ "demo" ],
  "roles": [ "ui-self-service-user" ]
}
Is related to:
- AMAGENTS-3331 5.7 - WPA - AM Compatibility (Closed)
- AMAGENTS-3342 5.7 - Java Agent - AM Compatibility (Closed)