OpenAM / OPENAM-15790

The /json/users endpoint no longer produces useful information for the Agents.


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: rest
    • Needs backport:
      Yes
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      The /json/users endpoint no longer produces useful information. The fields in its output are needed by the Agents to fulfill profile attribute requests. Traditionally, when providing an Agent-based SSO token, the agent has all properties whitelisted. In fact, I vaguely recall adding that code in AM.

      How to reproduce the issue

      Basically, run this curl substituting an Agent SSO token as appropriate (or alternatively, an SSO token for the user "demo"):

      curl -X GET \
          --header 'Content-Type: application/json' \
          --header 'Accept-API-Version: protocol=1.0,resource=1.0' \
          --cookie 'iPlanetDirectoryPro=<Agent SSO token>' \
          http://openam.example.com:8080/openam/json/realms/root/users/demo
      
      Expected behaviour

      For AM 6.5.* the following output results:

      {
        "username": "demo",
        "realm": "/",
        "uid": [
          "demo"
        ],
        "universalid": [
          "id=demo,ou=user,dc=openam,dc=forgerock,dc=org"
        ],
        "objectClass": [
          "iplanet-am-managed-person",
          "inetuser",
          "sunFederationManagerDataStore",
          "sunFMSAML2NameIdentifier",
          "inetorgperson",
          "sunIdentityServerLibertyPPService",
          "devicePrintProfilesContainer",
          "iplanet-am-user-service",
          "iPlanetPreferences",
          "pushDeviceProfilesContainer",
          "forgerock-am-dashboard-service",
          "organizationalperson",
          "top",
          "kbaInfoContainer",
          "person",
          "sunAMAuthAccountLockout",
          "oathDeviceProfilesContainer",
          "webauthnDeviceProfilesContainer",
          "iplanet-am-auth-configuration-service"
        ],
        "dn": [
          "uid=demo,ou=people,dc=openam,dc=forgerock,dc=org"
        ],
        "inetUserStatus": [
          "Active"
        ],
        "cn": [
          "demo"
        ],
        "sn": [
          "demo"
        ],
        "createTimestamp": [
          "20191218152736Z"
        ],
        "roles": [
          "ui-self-service-user"
        ]
      }
      
      Current behaviour

      For AM 7.0 the following output results:

      {
        "realm": "/",
        "username": "demo",
        "uid": [
          "demo"
        ],
        "sn": [
          "demo"
        ],
        "cn": [
          "demo"
        ],
        "roles": [
          "ui-self-service-user"
        ]
      }
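
A regression check for the difference shown above, as an added example that is not part of the original report or of AM's own code: it diffs the two responses (with `objectClass` abbreviated) and lists the attributes an agent would no longer receive. The function names and the required-attribute list in the demo are hypothetical.

```python
import json

# Abbreviated from the two responses in this report (objectClass shortened).
AM_65 = json.loads('''{
  "username": "demo", "realm": "/", "uid": ["demo"],
  "universalid": ["id=demo,ou=user,dc=openam,dc=forgerock,dc=org"],
  "objectClass": ["inetuser", "inetorgperson", "person", "top"],
  "dn": ["uid=demo,ou=people,dc=openam,dc=forgerock,dc=org"],
  "inetUserStatus": ["Active"], "cn": ["demo"], "sn": ["demo"],
  "createTimestamp": ["20191218152736Z"],
  "roles": ["ui-self-service-user"]
}''')
AM_70 = json.loads('''{
  "realm": "/", "username": "demo", "uid": ["demo"], "sn": ["demo"],
  "cn": ["demo"], "roles": ["ui-self-service-user"]
}''')


def _norm(value):
    """Treat multi-valued attributes as unordered sets of strings."""
    return frozenset(value) if isinstance(value, list) else value


def compare_profiles(baseline, current):
    """Return attributes missing from, added to, or changed in `current`."""
    missing = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    changed = sorted(k for k in set(baseline) & set(current)
                     if _norm(baseline[k]) != _norm(current[k]))
    return {"missing": missing, "added": added, "changed": changed}


def unmet_agent_attributes(response, required):
    """Attributes an agent is configured to fetch that the response lacks."""
    return sorted(a for a in required if a not in response)


if __name__ == "__main__":
    print(compare_profiles(AM_65, AM_70))
    # Hypothetical agent profile-attribute mapping, not taken from the report.
    print(unmet_agent_attributes(AM_70, ["cn", "dn", "inetUserStatus"]))
```
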
      

              People

              Assignee:
              richard.ward Richard Ward
              Reporter:
              tony.bamford Tony Bamford
              Votes: 0
              Watchers: 5