  1. OpenAM
  2. OPENAM-15790

The /json/users endpoint no longer produces useful information for the Agents.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: rest
    • Target Version/s:
    • Needs backport:
      Yes
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      The /json/users endpoint no longer produces useful information. The fields in its output are needed by the Agents to fulfill profile attribute requests. Traditionally, when providing an Agent-based SSO token, the agent has all properties whitelisted. In fact, I vaguely recall adding that code in AM.

      How to reproduce the issue

      Basically, run this curl substituting an Agent SSO token as appropriate (or alternatively, an SSO token for the user "demo"):

      curl -X GET \
          --header 'Content-Type: application/json' \
          --header 'Accept-API-Version: protocol=1.0,resource=1.0' \
          --cookie 'iPlanetDirectoryPro=<Agent SSO token>' \
          http://openam.example.com:8080/openam/json/realms/root/users/demo
      
      Expected behaviour

      For AM 6.5.* the following output results:

      {
        "username": "demo",
        "realm": "/",
        "uid": [
          "demo"
        ],
        "universalid": [
          "id=demo,ou=user,dc=openam,dc=forgerock,dc=org"
        ],
        "objectClass": [
          "iplanet-am-managed-person",
          "inetuser",
          "sunFederationManagerDataStore",
          "sunFMSAML2NameIdentifier",
          "inetorgperson",
          "sunIdentityServerLibertyPPService",
          "devicePrintProfilesContainer",
          "iplanet-am-user-service",
          "iPlanetPreferences",
          "pushDeviceProfilesContainer",
          "forgerock-am-dashboard-service",
          "organizationalperson",
          "top",
          "kbaInfoContainer",
          "person",
          "sunAMAuthAccountLockout",
          "oathDeviceProfilesContainer",
          "webauthnDeviceProfilesContainer",
          "iplanet-am-auth-configuration-service"
        ],
        "dn": [
          "uid=demo,ou=people,dc=openam,dc=forgerock,dc=org"
        ],
        "inetUserStatus": [
          "Active"
        ],
        "cn": [
          "demo"
        ],
        "sn": [
          "demo"
        ],
        "createTimestamp": [
          "20191218152736Z"
        ],
        "roles": [
          "ui-self-service-user"
        ]
      }
      
      Current behaviour

      For AM 7.0 the following output results:

      {
        "realm": "/",
        "username": "demo",
        "uid": [
          "demo"
        ],
        "sn": [
          "demo"
        ],
        "cn": [
          "demo"
        ],
        "roles": [
          "ui-self-service-user"
        ]
      }
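
An added example (not part of the original report or of AM's code): a regression check that compares the two responses above and lists which agent-mapped profile attributes the 7.0 response can no longer supply. The `AGENT_MAPPING` header names are hypothetical, and the `objectClass` list is abridged.

```python
import json

# Constructed inputs: the two responses from the issue, with objectClass abridged.
AM_65 = json.loads("""{
  "username": "demo", "realm": "/", "uid": ["demo"],
  "universalid": ["id=demo,ou=user,dc=openam,dc=forgerock,dc=org"],
  "objectClass": ["inetuser", "inetorgperson", "person", "top"],
  "dn": ["uid=demo,ou=people,dc=openam,dc=forgerock,dc=org"],
  "inetUserStatus": ["Active"], "cn": ["demo"], "sn": ["demo"],
  "createTimestamp": ["20191218152736Z"], "roles": ["ui-self-service-user"]
}""")
AM_70 = json.loads("""{
  "realm": "/", "username": "demo", "uid": ["demo"], "sn": ["demo"],
  "cn": ["demo"], "roles": ["ui-self-service-user"]
}""")

# Hypothetical agent profile-attribute mapping (profile attribute -> header name).
AGENT_MAPPING = {"cn": "X-User-CN", "inetUserStatus": "X-User-Status", "dn": "X-User-DN"}


def dropped_attributes(baseline, current):
    """Attributes the baseline response returned that the current one omits."""
    return sorted(set(baseline) - set(current))


def changed_attributes(baseline, current):
    """Attributes present in both responses whose values differ (list order ignored)."""
    def norm(value):
        return sorted(value) if isinstance(value, list) else value
    shared = set(baseline) & set(current)
    return sorted(k for k in shared if norm(baseline[k]) != norm(current[k]))


def unresolved_mappings(mapping, response):
    """Mapped headers the agent cannot populate: attribute absent or empty."""
    return {header: attr for attr, header in mapping.items() if not response.get(attr)}


if __name__ == "__main__":
    print("dropped:", dropped_attributes(AM_65, AM_70))
    print("changed:", changed_attributes(AM_65, AM_70))
    print("unresolved headers:", unresolved_mappings(AGENT_MAPPING, AM_70))
```

Running the same functions against a response captured with the curl command above, before and after an upgrade, shows whether any attribute an agent relies on has stopped being returned.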
      

              People

              • Assignee:
                richard.ward Richard Ward
                Reporter:
                tony.bamford Tony Bamford