Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 6.5.1, 6.5.2, 6.5.2.1, 6.5.2.2
Component/s: OpenID Connect
Labels:
Sprint: AM Sustaining Sprint 71, AM Sustaining Sprint 72
Story Points: 3
Needs backport: No
Support Ticket IDs:
Bug description
Validating an expired unencrypted ID Token gives a misleading error message.
How to reproduce the issue
- Create a short-lived ID Token
- Validate the unencrypted ID Token:
curl --location --request POST 'http://localam.example.com:8080/openam/oauth2/idtokeninfo' \
  --header 'Cookie: iPlanetDirectoryPro=nNOjfZL3H7OWKVuJT0puyraW-Xg.*AAJTSQACMDEAAlNLABx6emtGeFljZDkrOFkvZGk2cW1Ec1p0cWRzQ0k9AAR0eXBlAANDVFMAAlMxAAA.*' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=test' \
  --data-urlencode 'client_secret=test' \
  --data-urlencode 'id_token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.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.jvtlEwY1dYZhuTgUYk2b0iUTT965w-X-iWoWQBWFMqnCclk9m1LH_jRPkgYgQFOVhUQk9ADHqaSZFG52xsVF0Zf7u3KAk_gPbXqKvU3PFH6wU7dgCSpyM3q_kBRbBEC1XkBJAO3QqjrjRStAM9S6u3zLkIrR8ICZlUDP7TBBta-64EceTT6IA4J4RbF5d0sYAGmWnePM7ObjxQh8Sd18F4IqdkyNBMQKjCdE1KDcUPs2-UU3atuiUqkcILOFKbtoXZnIusZm-CM7QX0axrOuHtT43ElkVmYa1O2AHPwodld-1pIPwb3X84hm-WdzMQzfxVp_8SBl1KCZHZnIW7o5Qw'
Expected behaviour
{ "error_description": "ID token expired", "error": "bad_request" }
Current behaviour
{ "error_description": "Invalid signature", "error": "bad_request" }
Cause
Probably updating openam-oauth2/src/main/java/org/forgerock/openidconnect/restlet/IdTokenInfo.java#validateIdToken
to check idToken.isExpired() first, before calling clientRegistration.verifyIdTokenSignedByUsWithConfiguredAlg(idToken),
would be the simplest direct fix (just return the expired error first) without much issue.
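The following is an added illustration of the check ordering proposed above; it is not OpenAM's code. It stands in for the RS256 key lookup that IdTokenInfo performs with an HS256 shared key, and the function names, the key, the fixed timestamp and the 5-minute skew constant (mirroring the SKEW_ALLOWANCE mentioned in OPENAM-15927) are all assumptions. Expiry is evaluated before the signature, so an expired token reports "ID token expired" whatever its signature, while an unexpired token with a bad signature (or an unexpected "alg" header) still reports "Invalid signature":

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed skew allowance for this example; AM's SKEW_ALLOWANCE is 5 minutes (OPENAM-15927).
SKEW_ALLOWANCE_SECONDS = 5 * 60
# Assumed algorithm; AM verifies with the client's configured alg, not the header's claim.
ALG = "HS256"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS over the claims (constructed helper standing in for AM issuing an ID token)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": ALG}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def _error(description: str) -> dict:
    return {"error": "bad_request", "error_description": description}


def validate_id_token(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Validate an unencrypted ID token with the checks ordered as the proposed fix suggests.

    Returns {"ok": True, "claims": ...} on success, otherwise an error object shaped like
    the idtokeninfo endpoint's response.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return _error("Malformed ID token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        exp = int(claims["exp"])
        signature = _b64url_decode(signature_b64)
    except (ValueError, KeyError, TypeError):
        return _error("Malformed ID token")

    # 1. Expiry first, so the caller gets the accurate reason. The claims are still
    #    unverified here; that is acceptable only because an expired token is rejected
    #    either way, and nothing from the payload is released before step 2 passes.
    if now > exp + SKEW_ALLOWANCE_SECONDS:
        return _error("ID token expired")

    # 2. Signature, with the configured algorithm pinned rather than read from the header.
    if header.get("alg") != ALG:
        return _error("Invalid signature")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return _error("Invalid signature")

    return {"ok": True, "claims": claims}


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenarios: expired, expired with wrong key, wrong key, within skew, alg=none, valid."""
    key = b"constructed-demo-key"
    wrong_key = b"some-other-key"
    expired = sign_hs256({"sub": "alice", "exp": now - 3600}, key)
    fresh = sign_hs256({"sub": "alice", "exp": now + 3600}, key)
    in_skew = sign_hs256({"sub": "alice", "exp": now - 60}, key)
    alg_none = _b64url_encode(b'{"typ":"JWT","alg":"none"}') + "." + fresh.split(".")[1] + "."
    return {
        "expired": validate_id_token(expired, key, now)["error_description"],
        "expired_wrong_key": validate_id_token(expired, wrong_key, now)["error_description"],
        "fresh_wrong_key": validate_id_token(fresh, wrong_key, now)["error_description"],
        "alg_none": validate_id_token(alg_none, key, now)["error_description"],
        "within_skew": validate_id_token(in_skew, key, now).get("ok", False),
        "fresh": validate_id_token(fresh, key, now).get("ok", False),
        "malformed": validate_id_token("not.a.jwt.at.all", key, now)["error_description"],
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:18} -> {outcome}")
```

The expiry check deliberately reads exp from a payload whose signature has not yet been checked; that is only safe because both outcomes of that branch are a rejection, and no claim leaves the validator until the signature has been verified against the configured algorithm. The skew constant is what makes the "within_skew" scenario pass, which is why its size matters enough to have its own issue.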
Is related to:
- OPENAM-15927 SKEW_ALLOWANCE = Duration.duration(5, TimeUnit.MINUTES) ability to tweak the time duration (Open)