OPENAM-15805

idtokeninfo endpoint gives invalid signature error when ID Token is expired

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.5.1, 6.5.2, 6.5.2.1, 6.5.2.2
    • Fix Version/s: 5.5.2, 7.0.0, 6.5.3
    • Component/s: OpenID Connect
    • Labels:
    • Sprint: AM Sustaining Sprint 71, AM Sustaining Sprint 72
    • Story Points: 3
    • Needs backport: No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification: Yes
    • Functional tests: Yes
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      Validating an expired unencrypted ID Token gives a misleading error message.

      How to reproduce the issue

      1. Create a short-lived ID Token.
      2. Validate the unencrypted ID Token:
      curl --location --request POST 'http://localam.example.com:8080/openam/oauth2/idtokeninfo' \
      --header 'Cookie: iPlanetDirectoryPro=nNOjfZL3H7OWKVuJT0puyraW-Xg.*AAJTSQACMDEAAlNLABx6emtGeFljZDkrOFkvZGk2cW1Ec1p0cWRzQ0k9AAR0eXBlAANDVFMAAlMxAAA.*' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'client_id=test' \
      --data-urlencode 'client_secret=test' \
      --data-urlencode 'id_token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.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.jvtlEwY1dYZhuTgUYk2b0iUTT965w-X-iWoWQBWFMqnCclk9m1LH_jRPkgYgQFOVhUQk9ADHqaSZFG52xsVF0Zf7u3KAk_gPbXqKvU3PFH6wU7dgCSpyM3q_kBRbBEC1XkBJAO3QqjrjRStAM9S6u3zLkIrR8ICZlUDP7TBBta-64EceTT6IA4J4RbF5d0sYAGmWnePM7ObjxQh8Sd18F4IqdkyNBMQKjCdE1KDcUPs2-UU3atuiUqkcILOFKbtoXZnIusZm-CM7QX0axrOuHtT43ElkVmYa1O2AHPwodld-1pIPwb3X84hm-WdzMQzfxVp_8SBl1KCZHZnIW7o5Qw'
      Expected behaviour

      {
          "error_description": "ID token expired",
          "error": "bad_request"
      }

      Current behaviour

      {
          "error_description": "Invalid signature",
          "error": "bad_request"
      }

      Cause

      Probably updating openam-oauth2/src/main/java/org/forgerock/openidconnect/restlet/IdTokenInfo.java#validateIdToken
      to check idToken.isExpired() first, before calling clientRegistration.verifyIdTokenSignedByUsWithConfiguredAlg(idToken),
      would be the simplest direct fix (i.e. return the expiry error first) without much issue.
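      Added example, not OpenAM's code: a small Python validator for an unencrypted ID token that performs the checks in the order the Cause section proposes, expiry first and signature second, so an expired token reports "ID token expired" whether or not its signature verifies, while a token that is still live but carries a bad or tampered signature reports "Invalid signature". It uses HS256 with a constructed shared key rather than the RS256 key behind the ticket's token, and the names make_id_token, validate_id_token and DEMO_KEY are assumptions for this example, not OpenAM identifiers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real deployment verifies against the server's configured key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Base64url decode, re-adding the padding JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed, unencrypted ID token (hypothetical issuer side, for the demo)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_id_token(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Validate an ID token, expiry first, then signature.

    Returns a dict shaped like the idtokeninfo error body on failure,
    or {"ok": True, "claims": ...} when every check passes.
    """
    now = int(time.time()) if now is None else now
    error = {"error": "bad_request"}

    parts = token.split(".")
    if len(parts) != 3:
        return {**error, "error_description": "Malformed ID token"}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return {**error, "error_description": "Malformed ID token"}

    # 1. Expiry check first (the ordering the Cause section proposes). A missing or
    #    non-integer exp is treated as expired; nothing from the claims is used
    #    for anything else until the signature has been verified below.
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return {**error, "error_description": "ID token expired"}

    # 2. Signature check. The algorithm is pinned to what this verifier is
    #    configured for; the header's alg is compared, never used to pick a verifier.
    if header.get("alg") != "HS256":
        return {**error, "error_description": "Invalid signature"}
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return {**error, "error_description": "Invalid signature"}

    return {"ok": True, "claims": claims}


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "now" so the demo is deterministic
    expired = make_id_token({"sub": "demo", "exp": t0 - 60}, DEMO_KEY)
    live = make_id_token({"sub": "demo", "exp": t0 + 60}, DEMO_KEY)
    print(validate_id_token(expired, DEMO_KEY, now=t0))
    print(validate_id_token(live, DEMO_KEY, now=t0))
```

      The ordering only changes which error is reported; both conditions still reject the token, and the expiry branch returns before any claim is used for anything beyond the exp comparison, so no unsigned claim reaches an authorization decision. When the checks run in the opposite order, as the ticket describes, a caller cannot tell a token that merely needs refreshing from one that was never issued by this server.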

              People

              • Assignee: Sachiko Wallace (sachiko)
              • Reporter: Jelle Verbraak (jelle.v)