OPENAM-15863

WA5.x is sending additional parameters to authorize endpoint which should be removed in papClaims


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 6.0.1, 7.0.0, 6.5.3
    • Component/s: web agents
    • Environment:
      AM 7.0/WPA 5.6.2.1-RC7 apache httpd/ Linux 64 bit.
    • Sprint:
      AM Sustaining Sprint 71
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      WA 5.x is sending additional parameters (agent_provider=true and state=<random-value>) to the authorize endpoint. JASPA 5.x did not send these, and they should not end up in papClaims.

      How to reproduce the issue


      Follow the steps provided in OPENAM-15643

      Expected behaviour
      papClaims should not contain agent_provider and state. 
      
      Current behaviour
      papClaims contain agent_provider and state always.
      

      Workaround

      None

      Code analysis

      WA 5.x calls the authorize endpoint like this (note the state and agent_provider parameters):

      http://openam.example.com:28080/am/oauth2/authorize?realm=customer&response_mode=form_post&state=0a4805fc-800a-d1dc-8d5c-23fc3b76be82&redirect_uri=http%3A%2F%2Fagent.example.net%3A9090%2Fagent%2Fcdsso-oauth2&response_type=id_token&scope=openid&client_id=webagt&agent_provider=true&agent_realm=%2Fcustomer&nonce=2CD771A2A158658B1A6F21FE30C39250

      JASPA 5.x call, for comparison (no state, no agent_provider):

      http://openam.example.com:58080/am/oauth2/realms/root/realms/customer/authorize?scope=openid&response_type=id_token&realm=customer&redirect_uri=http://agent.example.net:9090/agentapp/sunwCDSSORedirectURI&nonce=I6JGoaEMXa6huf7XzecjSooQ7u559cWb2feGZQIlvEyyJXo4nP5bZw&client_id=TM9CUSTOMER&agent_realm=/customer&response_mode=form_post

      org.forgerock.openam.oauth2.OpenAMScopeValidator.java#getPapClaimsfromRequest() builds the list of request parameters that are excluded from papClaims:

      // Parameters treated as standard authorize-request parameters, not PAP claims
      Collections.addAll(defaultParams, OAuth2Constants.Params.SCOPE, OAuth2Constants.Params.RESPONSE_TYPE,
              OAuth2Constants.Params.REDIRECT_URI, OAuth2Constants.Custom.NONCE, OAuth2Constants.Params.CLIENT_ID,
              AGENT_REALM, OAuth2Constants.Custom.RESPONSE_MODE, OAuth2Constants.Params.REALM);

      Request parameters that are not in this list end up in papClaims, which is why state and agent_provider always appear there for WA 5.x. Both should be added to the ignore list.
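      The filtering described above, reproduced as an added Python example (not OpenAM's own code): it applies the AM 7.0 default-parameter list, and the proposed list with state and agent_provider added, to the two authorize URLs quoted in this report. The assumption, labelled in the code, is that getPapClaimsfromRequest() copies every query parameter not in the default list into papClaims, as the reported behaviour implies; the URLs are the ones from this page, embedded as constructed sample input.

```python
from urllib.parse import parse_qsl, urlsplit

# Query parameters the AM 7.0 scope validator keeps out of papClaims
# (names taken from the Collections.addAll() call quoted above).
ORIGINAL_DEFAULTS = frozenset({
    "scope", "response_type", "redirect_uri", "nonce", "client_id",
    "agent_realm", "response_mode", "realm",
})

# Proposed ignore list: the two agent-generated parameters added as well.
FIXED_DEFAULTS = ORIGINAL_DEFAULTS | {"state", "agent_provider"}

# Constructed sample input: the WA 5.x and JASPA 5.x requests from the report.
WA5_AUTHORIZE_URL = (
    "http://openam.example.com:28080/am/oauth2/authorize?realm=customer"
    "&response_mode=form_post&state=0a4805fc-800a-d1dc-8d5c-23fc3b76be82"
    "&redirect_uri=http%3A%2F%2Fagent.example.net%3A9090%2Fagent%2Fcdsso-oauth2"
    "&response_type=id_token&scope=openid&client_id=webagt&agent_provider=true"
    "&agent_realm=%2Fcustomer&nonce=2CD771A2A158658B1A6F21FE30C39250"
)
JASPA5_AUTHORIZE_URL = (
    "http://openam.example.com:58080/am/oauth2/realms/root/realms/customer/authorize"
    "?scope=openid&response_type=id_token&realm=customer"
    "&redirect_uri=http://agent.example.net:9090/agentapp/sunwCDSSORedirectURI"
    "&nonce=I6JGoaEMXa6huf7XzecjSooQ7u559cWb2feGZQIlvEyyJXo4nP5bZw"
    "&client_id=TM9CUSTOMER&agent_realm=/customer&response_mode=form_post"
)


def pap_claims_from_request(url: str, default_params: frozenset) -> dict:
    """Return the query parameters that would be copied into papClaims.

    Assumption (this is a model of getPapClaimsfromRequest(), not AM's code):
    every query parameter whose name is not in default_params is treated as
    a PAP claim, so the default list acts as the ignore list.
    """
    claims = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in default_params:
            claims[name] = value
    return claims


def leaked_parameter_names(url: str, default_params: frozenset) -> set:
    """Names of parameters that leak into papClaims for the given ignore list."""
    return set(pap_claims_from_request(url, default_params))


if __name__ == "__main__":
    for label, defaults in (("AM 7.0 list", ORIGINAL_DEFAULTS),
                            ("with state/agent_provider", FIXED_DEFAULTS)):
        print(label, "WA 5.x ->", pap_claims_from_request(WA5_AUTHORIZE_URL, defaults))
        print(label, "JASPA 5.x ->", pap_claims_from_request(JASPA5_AUTHORIZE_URL, defaults))
```

      With the AM 7.0 list the WA 5.x request yields claims for state and agent_provider while the JASPA 5.x request yields none; with the two names added, both requests yield no PAP claims, which is the expected behaviour stated above.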

              People

              Assignee:
              kamal.sivanandam@forgerock.com Kamal Sivanandam
              Reporter:
              kamal.sivanandam@forgerock.com Kamal Sivanandam