OpenAM / OPENAM-15934

Incorrect certificate for MTLS OAuth2 client authentication returns invalid_grant


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 6.5.2.2
    • Fix Version/s: None
    • Component/s: oauth2, OpenID Connect
    • Sprint:
      AM Sustaining Sprint 72, AM Sustaining Sprint 73
    • Story Points:
      5

      Description

      Bug description

      When an OAuth2 client is configured for mTLS client authentication and the wrong certificate is presented at the token endpoint (for example, the certificate registered for Client B is presented for Client A, or vice versa), AM returns an invalid_grant error instead of invalid_client. Client authentication fails before the grant is ever examined, so the error should be the client-authentication one.

      How to reproduce the issue

      1. Create a key pair and export the certificate as PEM:
        • keytool -genkeypair -alias mtls_one -keyalg RSA -keystore ~/mtls_keystore.p12 -storetype PKCS12 (answer the "first and last name" prompt, i.e. the CN, with the client ID that will be registered in AM, e.g. myClientOne)
        • openssl pkcs12 -in ~/mtls_keystore.p12 -out myClientOne.pem
      2. Create the OAuth2 client myClientOne, set its authentication method to self_signed_tls_client_auth, set mTLS Self-Signed Certificate to the certificate block from myClientOne.pem, and set Public Key Selector to X509.
      3. Repeat steps 1 and 2 to create a second certificate and register the OAuth2 client "myClientTwo".
      4. In the OAuth2 Provider service, set Trusted TLS Client Certificate Header to myCert.
      5. Authenticate as the demo user.
      6. Using the session from the previous step, make the authorize call and obtain an authorization code for myClientOne.
      7. Use that authorization code to request an access token from the token endpoint, sending the myCert header with the certificate for myClientTwo as its value.
      Expected behaviour
      invalid_client error
      Current behaviour
      invalid_grant error
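      The following is an added illustration, not AM code, of the error ordering the ticket expects from a token endpoint that authenticates clients with self_signed_tls_client_auth behind a TLS-terminating proxy: the certificate forwarded in the trusted header is checked against the one registered for the client_id first (any mismatch is invalid_client), and the authorization code is validated only for an already-authenticated client (invalid_grant). Everything here is constructed for the example: the header name myCert mirrors the repro, the two "certificates" are stand-in byte strings wrapped in PEM rather than real X.509 DER, the thumbprint is SHA-256 over those bytes in the x5t#S256 style of RFC 8705, and clients and codes live in plain dicts. The handler trusts the header only because the proxy is assumed to set it and to strip any copy sent by the caller; if AM is reachable without that proxy, anyone can forge the header, which is the standard caveat for a trusted-header deployment.

```python
"""Toy token endpoint: mTLS client authentication first, grant validation second.

Added example, not AM's code. All assumptions are constructed: the proxy puts
the client's PEM certificate in TRUSTED_CERT_HEADER (possibly URL-encoded),
the certificates are stand-in bytes rather than real X.509, and the registered
clients and issued authorization codes are plain dicts.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import unquote

TRUSTED_CERT_HEADER = "myCert"  # the Trusted TLS Client Certificate Header name from the repro


def make_pem(der: bytes) -> str:
    """Wrap bytes in a PEM CERTIFICATE envelope (stand-in, not real X.509 DER)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block; ValueError if malformed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in header value")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def thumbprint(pem: str) -> str:
    """SHA-256 of the DER bytes as unpadded base64url (the x5t#S256 form of RFC 8705)."""
    digest = hashlib.sha256(pem_to_der(pem)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


# Certificates "registered" for the two clients from the repro (constructed stand-ins).
CERT_ONE = make_pem(b"constructed DER for CN=myClientOne")
CERT_TWO = make_pem(b"constructed DER for CN=myClientTwo")

CLIENTS = {
    "myClientOne": {"auth_method": "self_signed_tls_client_auth", "x5t#S256": thumbprint(CERT_ONE)},
    "myClientTwo": {"auth_method": "self_signed_tls_client_auth", "x5t#S256": thumbprint(CERT_TWO)},
}

# Authorization codes issued by the authorize endpoint, bound to the client they were issued to.
CODES = {
    "code-for-one": {"client_id": "myClientOne", "used": False},
    "code-for-two": {"client_id": "myClientTwo", "used": False},
}


def authenticate_client(form: dict, headers: dict):
    """Return the client_id on success, None on any client-authentication failure."""
    client_id = form.get("client_id")
    client = CLIENTS.get(client_id)
    if client is None or client["auth_method"] != "self_signed_tls_client_auth":
        return None
    raw = headers.get(TRUSTED_CERT_HEADER)
    if not raw:
        return None  # the proxy forwarded no certificate: the client presented none
    try:
        presented = thumbprint(unquote(raw))  # assumption: proxy may URL-encode the PEM
    except ValueError:
        return None
    # Constant-time compare of the presented cert against the one registered for client_id.
    if not hmac.compare_digest(presented, client["x5t#S256"]):
        return None
    return client_id


def token_request(form: dict, headers: dict) -> dict:
    """Handle grant_type=authorization_code; error codes follow RFC 6749 section 5.2."""
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    # 1. Client authentication first: a wrong or missing certificate is invalid_client
    #    no matter whether the code would have been valid (the ticket's expected behaviour).
    client_id = authenticate_client(form, headers)
    if client_id is None:
        return {"error": "invalid_client"}
    # 2. Only an authenticated client has its grant examined: unknown, replayed, or
    #    foreign (issued to another client) codes are invalid_grant.
    code = CODES.get(form.get("code"))
    if code is None or code["used"] or code["client_id"] != client_id:
        return {"error": "invalid_grant"}
    code["used"] = True  # authorization codes are single use
    token = hashlib.sha256(f"{client_id}:{form['code']}".encode()).hexdigest()[:32]
    return {"access_token": token, "token_type": "Bearer"}
```

      Step 7 of the repro corresponds to calling token_request with client_id myClientOne, the code issued for it, and CERT_TWO in the myCert header, which this handler answers with invalid_client; the same request with CERT_ONE but a code issued to myClientTwo is the invalid_grant case. Note that the failed authentication does not consume the code, so a legitimate retry with the right certificate still succeeds.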

        People

        Assignee: Joe Starling (joe.starling)
        Reporter: Aaron Haskins (aaron.haskins)
        Votes: 0
        Watchers: 5