Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 6.5.1
Component/s: oauth2, OpenID Connect
Labels:
Sprint: AM Sustaining Sprint 72, AM Sustaining Sprint 73
Story Points: 3
Support Ticket IDs:
Verified Version/s:
Needs QA verification: No
Functional tests: Yes
Are the reproduction steps defined?: Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)
Bug description
When using the Hybrid OIDC flow, if the user denies consent, the error is returned in a query string and not a fragment.
How to reproduce the issue
- Configure default OIDC Provider
- Enable "claims_parameter_supported" in Advanced OIDC
- Configure OIDC client with HS256 as "Request parameter signing algorithm" and redirect URI "http://test.com"
- Create a JWT signed with the client secret using online tools (e.g. jwt.io), or use the sample below and adjust the iat and exp claims as required: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteU9BdXRoMkNsaWVudCIsImlhdCI6MTU4MzE0OTI3MSwiZXhwIjoxNTgzMTUwNDc1LCJhdWQiOiJodHRwOi8vYWFyb24taGFza2lucy1hbS1kZ3hudXBvOjgwODAvb3BlbmFtL29hdXRoMiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImNsaWVudF9pZCI6Im15T0F1dGgyQ2xpZW50In0.jomB1cK3xTmuBPTjwuUPLznrdSQ93YQbKIJZqK7RKhg
- Send authorize request, log in and then deny consent:
curl --location --request GET 'http://openam.example.com:8080/openam/oauth2/authorize?request=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteU9BdXRoMkNsaWVudCIsImlhdCI6MTU4MzE0OTI3MSwiZXhwIjoxNTgzMTUwNDc1LCJhdWQiOiJodHRwOi8vYWFyb24taGFza2lucy1hbS1kZ3hudXBvOjgwODAvb3BlbmFtL29hdXRoMiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImNsaWVudF9pZCI6Im15T0F1dGgyQ2xpZW50In0.jomB1cK3xTmuBPTjwuUPLznrdSQ93YQbKIJZqK7RKhg&client_id=myOAuth2Client&redirect_uri=http://www.test.com&scope=openid%20profile&response_type=code%20id_token&nonce=012345&state=678910' \
  --header 'Content-Type: application/x-www-form-urlencoded'
Expected behaviour
Error returned in the fragment of the redirect URI (the Hybrid flow's response_type "code id_token" defaults to the fragment response mode, and error responses use the same encoding as successful ones)
Current behaviour
Error returned in the query string of the redirect URI
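To make the expected behaviour concrete, the following is an added example (not OpenAM code, and not from this ticket) of how an authorization server picks the encoding for an error redirect. It follows the rule the ticket relies on: response_type "code" defaults to the query encoding, while any response_type carrying "token" or "id_token" (implicit and hybrid, including "code id_token") defaults to the fragment and must not be switched to "query" via response_mode. The function names, the sample redirect URIs and the "access_denied" error used for the consent-denied case are assumptions for illustration; "form_post" is deliberately left out because this ticket only concerns query versus fragment. The last helper, locate_error, is the check a tester can run on the Location header returned by the authorize endpoint to see which encoding was actually used.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# response_type values that carry a token directly in the redirect (OAuth 2.0
# Multiple Response Type Encoding Practices): these default to the fragment.
TOKEN_BEARING = {"token", "id_token"}


def default_response_mode(response_type: str) -> str:
    """Return the default response_mode for a space-separated response_type."""
    parts = set(response_type.split())
    if not parts:
        raise ValueError("response_type is required")
    if parts in ({"code"}, {"none"}):
        return "query"
    if parts & TOKEN_BEARING:
        # Implicit ("token", "id_token", "id_token token") and Hybrid
        # ("code id_token", "code token", "code id_token token") all land here.
        return "fragment"
    raise ValueError(f"unsupported response_type: {response_type!r}")


def resolve_response_mode(response_type: str, requested: Optional[str] = None) -> str:
    """Apply an explicit response_mode, refusing query for token-bearing responses."""
    default = default_response_mode(response_type)
    if requested is None:
        return default
    if requested not in ("query", "fragment"):
        raise ValueError(f"unsupported response_mode: {requested!r}")
    if requested == "query" and default == "fragment":
        # Tokens (and, by the same rule, the matching error) must never go in the query.
        raise ValueError("response_mode=query is not allowed for token-bearing response types")
    return requested


def error_redirect(redirect_uri: str, response_type: str, error: str,
                   error_description: Optional[str] = None,
                   state: Optional[str] = None,
                   requested_mode: Optional[str] = None) -> str:
    """Build the Location header for an authorization error response.

    The error is encoded in the same place a successful response would be, so a
    Hybrid-flow client that reads the fragment sees the consent denial.
    """
    mode = resolve_response_mode(response_type, requested_mode)
    params = {"error": error}
    if error_description:
        params["error_description"] = error_description
    if state is not None:
        params["state"] = state  # echo state unchanged so the client can match it
    encoded = urlencode(params)
    scheme, netloc, path, query, _fragment = urlsplit(redirect_uri)
    if mode == "fragment":
        # A query component already present in the registered redirect URI is kept.
        return urlunsplit((scheme, netloc, path, query, encoded))
    joined = f"{query}&{encoded}" if query else encoded
    return urlunsplit((scheme, netloc, path, joined, ""))


def locate_error(redirect_location: str) -> Optional[str]:
    """Report where an 'error' parameter landed in a redirect: 'fragment', 'query' or None."""
    parts = urlsplit(redirect_location)
    if "error" in parse_qs(parts.fragment):
        return "fragment"
    if "error" in parse_qs(parts.query):
        return "query"
    return None


if __name__ == "__main__":
    # Constructed values mirroring the ticket's request (redirect URI and state).
    hybrid = error_redirect("http://www.test.com", "code id_token", "access_denied", state="678910")
    code_only = error_redirect("http://www.test.com", "code", "access_denied", state="678910")
    print("hybrid  :", hybrid, "->", locate_error(hybrid))
    print("code    :", code_only, "->", locate_error(code_only))
    # This is the shape of the redirect the ticket reports for 6.5.1 (error in the query).
    print("observed:", locate_error("http://www.test.com?error=access_denied&state=678910"))
```

Running the script prints the hybrid redirect with "#error=access_denied&state=678910" and the code-only redirect with "?error=access_denied&state=678910"; feeding the observed 6.5.1 redirect to locate_error returns "query", which is the mismatch this ticket describes.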
Is related to:
- OPENAM-15012 OIDC - JWT Request Parameter returns errors in query, not in the fragment (Closed)
- OPENAM-15487 OIDC - JWT Request Parameter returns errors in query, not in the fragment with invalid acr essential claim (Closed)