OPENAM-15982

OIDC - JWT Request Parameter returns errors in query, not in the fragment when consent is denied

    Details

    • Sprint:
      AM Sustaining Sprint 72, AM Sustaining Sprint 73
    • Story Points:
      3
    • Needs QA verification:
      No
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      Bug description

      When using the Hybrid OIDC flow, if the user denies consent, the error is returned in a query string and not a fragment.

      How to reproduce the issue

      1. Configure default OIDC Provider
      2. Enable "claims_parameter_supported" in Advanced OIDC
      3. Configure OIDC client with HS256 as "Request parameter signing algorithm" and redirect URI "http://test.com"
      4. Create a JWT signed with the client secret using online tools (e.g. jwt.io) / use the below sample and adjust iat and exp claims as required: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteU9BdXRoMkNsaWVudCIsImlhdCI6MTU4MzE0OTI3MSwiZXhwIjoxNTgzMTUwNDc1LCJhdWQiOiJodHRwOi8vYWFyb24taGFza2lucy1hbS1kZ3hudXBvOjgwODAvb3BlbmFtL29hdXRoMiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImNsaWVudF9pZCI6Im15T0F1dGgyQ2xpZW50In0.jomB1cK3xTmuBPTjwuUPLznrdSQ93YQbKIJZqK7RKhg
      5. Send authorize request, log in and then deny consent:
         curl --location --request GET 'http://openam.example.com:8080/openam/oauth2/authorize?request=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJteU9BdXRoMkNsaWVudCIsImlhdCI6MTU4MzE0OTI3MSwiZXhwIjoxNTgzMTUwNDc1LCJhdWQiOiJodHRwOi8vYWFyb24taGFza2lucy1hbS1kZ3hudXBvOjgwODAvb3BlbmFtL29hdXRoMiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImNsaWVudF9pZCI6Im15T0F1dGgyQ2xpZW50In0.jomB1cK3xTmuBPTjwuUPLznrdSQ93YQbKIJZqK7RKhg&client_id=myOAuth2Client&redirect_uri=http://www.test.com&scope=openid%20profile&response_type=code%20id_token&nonce=012345&state=678910' \
         --header 'Content-Type: application/x-www-form-urlencoded'

      Expected behaviour
      Error returned in fragment

      Current behaviour
      Error returned in query string
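      As an added check, not part of the ticket or of OpenAM's own code: a small Python tool that decodes the sample request object above (without verifying its HS256 signature), derives the response mode the hybrid flow requires from its response_type claim, and reports where a redirect back to the RP actually carried the error. The two redirect URLs are constructed for illustration, not captured from OpenAM; the fragment is never sent to the redirect URI's server, so a browser-side RP expecting fragment encoding will simply not see a query-encoded error.

```python
import base64
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# The signed request object from the reproduction steps (HS256). Its signature is
# deliberately NOT verified here: this tool only inspects the claims to work out
# which response mode the authorization server should have used.
SAMPLE_REQUEST_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJteU9BdXRoMkNsaWVudCIsImlhdCI6MTU4MzE0OTI3MSwiZXhwIjoxNTgzMTUwNDc1LCJhdWQiOiJodHRwOi8vYWFyb24taGFza2lucy1hbS1kZ3hudXBvOjgwODAvb3BlbmFtL29hdXRoMiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIGlkX3Rva2VuIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSIsImNsaWVudF9pZCI6Im15T0F1dGgyQ2xpZW50In0."
    "jomB1cK3xTmuBPTjwuUPLznrdSQ93YQbKIJZqK7RKhg"
)

# Constructed redirects (not captured from OpenAM): the first is the behaviour the
# ticket reports, the second is what the hybrid flow requires.
BUGGY_REDIRECT = "http://www.test.com/?error=access_denied&state=678910"
FIXED_REDIRECT = "http://www.test.com/#error=access_denied&state=678910"

def request_object_claims(jwt: str) -> dict:
    """Decode the payload of a compact JWS without checking its signature."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def expected_response_mode(response_type: str, response_mode: Optional[str] = None) -> str:
    """Default encoding per OAuth 2.0 Multiple Response Type Encoding Practices, section 5:
    any response_type that delivers a token or id_token in the front channel defaults to
    fragment; plain "code" (and "none") defaults to query. An explicit response_mode wins."""
    if response_mode:
        return response_mode
    return "fragment" if set(response_type.split()) & {"token", "id_token"} else "query"

def actual_response_mode(redirect: str) -> Optional[str]:
    """Report whether the AS put the response (error or success) in the fragment or the query."""
    parts = urlsplit(redirect)
    for mode, component in (("fragment", parts.fragment), ("query", parts.query)):
        if set(parse_qs(component)) & {"error", "code", "id_token", "access_token"}:
            return mode
    return None

def check_redirect(request_jwt: str, redirect: str) -> Tuple[str, Optional[str], bool]:
    """Compare the mode implied by the request object with the mode actually used."""
    claims = request_object_claims(request_jwt)
    expected = expected_response_mode(claims["response_type"], claims.get("response_mode"))
    actual = actual_response_mode(redirect)
    return expected, actual, expected == actual
```

      Calling check_redirect(SAMPLE_REQUEST_JWT, BUGGY_REDIRECT) returns ("fragment", "query", False), which is exactly the mismatch this ticket describes; the same call on FIXED_REDIRECT returns ("fragment", "fragment", True).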

              People

              • Assignee:
                lawrence.yarham Lawrence Yarham
              • Reporter:
                aaron.haskins Aaron Haskins
              • Votes:
                0
              • Watchers:
                5