OPENAM-16170

Not possible for Agents/IG to use the OIDC code flow


    • Type: Improvement
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: oauth2, OpenID Connect
    • Labels:


      To reproduce the bug:

      Firstly you will need to edit openam-oauth2/src/main/java/org/forgerock/oauth2/core/AgentOAuth2ProviderSettings.java to enable the Agent to use the code flow as follows:

          public Set<String> getSupportedGrantTypes() {
              Set<String> result = new HashSet<>();
              return result;
          }

          @Override
          public Map<String, ResponseTypeHandler> getAllowedResponseTypes() {
              Map<String, ResponseTypeHandler> responseTypes = new HashMap<>();
              responseTypes.put("id_token", InjectorHolder.getInstance(IdTokenResponseTypeHandler.class));
              // Register the "code" response type for agents alongside "id_token".
              responseTypes.put("code", InjectorHolder.getInstance(AuthorizationCodeResponseTypeHandler.class));
              return responseTypes;
          }

      Then change openam-oauth2/src/main/java/org/forgerock/openam/oauth2/AgentClientRegistration.java as follows:

          public Set<String> getAllowedResponseTypes() {
              return Sets.newHashSet(OAuth2Constants.AuthorizationEndpoint.ID_TOKEN,
                      OAuth2Constants.AuthorizationEndpoint.ID_TOKEN + " " + OAuth2Constants.AuthorizationEndpoint.CODE,
                      OAuth2Constants.AuthorizationEndpoint.CODE + " " + OAuth2Constants.AuthorizationEndpoint.ID_TOKEN);
          }

          public Set<GrantType> getAllowedGrantTypes() {
              // Allow the authorization code grant in addition to implicit.
              return new HashSet<>(Arrays.asList(GrantType.IMPLICIT, GrantType.AUTHORIZATION_CODE));
          }


      In the following I have made these assumptions:

      • hostname: openam.afb.com
      • container #1 hosting AM deployed on port 8010
      • container #2 hosting nothing in particular, deployed on port 8030 (to be honest, I'm not sure you even need a container here); nonetheless you will need to choose a port number, which I've assumed is 8030.


      In the XUI, create a new Java Agent (in the root realm)

      Again in the XUI, create an ordinary user (in the root realm)

      • Identities
      • +Add Identity
        User ID: noggin
        Password: whatever
      • Create

      Install httpie. Sorry, I tried to get my script to work with curl and the -L option, but it was beyond my skills. If you feel you can edit the script so it doesn't need httpie, please feel free.
      Make a copy of the attached script and edit the first few lines according to the values you entered for Agent name, password and ordinary user and password.

      Run the script as often as you like. You should see the output:

      {"error_description":"No OpenID Connect provider for realm /","error":"not_found"}

       That's the bug.
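      Since the reporter invites a curl-only version of the reproduction, here is one, added as an example. It is not the attached fake.sh and not OpenAM code. It uses the hostname and AM port from the ticket; the context path /openam, the agent name, the redirect URI on port 8030, the session cookie name iPlanetDirectoryPro and the default response_type are assumptions, overridable through environment variables, and the REST/OAuth2 endpoint paths are the standard AM 7 root-realm ones. Credentials are only read from the environment; without them the file just defines its helper functions.

```shell
#!/bin/sh
# Constructed reproduction script for OPENAM-16170 (example, not the ticket's fake.sh).
# Drives the OIDC authorization code flow against AM with curl instead of httpie,
# without following redirects: status, headers and body are captured separately.
set -eu

AM_BASE="${AM_BASE:-http://openam.afb.com:8010/openam}"      # assumed context path
AGENT_ID="${AGENT_ID:-myJavaAgent}"                           # assumed agent name
REDIRECT_URI="${REDIRECT_URI:-http://openam.afb.com:8030/agent/cdsso-oauth2}"  # assumed
AM_USER="${AM_USER:-noggin}"
SSO_COOKIE="${SSO_COOKIE:-iPlanetDirectoryPro}"               # AM default cookie name
# The patched AgentClientRegistration also lists the hybrid "code id_token";
# export RESPONSE_TYPE="code id_token" to exercise that variant instead.
RESPONSE_TYPE="${RESPONSE_TYPE:-code}"

# Pull the code parameter out of a redirect Location (query or fragment).
extract_code_from_location() {
    printf '%s\n' "$1" | sed -n 's/.*[?&#]code=\([^&[:space:]]*\).*/\1/p'
}

# True when the body is the error JSON this ticket is about.
is_missing_provider_error() {
    case "$1" in
        *'"error":"not_found"'*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *'No OpenID Connect provider for realm'*) return 0 ;;
        *) return 1 ;;
    esac
}

# REST login for the ordinary user; prints the SSO tokenId.
login() {
    curl -sS -X POST "$AM_BASE/json/realms/root/authenticate" \
        -H 'Content-Type: application/json' \
        -H 'Accept-API-Version: resource=2.0, protocol=1.0' \
        -H "X-OpenAM-Username: $AM_USER" \
        -H "X-OpenAM-Password: $AM_PASSWORD" \
        -d '{}' | sed -n 's/.*"tokenId":"\([^"]*\)".*/\1/p'
}

# Authorization request as the agent client; prints the code on success.
authorize() {
    HDRS="$(mktemp)"; BODY="$(mktemp)"
    STATUS="$(curl -sS -o "$BODY" -D "$HDRS" -w '%{http_code}' \
        -b "$SSO_COOKIE=$1" \
        --get "$AM_BASE/oauth2/realms/root/authorize" \
        --data-urlencode "client_id=$AGENT_ID" \
        --data-urlencode "response_type=$RESPONSE_TYPE" \
        --data-urlencode "redirect_uri=$REDIRECT_URI" \
        --data-urlencode 'scope=openid' \
        --data-urlencode 'state=s1' \
        --data-urlencode 'nonce=n1')"
    LOCATION="$(sed -n 's/^[Ll]ocation: *//p' "$HDRS" | tr -d '\r')"
    RESP="$(cat "$BODY")"
    rm -f "$HDRS" "$BODY"
    if is_missing_provider_error "$RESP"; then
        echo "Reproduced OPENAM-16170 (HTTP $STATUS): $RESP" >&2
        return 1
    fi
    CODE="$(extract_code_from_location "$LOCATION")"
    if [ -z "$CODE" ]; then
        # e.g. a consent page instead of a 302; inspect the body.
        echo "No authorization code in redirect (HTTP $STATUS): $RESP" >&2
        return 1
    fi
    printf '%s\n' "$CODE"
}

# Redeem the code at the token endpoint with the agent's client secret.
exchange_code() {
    curl -sS -X POST "$AM_BASE/oauth2/realms/root/access_token" \
        -u "$AGENT_ID:$AGENT_SECRET" \
        -d grant_type=authorization_code -d "code=$1" \
        --data-urlencode "redirect_uri=$REDIRECT_URI"
}

# Run the live flow only when credentials are supplied via the environment.
if [ -n "${AM_PASSWORD:-}" ] && [ -n "${AGENT_SECRET:-}" ]; then
    TOKEN="$(login)"
    CODE="$(authorize "$TOKEN")"
    exchange_code "$CODE"
fi
```

      Run it as `AM_PASSWORD=whatever AGENT_SECRET=... sh repro.sh`; on an affected build the authorize step exits with the "No OpenID Connect provider for realm /" body, on a fixed build the token response is printed.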


        1. fake.sh
          3 kB
        2. ig-cdsso-flow.txt
          9 kB
        3. ig-cdsso-pef-flow.txt
          17 kB



            • Assignee:
              richard.ward Richard Ward
              tony.bamford Tony Bamford