
Not possible for Agents/IG to use the OIDC code flow

    Details

    • Type: Improvement
    • Status: In Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: oauth2, OpenID Connect
    • Labels:

      Description

      To reproduce the bug:

      Firstly you will need to edit openam-oauth2/src/main/java/org/forgerock/oauth2/core/AgentOAuth2ProviderSettings.java to enable the Agent to use the code flow as follows:

          // Let the agent client use the authorization code grant alongside implicit.
          @Override
          public Set<String> getSupportedGrantTypes() {
              Set<String> result = new HashSet<>();
              result.addAll(GrantType.IMPLICIT.getTokenEndpointReferences());
              result.addAll(GrantType.AUTHORIZATION_CODE.getTokenEndpointReferences());
              return result;
          }

          // Accept response_type=code in addition to id_token.
          @Override
          public Map<String, ResponseTypeHandler> getAllowedResponseTypes() {
              Map<String, ResponseTypeHandler> responseTypes = new HashMap<>();
              responseTypes.put("id_token", InjectorHolder.getInstance(IdTokenResponseTypeHandler.class));
              responseTypes.put("code", InjectorHolder.getInstance(AuthorizationCodeResponseTypeHandler.class));
              return responseTypes;
          }

      Then change openam-oauth2/src/main/java/org/forgerock/openam/oauth2/AgentClientRegistration.java as follows:

          // Allow "code" and the hybrid combinations for the agent's client registration.
          @Override
          public Set<String> getAllowedResponseTypes() {
              return Sets.newHashSet(OAuth2Constants.AuthorizationEndpoint.ID_TOKEN,
                      OAuth2Constants.AuthorizationEndpoint.CODE,
                      OAuth2Constants.AuthorizationEndpoint.ID_TOKEN + " " + OAuth2Constants.AuthorizationEndpoint.CODE,
                      OAuth2Constants.AuthorizationEndpoint.CODE + " " + OAuth2Constants.AuthorizationEndpoint.ID_TOKEN
              );
          }

          // Grant types must match what the provider settings above advertise.
          @Override
          public Set<GrantType> getAllowedGrantTypes() {
              return new HashSet<>(Arrays.asList(GrantType.IMPLICIT, GrantType.AUTHORIZATION_CODE));
          }

      In the following I have made these assumptions:

      • hostname: openam.afb.com
      • container #1 hosting AM deployed on port 8010
      • container #2 hosting nothing in particular deployed on port 8030 (to be honest, I'm not sure you even need a container here), nonetheless you will need to choose a port number which I've assumed is 8030.

       

      In the XUI, create a new Java Agent (in the root realm).

      Again in the XUI, create an ordinary user (in the root realm):

      • Identities
      • +Add Identity
        User ID: noggin
        Password: whatever
      • Create

      Install httpie. Sorry, I tried to get my script to work with curl and the -L option, but it was beyond my skills. If you feel you can edit the script so it doesn't need httpie, please feel free.
      Make a copy of the attached script and edit the first few lines according to the values you entered for Agent name, password and ordinary user and password.

      Run the script as often as you like. You should see the output:

      {"error_description":"No OpenID Connect provider for realm /","error":"not_found"}
      

       That's the bug.
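      As an added illustration (not the attached fake.sh and not ForgeRock code), the same code-flow walk in standard-library Python; it avoids the curl -L problem by handing back the 302 from /oauth2/authorize instead of following it, so the code can be read from the Location header, and it recognises the error body quoted above. Assumed, not from the ticket: the /openam context path, the agent's redirect path, the agent credentials, the default iPlanetDirectoryPro cookie name, that no consent page is shown, and HTTP Basic client authentication at the token endpoint.

```python
import base64, json, secrets, urllib.error, urllib.parse, urllib.request

AM = "http://openam.afb.com:8010/openam"                         # container #1 (context path assumed)
REDIRECT_URI = "http://openam.afb.com:8030/agent/cdsso-oauth2"  # container #2 (path assumed)
AGENT_ID, AGENT_PW = "my-java-agent", "agent-password"           # placeholders: the Java Agent you created
USER, USER_PW = "noggin", "whatever"                              # the ordinary user from the ticket

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def http_error_302(self, req, fp, code, msg, headers):
        return fp  # hand the 302 back so its Location header can be read instead of followed
OPENER = urllib.request.build_opener(NoRedirect)
def extract_code(location):
    """Authorization code from a redirect_uri?code=...&state=... Location header (None if absent)."""
    return urllib.parse.parse_qs(urllib.parse.urlsplit(location).query).get("code", [None])[0]

def oidc_provider_missing(body):
    """True for the error body this ticket reports ('No OpenID Connect provider for realm /')."""
    err = json.loads(body) if body.lstrip().startswith("{") else {}
    return err.get("error") == "not_found" and "No OpenID Connect provider" in err.get("error_description", "")

def authenticate():  # REST login of the ordinary user; returns the SSO token (tokenId)
    req = urllib.request.Request(f"{AM}/json/realms/root/authenticate", data=b"", headers={
        "X-OpenAM-Username": USER, "X-OpenAM-Password": USER_PW, "Content-Type": "application/json",
        "Accept-API-Version": "resource=2.0, protocol=1.0"})
    with OPENER.open(req) as resp:
        return json.load(resp)["tokenId"]
def get_code(sso_token):  # GET /authorize with the session cookie; take the code from the 302
    params = {"response_type": "code", "client_id": AGENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": secrets.token_urlsafe(8), "nonce": secrets.token_urlsafe(8)}
    req = urllib.request.Request(f"{AM}/oauth2/realms/root/authorize?" + urllib.parse.urlencode(params),
                                 headers={"Cookie": f"iPlanetDirectoryPro={sso_token}"})
    try:
        with OPENER.open(req) as resp:
            code = extract_code(resp.headers.get("Location", ""))  # a 200 (consent/login page) gives None
    except urllib.error.HTTPError as e:  # non-2xx JSON errors, like the one in this ticket, land here
        body = e.read().decode()
        raise SystemExit(("OPENAM-16170 reproduced: " if oidc_provider_missing(body) else "authorize failed: ") + body)
    if not code:
        raise SystemExit("authorize did not redirect with a code (consent required or redirect_uri not registered?)")
    return code

def exchange(code):  # redeem the code at /access_token; HTTP Basic client auth with agent name/password is assumed
    creds = base64.b64encode(f"{AGENT_ID}:{AGENT_PW}".encode()).decode()
    data = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI})
    req = urllib.request.Request(f"{AM}/oauth2/realms/root/access_token", data=data.encode(),
                                 headers={"Authorization": "Basic " + creds})
    with OPENER.open(req) as resp:
        return json.load(resp)
if __name__ == "__main__":
    print(json.dumps(exchange(get_code(authenticate())), indent=2))
```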

        Attachments

        1. fake.sh
          3 kB
        2. ig-cdsso-flow.txt
          9 kB
        3. ig-cdsso-pef-flow.txt
          17 kB

            People

            • Assignee: Richard Ward (richard.ward)
            • Reporter: Tony Bamford (tony.bamford)
