OPENAM-16209 (project OpenAM)

Parameters included in conditional login URL are passed to agent as PAP Claims

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      To replicate

      1) Set up the Agent (e.g. http://abondance-uk.internal.forgerock.com/pkg/servers/forgerock/Agent/web-agent/staging/5.7.0-M8/web-agent-5.7.0-M8-Apache_v24_Linux_64bit.zip) with AM 7.0.0 in the usual way, where we have AM at, say, openam.localtest.me:8080/openam and the agent at, say, agent.localtest.me

      2) Set the following properties

      A) org.forgerock.openam.agents.config.allow.custom.login=true
      B) com.forgerock.agents.conditional.login.url[0]=agent.localtest.me|http://openam.localtest.me:8080/openam/UI/Login?test=cond2
      C) Create a validation service with value http://*:*/* and http://*:*/*?*
      D) Set up a policy so that all resources can be accessed by authenticated users

      4) Now attempt to access a page in the browser (e.g. http://agent.localtest.me/index.html)

      Expected behaviour
      __________________

      We expect that after authentication the user would end up at the page http://agent.localtest.me/index.html

      Actual behaviour
      ________________

      After authentication the user ends up at
      http://agent.localtest.me/index.html?test=cond2

      Further Details
      _______________

      This is the simplest way we can find to reproduce this behaviour but there are other tests which attempt to simulate custom login page actions which also show this behaviour.

      It is possible that this functionality will cause problems to some customers who have custom login pages.

      From the Agent logs we see that

      2020-05-06 17:06:54 GMT DEBUG   [3c1940c8-5bc8-29e8-8c70-a31f2df10aaf]: (source/body_reader.c:127) close_post_body(): reading body content to memory
      2020-05-06 17:06:54 GMT DEBUG   [3c1940c8-5bc8-29e8-8c70-a31f2df10aaf]: (source/enforce/enforce_oidc.c:379) JWT {"sub":"demo","auditTrackingId":"a0d5c66b-5f43-44c4-9d04-9aa5cc6cd547-90610","iss":"http://openam.localtest.me:8080/openam/oauth2","tokenName":"id_token","nonce":"8F7928FB77D3798AF5F3D2BE20E74D1C","aud":"wpa-agent","acr":"0","s_hash":"0eL6OdOSy95223v0jafNYQ","azp":"wpa-agent","auth_time":1588784814,"forgerock":{"ssotoken":"blHiOxPGz4z5VftnOaIhc1L93HY.*AAJTSQACMDEAAlNLABwyQmlGOEpPb0VZUlRwTHc5UU9FeHRjekVEbmM9AAR0eXBlAANDVFMAAlMxAAA.*","suid":"a0d5c66b-5f43-44c4-9d04-9aa5cc6cd547-90411","papClaims":{"test":"cond2"}},"realm":"/","exp":1588792014,"tokenType":"JWTToken","iat":1588784814,"agent_realm":"/"}
      2020-05-06 17:06:54 GMT DEBUG   [3c1940c8-5bc8-29e8-8c70-a31f2df10aaf]: (source/cookies.c:293) pre-authn cookie value eAENxk0KgCAQBtC7fGsrXUjibaIZMBh/MAVBvHu91ZvoVeBxPIl47KFFgULkFjJtdyaGNwqBL+L6ws+lUKjApy6iwOOvsc6dzhqt1wfxORiF : 81 base64 bytes inflates (uncompresses) to -> 78 bytes
      {"url":"/index.html","method-code":1,"headers":{},"pdp":null,"exp":1588785100}
      
      2020-05-06 17:06:54 GMT DEBUG   [3c1940c8-5bc8-29e8-8c70-a31f2df10aaf]: (source/cookies.c:481) found state identifier 42927fb8-6afe-9416-6a4e-3af95acd35d9, looped through 1 states
      2020-05-06 17:06:54 GMT DEBUG   [3c1940c8-5bc8-29e8-8c70-a31f2df10aaf]: (source/apache/agent.c:916) amagent_auth_handler(): exit status: redirect (1)
      2020-05-06 17:06:54 GMT DEBUG   [bff4acf9-7d02-e999-d279-7f8efbbb2169]: (source/enforce/enforce_url_handler.c:238) setup_request_data(): client ip: 10.166.0.1
      2020-05-06 17:06:54 GMT DEBUG   [bff4acf9-7d02-e999-d279-7f8efbbb2169]: (source/enforce/enforce_url_handler.c:276) setup_request_data(): client hostname: (empty)
      2020-05-06 17:06:54 GMT DEBUG   [bff4acf9-7d02-e999-d279-7f8efbbb2169]: (source/enforce/enforce_url_handler.c:284) setup_request_data(): original request url: http://agent.localtest.me/index.html?test=cond2
      2020-05-06 17:06:54 GMT DEBUG   [bff4acf9-7d02-e999-d279-7f8efbbb2169]: (source/enforce/enforce_url_handler.c:406) setup_request_data(): 
      method: GET 
      original url: http://agent.localtest.me/index.html?test=cond2
      

      This shows that the PAP claim is present in the JWT, which was not the case in earlier versions of AM.
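      As an added check (not part of this issue, the web agent or AM), the script below reads the agent properties from step 2 and the agent debug lines above and reports any query parameter of a conditional login URL that resurfaces as a papClaim in the id_token or on the URL the agent processes after login. The config text is constructed to match step 2; the three log lines are copied from the excerpt above; the regexes assume the log line layout shown there and would need adjusting for other agent versions.

```python
"""Check an OpenAM web agent's conditional-login configuration against its
debug log for query parameters that leak into papClaims or the return URL.

Added example; not ForgeRock agent or AM code. AGENT_CONFIG is constructed
to match step 2 of the report; AGENT_LOG lines are copied from the excerpt.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed to mirror step 2 (conditional login URL carrying ?test=cond2).
AGENT_CONFIG = """\
org.forgerock.openam.agents.config.allow.custom.login=true
com.forgerock.agents.conditional.login.url[0]=agent.localtest.me|http://openam.localtest.me:8080/openam/UI/Login?test=cond2
"""

# Copied from the issue's agent log: the decoded id_token, the inflated
# pre-authn cookie (the request saved before redirecting to login) and the
# URL the agent sees once the user returns from AM.
AGENT_LOG = """\
2020-05-06 17:06:54 GMT DEBUG   [3c1940c8-5bc8-29e8-8c70-a31f2df10aaf]: (source/enforce/enforce_oidc.c:379) JWT {"sub":"demo","auditTrackingId":"a0d5c66b-5f43-44c4-9d04-9aa5cc6cd547-90610","iss":"http://openam.localtest.me:8080/openam/oauth2","tokenName":"id_token","nonce":"8F7928FB77D3798AF5F3D2BE20E74D1C","aud":"wpa-agent","acr":"0","s_hash":"0eL6OdOSy95223v0jafNYQ","azp":"wpa-agent","auth_time":1588784814,"forgerock":{"ssotoken":"blHiOxPGz4z5VftnOaIhc1L93HY.*AAJTSQACMDEAAlNLABwyQmlGOEpPb0VZUlRwTHc5UU9FeHRjekVEbmM9AAR0eXBlAANDVFMAAlMxAAA.*","suid":"a0d5c66b-5f43-44c4-9d04-9aa5cc6cd547-90411","papClaims":{"test":"cond2"}},"realm":"/","exp":1588792014,"tokenType":"JWTToken","iat":1588784814,"agent_realm":"/"}
{"url":"/index.html","method-code":1,"headers":{},"pdp":null,"exp":1588785100}
2020-05-06 17:06:54 GMT DEBUG   [bff4acf9-7d02-e999-d279-7f8efbbb2169]: (source/enforce/enforce_url_handler.c:284) setup_request_data(): original request url: http://agent.localtest.me/index.html?test=cond2
"""

# Patterns assume the property and log layouts shown in the issue.
COND_LOGIN_RE = re.compile(
    r"^com\.forgerock\.agents\.conditional\.login\.url\[\d+\]=([^|]*)\|(\S+)$", re.M)
JWT_RE = re.compile(r"\bJWT (\{.*\})\s*$", re.M)
PRE_AUTHN_RE = re.compile(r'^(\{"url":.*\})\s*$', re.M)
ORIG_URL_RE = re.compile(r"original request url: (\S+)")


def conditional_login_params(config_text):
    """Map each conditional-login condition to the query params of its login URL."""
    return {cond: dict(parse_qsl(urlsplit(url).query))
            for cond, url in COND_LOGIN_RE.findall(config_text)}


def jwt_pap_claims(log_text):
    """papClaims carried under the 'forgerock' claim of the logged id_token."""
    m = JWT_RE.search(log_text)
    if not m:
        return {}
    return json.loads(m.group(1)).get("forgerock", {}).get("papClaims") or {}


def post_login_url(log_text):
    """URL the agent processes after the user comes back from AM."""
    m = ORIG_URL_RE.search(log_text)
    return m.group(1) if m else None


def expected_return_url(log_text):
    """URL saved in the pre-authn cookie, rebuilt on the post-login scheme/host."""
    saved, actual = PRE_AUTHN_RE.search(log_text), post_login_url(log_text)
    if not (saved and actual):
        return None
    parts = urlsplit(actual)
    return f"{parts.scheme}://{parts.netloc}{json.loads(saved.group(1))['url']}"


def find_leaks(config_text, log_text):
    """Login-URL params that reappear as papClaims or on the return URL."""
    claims = jwt_pap_claims(log_text)
    actual = post_login_url(log_text)
    return_params = dict(parse_qsl(urlsplit(actual).query)) if actual else {}
    leaks = []
    for cond, params in conditional_login_params(config_text).items():
        for name, value in params.items():
            seen_in = [where for where, bag in (("papClaims", claims),
                                                ("return-url", return_params))
                       if bag.get(name) == value]
            if seen_in:
                leaks.append({"condition": cond, "param": name,
                              "value": value, "seen_in": seen_in})
    return leaks


if __name__ == "__main__":
    print("expected return:", expected_return_url(AGENT_LOG))
    print("actual return:  ", post_login_url(AGENT_LOG))
    for leak in find_leaks(AGENT_CONFIG, AGENT_LOG):
        print("leak:", leak)
```

      On the log excerpt from this issue the expected return URL is http://agent.localtest.me/index.html while the agent actually processes http://agent.localtest.me/index.html?test=cond2, and find_leaks reports test=cond2 in both papClaims and the return URL. On a deployment where the agent strips its own login-URL parameters the two URLs match and find_leaks returns an empty list.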

              People

              • Assignee: Kamal Sivanandam (kamal.sivanandam@forgerock.com)
              • Reporter: edwardb (edward.barker)