OpenAM / OPENAM-16299

AM 5.0.0's oidc module does not work if the sub-realm is in mixed case

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.0.0
    • Fix Version/s: 5.5.1, 5.5.2
    • Component/s: None
    • Labels:
      None
    • Support Ticket IDs:

      Description

      Bug description

      AM 5.0.0's oidc module does not work if the sub-realm is in mixed case

      How to reproduce the issue

      Create a sub-realm in mixed case, e.g. Demo

      Create an oidc module in the Demo sub-realm

      Run an OAuth2 password grant query to get the id-token

      curl -s -k --request POST --user "$myOAuth2Client:$myoauth2client" --data "grant_type=password&username=$user&password=$password&scope=profile+openid" $openam/openam/oauth2/access_token

      Authenticate with the id-token against the oidc module

      curl -s \
       --request POST -H 'Accept-API-Version: protocol=1.0,resource=1.0' \
       --header "Content-Type: application/json" \
       --header "oidc_id_token: $ID_TOKEN" \
       "http://openam.internal.example.com:8080/openam/json/realms/root/realms/$realm/authenticate?authIndexType=module&authIndexValue=OIDCBearer&realm=$realm" 

       

      Expected behaviour
      User is authenticated
      
      Current behaviour
      The following error was encountered 
      
      Exception :
      com.sun.identity.authentication.spi.AuthLoginException: Verification of the ID Token failed.
              at org.forgerock.openam.authentication.modules.oidc.JwtHandler.validateJwt(JwtHandler.java:125)
              at org.forgerock.openam.authentication.modules.oidc.OpenIdConnect.process(OpenIdConnect.java:70)
              at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1061)
              at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1251)
              at sun.reflect.GeneratedMethodAccessor597.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:483)
              at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:219)
              at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:127)
              at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:559)
              at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
              at 
      

      Work around

      There is a case-sensitivity bug when the realm is in mixed case

      Use all lowercase for the sub-realm, e.g. demo instead of Demo

      Or

      Upgrade to AM 5.5.1 and above

       


            People

            • Assignee:
              Unassigned
              Reporter:
              sam.phua Sam Phua
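
A diagnostic for the reproduction steps above, added here as an example and not taken from the issue or from OpenAM: it decodes the id_token returned by the password grant, without verifying it, and reports whether the realm it carries differs from the realm in the authenticate URL only by letter case. It assumes the realm appears as the last path segment of `iss` and/or in a `realm` claim; the token response is constructed sample data.

```python
import base64
import json

def jwt_claims(id_token):
    """Decode the (unverified) payload segment of a compact JWT for inspection."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def realm_case_report(token_response, requested_realm):
    """Compare the realm spelling in the id_token with the one used in the URL."""
    claims = jwt_claims(json.loads(token_response)["id_token"])
    # Assumption: realm is the last path segment of "iss" and/or a "realm" claim.
    seen = {
        "iss": claims.get("iss", "").rstrip("/").rsplit("/", 1)[-1],
        "realm": claims.get("realm", "").strip("/"),
    }
    report = {}
    for name, value in seen.items():
        if not value:
            report[name] = "absent"
        elif value == requested_realm:
            report[name] = "exact match"
        elif value.lower() == requested_realm.lower():
            report[name] = "case-only mismatch"   # the situation this issue describes
        else:
            report[name] = "different realm"
    return report

def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample response, not captured from a server; the signature is a dummy.
SAMPLE_CLAIMS = {
    "sub": "demo", "aud": "myOAuth2Client", "realm": "/demo",
    "iss": "http://openam.internal.example.com:8080/openam/oauth2/Demo",
}
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "id_token": ".".join([_b64url({"alg": "RS256"}), _b64url(SAMPLE_CLAIMS), "c2ln"]),
})

if __name__ == "__main__":
    print(realm_case_report(SAMPLE_RESPONSE, "Demo"))
```
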