OpenAM / OPENAM-16418

Client auth using private_key_jwt fails with 500 if claim format is wrong


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.2.3, 7.0.0, 6.5.3, 7.1.0, 7.0.1
    • Fix Version/s: 6.5.4, 7.1.1, 2021.6, 7.2.0
    • Component/s: oauth2
    • Rank: 1|i010jf:
    • Sprint: AM Sustaining Sprint 77, AM Sustaining Sprint 78, AM Sustaining Sprint 79
    • Yes
    • No
    • Yes
    • Yes and I used the same an in the description

    Description

      Bug description

      When an OAuth2 client authenticates with private_key_jwt and one of the claims in the client assertion is formatted incorrectly (for example, a numeric claim sent as a string), AM fails while validating the assertion and responds with 500 Internal Server Error instead of rejecting the request as a client error.

      How to reproduce the issue

      1. Configure an OAuth2 client: set Token Endpoint Authentication Method to private_key_jwt, Grant Types to client_credentials, and Token Endpoint Authentication Signing Algorithm to HS256.
      2. Generate a JWT and put quotation marks around the exp claim value so that it is a String instead of a number.
      3. Request an access token, e.g.:
        curl --location --request POST 'https://openam.example.com:8443/openam/oauth2/access_token' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'grant_type=client_credentials' \
        --data-urlencode 'client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqd3RfY2xpZW50IiwiaWF0IjoxNTkzMDg1NTEyLCJleHAiOiIxNTkzMDg2NzEzIiwiYXVkIjoiaHR0cHM6Ly9vcGVuYW0uZXhhbXBsZS5jb206ODQ0My9vcGVuYW0vb2F1dGgyL2FjY2Vzc190b2tlbiIsInN1YiI6Imp3dF9jbGllbnQifQ.mkxXDVHFmMzrCc0AgSerXv-02MmQiw4onbcAKD4RAbA' \
        --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
        --data-urlencode 'redirect_uri=http://www.test.com' \
        --data-urlencode 'scope=profile openid' \
        --data-urlencode 'client_id=jwt_client'

      Expected behaviour
      400 Bad Request
      Current behaviour
      500 Internal Server Error
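      The failure above is a type problem in claim validation: the assertion's exp claim arrives as a JSON string, and comparing it with the current time throws instead of producing an OAuth2 error. The following Python is an added example, not OpenAM's own code. It decodes the client_assertion from the curl command above, shows the naive check that crashes on a string exp, and beside it a strict parse-then-validate path that turns every malformed claim into a 400 invalid_client response. Signature verification is omitted because the signing key is not part of the report; the function names (parse_assertion, check_claims_naive, check_claims_strict, validate_client_assertion, encode_unsigned_assertion) are this example's own.

```python
import base64
import json

# The client_assertion from the reproduction step above; its "exp" claim is the
# JSON string "1593086713" rather than a NumericDate.
REPORTED_ASSERTION = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJqd3RfY2xpZW50IiwiaWF0IjoxNTkzMDg1NTEyLCJleHAiOiIxNTkzMDg2NzEzIiwiYXVkIjoiaHR0cHM6Ly9vcGVuYW0uZXhhbXBsZS5jb206ODQ0My9vcGVuYW0vb2F1dGgyL2FjY2Vzc190b2tlbiIsInN1YiI6Imp3dF9jbGllbnQifQ."
    "mkxXDVHFmMzrCc0AgSerXv-02MmQiw4onbcAKD4RAbA"
)
# The audience the assertion must name: the token endpoint from the report.
TOKEN_ENDPOINT = "https://openam.example.com:8443/openam/oauth2/access_token"


class InvalidClientAssertion(Exception):
    """Any structural problem with the assertion; the endpoint maps it to 400."""


def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_assertion(assertion):
    """Split and decode a compact JWS into (header, claims) without verifying it."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise InvalidClientAssertion("assertion is not a three-part compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise InvalidClientAssertion("undecodable JWT segment: %s" % exc) from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidClientAssertion("JWT header and payload must be JSON objects")
    return header, claims


def check_claims_naive(claims, now):
    # Reproduces the report's failure mode: the claim's type is assumed. With a
    # string "exp" the comparison raises TypeError, which surfaces as a 500.
    return claims["exp"] > now


def _is_numeric_date(value):
    # bool is a subclass of int in Python, so it has to be excluded explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_claims_strict(claims, now, audience, client_id):
    """Validate RFC 7523 client-assertion claims, raising InvalidClientAssertion
    for every defect so the caller can answer 400 instead of crashing."""
    for name in ("iss", "sub", "aud", "exp"):
        if name not in claims:
            raise InvalidClientAssertion("missing required claim '%s'" % name)
    for name in ("exp", "iat", "nbf"):
        if name in claims and not _is_numeric_date(claims[name]):
            raise InvalidClientAssertion(
                "claim '%s' must be a NumericDate, got %s"
                % (name, type(claims[name]).__name__))
    if claims["iss"] != client_id or claims["sub"] != client_id:
        raise InvalidClientAssertion("iss and sub must both equal the client_id")
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise InvalidClientAssertion("aud does not include the token endpoint")
    if claims["exp"] <= now:
        raise InvalidClientAssertion("assertion has expired")
    if "nbf" in claims and claims["nbf"] > now:
        raise InvalidClientAssertion("assertion is not yet valid")


def validate_client_assertion(assertion, client_id, audience, now):
    """Return (400, error body) for a malformed assertion, or (None, claims)
    when the claims are well-formed and signature verification may proceed."""
    try:
        _header, claims = parse_assertion(assertion)
        check_claims_strict(claims, now, audience, client_id)
    except InvalidClientAssertion as exc:
        return 400, {"error": "invalid_client", "error_description": str(exc)}
    return None, claims


def encode_unsigned_assertion(header, claims):
    """Build a JWT with a placeholder signature segment (constructed test input only)."""
    def segment(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([segment(header), segment(claims), "unsigned"])
```

      Run against the reported assertion, validate_client_assertion returns 400 with error_description "claim 'exp' must be a NumericDate, got str", which is the shape of answer the report expects; the same assertion with exp re-encoded as an integer passes the claim checks and would proceed to signature verification. The point of the ordering is that every value read from an untrusted token is type-checked before it is used in a comparison, so malformed input is a client error rather than an unhandled exception.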

      Workaround

      Don't send invalid JWTs...

      People

        chee-weng.chea C-Weng C
        aaron.haskins Aaron Haskins [X] (Inactive)
        Votes: 0
        Watchers: 5