OpenAM issue OPENAM-16474

id_token contains auth_time of 0 if session is deleted before authorization_code is used

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.2.3
    • Fix Version/s: None
    • Component/s: OpenID Connect

      Description

      Bug description

      If an authorization_code is used after the session is deleted, AM issues an id_token with an auth_time of 0. If you call sessions/?_action=getSessionProperties to view that session's properties, it still returns a valid authInstant time.

      How to reproduce the issue

      1. Configure an OAuth2 Provider and a client with the openid scope
      2. Call the authorize endpoint, authenticate and provide consent
      3. Once an authorization code is returned, delete the session
      4. Swap the authorization code at the /access_token endpoint

      Expected behaviour

      id_token contains a valid auth_time, i.e. not 0

      Current behaviour

      id_token auth_time is set to 0

      Work around

      Keep the session until the access_token and id_token have been acquired.

      Code analysis

      org/forgerock/oauth2/core/AuthorizationCodeGrantTypeHandler.java
      try {
          SSOTokenManager ssoTokenManager = SSOTokenManager.getInstance();
          // Fails with SSOException once the session behind sessionId has been deleted
          SSOToken token = ssoTokenManager.createSSOToken(sessionId);
          authTimeInSeconds = stringToDate(token.getProperty(ISAuthConstants.AUTH_INSTANT)).getTime() / 1000;
          authLevel = AMAuthUtils.getHighestAuthenticatedLevel(token);
      } catch (SSOException | ParseException e) {
          // The failure is only logged: authTimeInSeconds is never assigned on this path,
          // so the value it held before the try (0, per the behaviour reported above)
          // is what ends up as auth_time in the id_token
          logger.error("Error retrieving session from AuthorizationCode", e);
      }
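      The following is an added illustration of the failure path described in the bug description and the code analysis above; it is constructed for this page and is not OpenAM code. A small in-memory SessionStore stands in for AM's session service (SSOTokenManager, ISAuthConstants.AUTH_INSTANT and the logger are replaced by a dict and a print), issue_id_token_as_reported mirrors the log-and-continue pattern that leaves auth_time at 0, issue_id_token_hardened is one possible server-side remedy (refusing the code exchange with invalid_grant, which the report does not prescribe), and auth_time_acceptable is the relying-party check that would catch such a token. All names, time values and the code-to-session map are assumptions.

```python
class SessionNotFound(Exception):
    """Raised when a session id no longer resolves to a live session."""


class InvalidGrant(Exception):
    """OAuth2 invalid_grant: the authorization code cannot be redeemed."""


class SessionStore:
    """Constructed stand-in for AM's session service (not OpenAM code)."""

    def __init__(self):
        self._sessions = {}

    def create(self, session_id, auth_instant):
        # authInstant mirrors the session property the bug report refers to
        self._sessions[session_id] = {"authInstant": auth_instant}

    def delete(self, session_id):
        self._sessions.pop(session_id, None)

    def get_property(self, session_id, name):
        try:
            return self._sessions[session_id][name]
        except KeyError:
            raise SessionNotFound(session_id)


def issue_id_token_as_reported(store, code_to_session, code, now):
    """Mirrors the reported pattern: the lookup failure is logged and swallowed,
    so auth_time keeps its default of 0 when the session is already gone."""
    auth_time = 0
    try:
        auth_time = store.get_property(code_to_session[code], "authInstant")
    except SessionNotFound as e:
        print("Error retrieving session from AuthorizationCode:", e)
    return {"iat": now, "exp": now + 3600, "auth_time": auth_time}


def issue_id_token_hardened(store, code_to_session, code, now):
    """Assumed remedy (not from the report): no live session, no id_token.
    The code exchange fails with invalid_grant instead of emitting a claim
    that does not describe a real authentication event."""
    try:
        auth_time = store.get_property(code_to_session[code], "authInstant")
    except SessionNotFound as e:
        raise InvalidGrant(f"session for authorization code is gone: {e}") from e
    return {"iat": now, "exp": now + 3600, "auth_time": auth_time}


def auth_time_acceptable(claims, now, max_age=None):
    """Relying-party check: reject an id_token whose auth_time is absent, zero,
    in the future, or (when max_age was requested) older than max_age seconds."""
    auth_time = claims.get("auth_time")
    if not isinstance(auth_time, int) or auth_time <= 0:
        return False
    if auth_time > now:
        return False
    if max_age is not None and now - auth_time > max_age:
        return False
    return True


def demo():
    """Walks the reproduction steps: issue before deletion, delete, issue again."""
    now = 1_700_000_000                              # constructed "current time"
    store = SessionStore()
    store.create("sess-1", auth_instant=now - 30)   # user authenticated 30 s ago
    codes = {"code-abc": "sess-1"}                  # constructed code -> session map

    before = issue_id_token_as_reported(store, codes, "code-abc", now)
    store.delete("sess-1")                          # step 3 of the reproduction
    after = issue_id_token_as_reported(store, codes, "code-abc", now)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("auth_time with live session:", before["auth_time"])
    print("auth_time after session deleted:", after["auth_time"])
    print("RP accepts the second token?", auth_time_acceptable(after, 1_700_000_000))
```

      The relying-party check is the part worth keeping regardless of how AM is fixed: an id_token whose auth_time is 0 carries no usable statement about when the user authenticated, so a client that enforces max_age or otherwise relies on auth_time should treat it as invalid rather than as "authenticated at the epoch".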
      

              People

              • Assignee: Unassigned
              • Reporter: aaron.haskins (Aaron Haskins)
              • Votes: 0
              • Watchers: 2
