
AM 5.5 and 6.0 UI should warn when OAuth 2.0 tokens are signed by an HMAC secret smaller than 256 bits


    • Type: Task
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 5.5.2
    • Fix Version/s: None
    • Component/s: console, UI
    • Labels:


      Relates to OPENAM-16451 - Problem with HMAC secret when upgrading from AM 5.5


      The issue is not at the time of signing but at the time of saving a new HMAC secret in the console:

      The issue with the AM 5.5 and AM 6.0 console UI is that when an HMAC secret is entered, there is no validation to warn that it is smaller than the required 256 bits. The console accepts a secret that cannot work: if the secret is too short and a token is signed with it, signing fails.


      NOTE: If you are already signing tokens with HMAC in AM 5.5 and 6.0, the upgrade route will work.

      This problem does not happen in AM 6.5 because the secret is not captured in the AM console.
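      As an added illustration, not OpenAM code and not part of this issue, the check the console is missing, written in Python: check_hmac_secret measures a console-entered secret in bits, counting its UTF-8 bytes, against the minimum RFC 7518 requires for each HMAC JWS algorithm (256 bits for HS256), and a minimal HS256 signer refuses an undersized key instead of producing a token that signing would fail on. The function names, the sample secrets and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Minimum key size in bits per HMAC JWS algorithm (RFC 7518 section 3.2: the
# key must be at least as long as the hash output). Constructed example table.
MIN_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
DIGEST = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def secret_bits(secret):
    """Size of a secret string in bits, counting its UTF-8 bytes, which is how a
    string typed into a console ends up being fed to the MAC."""
    return len(secret.encode("utf-8")) * 8


def check_hmac_secret(secret, alg="HS256"):
    """Validation a console could run before saving a secret.

    Returns (ok, message). Hypothetical helper, not OpenAM's own validation.
    """
    if alg not in MIN_KEY_BITS:
        return False, "unsupported algorithm %s" % alg
    bits = secret_bits(secret)
    need = MIN_KEY_BITS[alg]
    if bits < need:
        return False, "%s secret is %d bits; at least %d bits required" % (alg, bits, need)
    return True, "%s secret is %d bits; OK" % (alg, bits)


def _b64url(data):
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs_jwt(claims, secret, alg="HS256"):
    """Build a compact JWS with an HMAC algorithm, refusing an undersized key
    instead of emitting a token that strict implementations reject."""
    ok, msg = check_hmac_secret(secret, alg)
    if not ok:
        raise ValueError(msg)
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode("utf-8"))
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, DIGEST[alg]).digest()
    return "%s.%s.%s" % (header, payload, _b64url(sig))


def verify_hs_jwt(token, secret, alg="HS256"):
    """Recompute the MAC over header.payload and compare in constant time.
    An undersized key is rejected here too, so both sides agree."""
    ok, _ = check_hmac_secret(secret, alg)
    if not ok:
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, sig = parts
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, DIGEST[alg]).digest()
    return hmac.compare_digest(_b64url(expected), sig)


if __name__ == "__main__":
    # Constructed sample secrets: a short one a console would accept without
    # warning, and a 32-character one (256 bits) that meets the HS256 minimum.
    for s in ("short-secret", "0123456789abcdef0123456789abcdef"):
        print(check_hmac_secret(s))
    token = sign_hs_jwt({"sub": "demo"}, "0123456789abcdef0123456789abcdef")
    print(token)
    print(verify_hs_jwt(token, "0123456789abcdef0123456789abcdef"))
```

      The byte count is a floor, not a measure of strength: a 32-character secret made of dictionary words passes the size check yet is still a weak HMAC key, so a console should generate the secret randomly or require one that is both long enough and random.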

      How to reproduce the issue

      This can be reproduced as follows:

      1. Deploy AM 5.5.1
      2. All default configuration
      3. Configure > Global Services > OAuth2Provider > Advanced
      4. Add your own string as the HMAC signature secret
      5. Create an OAuth2 service under the root realm (or in a new realm); you may also change the secret for the current realm at this point, with the same result.
      6. Save the OAuth2 service, making sure that the HMAC secret is selected for token signing (the default)
      7. Start upgrade:
        1. kill tomcat
        2. replace war file
        3. restart
      8. Upgrade fails at the OAuth2Secret

      NOTE: This problem occurs if the selected secret is too short; secrets of sufficient length (e.g. 32 characters) are upgraded.




            • Assignee:
              salbertelli01 sheila albertelli