OPENAM-16697

Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects versions: 13.5.3, 14.1.2, 6.5.1, 5.5.3, 6.0.1, 7.0.0
    • Fix versions: 5.5.3, 6.0.1, 6.5.3, 7.1.0, 7.0.1
    • Sprint: AM Sustaining Sprint 78



      When calling the well-known endpoint and specifying the realm in legacy identifier format such that the case does not match the configured realm name, the issuer in the response will not match the path specified on the request (it will use the realms/root/realms/<realm> format).

      Reproduction steps:

      1. Set up an AM env, embedded config and user store.
      2. Then create a realm, sub and add Services -> OAuth2 Provider Service (default values).
      3. Calling (using the legacy realm identifier format)…

      Expected behaviour

      curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/sub/.well-known/openid-configuration?prettyPrint=true"

      results in


      Also, if I use the realm path format, then using lower or upper case returns a consistent path result for issuer (but always lower case).

      curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/SUB/.well-known/openid-configuration?prettyPrint=true"


      Current behaviour:

      However, calling

      curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/SUB/.well-known/openid-configuration?prettyPrint=true"

      results in


      for which the path of the issuer is inconsistent with that in the request.


      Workaround: use the full realm path format in the request, or use a realm DNS alias and have no realm path identifier in the request.

      Code analysis

      This looks to have been caused by the code added for OPENAM-13991 that matches on the realm name when supplied in legacy realm identifier format:



      String realmRoutingPath = realm.asRoutingPath();
      if (requestUrl.contains(realmPath) && !requestUrl.contains(realmRoutingPath) && baseUrl.contains(realmRoutingPath)) {
          // Backwards compatibility - realm identifier in request path (not using realms/root/realms/<realm> format)
          baseUrl = baseUrl.replaceAll(realmRoutingPath + "$", realmPath);
      }

      I believe the emboldened code above needs to support a case ignore match.
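      To make the analysis concrete, the following is an added example (not OpenAM code) that models the issuer rewrite quoted above with the reproduction values from this issue. It assumes the base URL is built in realms/root/realms/<realm> format, that realmPath is "/sub" and realmRoutingPath is "/realms/root/realms/sub", and it places the case-sensitive match from OPENAM-13991 beside the case-ignoring match proposed here.

```java
import java.util.Locale;

public class LegacyRealmIssuerExample {

    /** Rewrite with the case-sensitive match quoted in the issue (reproduces the reported behaviour). */
    static String issuerCaseSensitive(String requestUrl, String baseUrl, String realmPath, String realmRoutingPath) {
        if (requestUrl.contains(realmPath) && !requestUrl.contains(realmRoutingPath)
                && baseUrl.contains(realmRoutingPath)) {
            // Legacy realm identifier in request path: replace the routing-path suffix with the legacy path
            baseUrl = baseUrl.replaceAll(realmRoutingPath + "$", realmPath);
        }
        return baseUrl;
    }

    /** Same rewrite, but the realm identifier in the request is matched ignoring case (the proposed fix). */
    static String issuerIgnoreCase(String requestUrl, String baseUrl, String realmPath, String realmRoutingPath) {
        String request = requestUrl.toLowerCase(Locale.ROOT);
        boolean legacyIdentifier = request.contains(realmPath.toLowerCase(Locale.ROOT))
                && !request.contains(realmRoutingPath.toLowerCase(Locale.ROOT));
        if (legacyIdentifier && baseUrl.endsWith(realmRoutingPath)) {
            // Plain suffix replacement (no regex), so the realm name is never interpreted as a pattern
            baseUrl = baseUrl.substring(0, baseUrl.length() - realmRoutingPath.length()) + realmPath;
        }
        return baseUrl;
    }

    public static void main(String[] args) {
        // Assumed values, derived from the reproduction steps in this issue
        String prefix = "https://openam.amtest2.com:8443/access/oauth2";
        String baseUrl = prefix + "/realms/root/realms/sub";
        String realmPath = "/sub";                          // legacy realm identifier
        String realmRoutingPath = "/realms/root/realms/sub"; // full realm path
        String[] requests = {
            prefix + "/sub/.well-known/openid-configuration",
            prefix + "/SUB/.well-known/openid-configuration",                  // case mismatch: issuer keeps routing format
            prefix + "/realms/root/realms/SUB/.well-known/openid-configuration" // full path: consistent either way
        };
        for (String requestUrl : requests) {
            System.out.println("request              : " + requestUrl);
            System.out.println("  case-sensitive issuer: " + issuerCaseSensitive(requestUrl, baseUrl, realmPath, realmRoutingPath));
            System.out.println("  ignore-case issuer   : " + issuerIgnoreCase(requestUrl, baseUrl, realmPath, realmRoutingPath));
        }
    }
}
```

      For the /SUB/ request the case-sensitive version returns the routing-path issuer, while the ignore-case version returns the legacy-path issuer consistent with the request.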




      Reporter and assignee: Lawrence Yarham (lawrence.yarham)