- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 13.5.3, 14.1.2, 6.5.0.1, 6.0.0.7, 6.5.1, 5.5.3, 6.0.1, 6.5.2.3, 7.0.0
- Component/s: None
- Sprint: AM Sustaining Sprint 78
- Story Points: 2
- Needs backport: No
- Support Ticket IDs:
- Functional tests: Yes
- Are the reproduction steps defined?: Yes, and I used the same as in the description / Yes, but I used my own steps (if so, please add them in a new comment)
Description:
When calling the well-known endpoint with the realm given in the legacy identifier format, and with a case that does not match the configured realm name, the issuer in the response does not match the path used on the request: it falls back to the realms/root/realms/<realm> routing format.
Reproduction steps:
- Set up an AM 6.5.2.3 environment with embedded config and user store.
- Create a realm named sub and add Services -> OAuth2 Provider Service (default values).
- Call the well-known endpoint using the legacy realm identifier format, as below.
Expected behaviour:
curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/sub/.well-known/openid-configuration?prettyPrint=true"
results in
..."issuer":"https://openam.amtest2.com:8443/access/oauth2/sub"...
Also, if I use the realm path format, then using lower or upper case returns a consistent path result for issuer (but always lower case).
curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/SUB/.well-known/openid-configuration?prettyPrint=true"
..."issuer":"https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/sub"...
Current behaviour:
However, calling
curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/SUB/.well-known/openid-configuration?prettyPrint=true"
results in
..."issuer":"https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/sub"...
for which the path of the issuer is inconsistent with that in the request.
Workaround:
Use the full realm path format in the request, or use a realm DNS alias with no realm path identifier in the request.
Code analysis:
This looks to have been caused by the code added for OPENAM-13991 that matches on the realm name when supplied in legacy realm identifier format:
OAuth2UrisFactory.get...
    String realmRoutingPath = realm.asRoutingPath();
    if (requestUrl.contains(realmPath) && !requestUrl.contains(realmRoutingPath)
            && baseUrl.contains(realmRoutingPath)) {
        // Backwards compatibility - realm identifier in request path (not using realms/root/realms/<realm> format)
        baseUrl = baseUrl.replaceAll(realmRoutingPath + "$", realmPath);
    }
I believe the emboldened code above needs to support a case ignore match.
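The following is an added worked example, not code from the AM code base or from this report. It re-implements the base-URL rewrite quoted above in Python so the three request forms from the reproduction steps can be compared side by side, once with the case-sensitive `contains` test that produces the reported issuer and once with the case-insensitive match the report proposes. The values of realm.asPath() ("/sub") and realm.asRoutingPath() ("/realms/root/realms/sub"), the deployment base URL and the relying-party check at the end are assumptions made for the example. The fixed variant keeps the configured (lower-case) realm path in the issuer, which matches what the realm-path form already returns.

```python
import re
from urllib.parse import urlparse

# Constructed values for the reproduction above (not read from an AM instance).
DEPLOYMENT_BASE = "https://openam.amtest2.com:8443/access"
REALM_PATH = "/sub"                        # assumed return value of realm.asPath()
ROUTING_PATH = "/realms/root/realms/sub"   # assumed return value of realm.asRoutingPath()
WELL_KNOWN = "/.well-known/openid-configuration"


def issuer_for(request_url: str, realm_path: str = REALM_PATH,
               routing_path: str = ROUTING_PATH, ignore_case: bool = False) -> str:
    """Derive the issuer the way the quoted OAuth2UrisFactory snippet does.

    base_url starts in the canonical routing form. If the request used the
    legacy identifier (realm directly under /oauth2, without realms/root/realms/),
    the routing tail is swapped for the realm path so issuer and request agree.
    ignore_case=False reproduces the reported behaviour; ignore_case=True is the
    case-insensitive match proposed in the report (an assumed fix, not AM's code).
    """
    base_url = f"{DEPLOYMENT_BASE}/oauth2{routing_path}"
    path = urlparse(request_url).path          # query string (?prettyPrint=true) is irrelevant
    haystack, realm_needle, routing_needle = (
        (path.lower(), realm_path.lower(), routing_path.lower()) if ignore_case
        else (path, realm_path, routing_path)
    )
    if realm_needle in haystack and routing_needle not in haystack and routing_path in base_url:
        # Mirrors baseUrl.replaceAll(realmRoutingPath + "$", realmPath)
        base_url = re.sub(re.escape(routing_path) + "$", realm_path, base_url)
    return base_url


def issuer_matches_request(request_url: str, issuer: str) -> bool:
    """Check a relying party effectively performs on a discovery document: the
    issuer must be the URL the document was fetched from, minus the well-known
    suffix. Compared case-insensitively here because the realm-path form already
    normalises the realm name to lower case (assumption for this example)."""
    parsed = urlparse(request_url)
    fetched_from = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if fetched_from.endswith(WELL_KNOWN):
        fetched_from = fetched_from[: -len(WELL_KNOWN)]
    return fetched_from.lower() == issuer.lower()


if __name__ == "__main__":
    for req in (f"{DEPLOYMENT_BASE}/oauth2/sub{WELL_KNOWN}?prettyPrint=true",
                f"{DEPLOYMENT_BASE}/oauth2/SUB{WELL_KNOWN}?prettyPrint=true",
                f"{DEPLOYMENT_BASE}/oauth2/realms/root/realms/SUB{WELL_KNOWN}?prettyPrint=true"):
        for ignore_case in (False, True):
            iss = issuer_for(req, ignore_case=ignore_case)
            label = "case-insensitive" if ignore_case else "case-sensitive"
            print(f"{label}: {req.split('/oauth2', 1)[1]} -> issuer {iss}"
                  f" consistent={issuer_matches_request(req, iss)}")
```

Only the legacy-format request with a differently cased realm name ("/oauth2/SUB/...") changes outcome between the two variants: with the case-sensitive test it is left in routing form and fails the consistency check, with the case-insensitive test it becomes ".../oauth2/sub" and passes. Note that both variants test for the realm path as a substring of the request URL, exactly as the quoted Java `contains` calls do; only the case handling differs.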
- is caused by: OPENAM-13991 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm (Resolved)