OpenAM / OPENAM-16697

Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.3, 14.1.2, 6.5.0.1, 6.0.0.7, 6.5.1, 5.5.3, 6.0.1, 6.5.2.3, 7.0.0
    • Fix Version/s: 5.5.3, 6.0.1, 6.5.3, 7.1.0, 7.0.1
    • Component/s: None
    • Labels:
    • Sprint: AM Sustaining Sprint 78
    • Story Points: 2
    • Needs backport: No
    • Support Ticket IDs:
    • Functional tests: Yes
    • Are the reproduction steps defined?: Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      Description:

      When calling the well-known endpoint with the realm specified in legacy identifier format, and the case of the supplied name does not match the configured realm name, the issuer in the response will not match the path format used in the request (it falls back to the realms/root/realms/<realm> format).

      Reproduction steps:

      1. Set up an AM 6.5.2.3 env, embedded config and user store.
      2. Then create a realm named "sub" and add Services -> OAuth2 Provider Service (default values).
      3. Calling (using the legacy realm identifier format)…

      Expected behaviour

      curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/sub/.well-known/openid-configuration?prettyPrint=true"

      results in

      ..."issuer":"https://openam.amtest2.com:8443/access/oauth2/sub"...

      Also, if I use the realm path format, then using lower or upper case returns a consistent path result for issuer (but always lower case).

      curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/SUB/.well-known/openid-configuration?prettyPrint=true"

      ..."issuer":"https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/sub"...

      Current behaviour:

      However, calling

      curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/SUB/.well-known/openid-configuration?prettyPrint=true"

      results in

      ..."issuer":"https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/sub"...

      for which the path of the issuer is inconsistent with that in the request.

      Workaround

      Use full realm path format in the request, or use a realm DNS alias and have no realm path identifier in the request.

      Code analysis

      This looks to have been caused by the code added for OPENAM-13991 that matches on the realm name when supplied in legacy realm identifier format:

      OAuth2UrisFactory.get...


      String realmRoutingPath = realm.asRoutingPath();
      if (requestUrl.contains(realmPath) && !requestUrl.contains(realmRoutingPath) && baseUrl.contains(realmRoutingPath)) {
          // Backwards compatibility - realm identifier in request path (not using realms/root/realms/<realm> format)
          baseUrl = baseUrl.replaceAll(realmRoutingPath + "$", realmPath);
      }


      I believe the emboldened code above needs to support a case ignore match.
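      The following is an added, self-contained illustration of the rewrite quoted above; it is not OpenAM code. It models the realm "sub" from the reproduction steps with the same variable names as the snippet (realmPath, realmRoutingPath, requestUrl, baseUrl), shows the case-sensitive match beside a case-insensitive one, and adds the check a relying party applies to the discovery document (OpenID Connect Discovery 1.0 section 4.3 requires the returned issuer to be identical to the URL the document was fetched from, minus the /.well-known/openid-configuration suffix). The base URL and realm paths are taken from the ticket; everything else is constructed.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration (not OpenAM code) of the baseUrl rewrite quoted in the
 * code analysis. Realm "sub" has a legacy path "/sub" and a routing path
 * "/realms/root/realms/sub"; when the request used the legacy form, the issuer
 * base URL is rewritten to that form. AM resolves the realm name ignoring case
 * (the request ".../oauth2/SUB/..." reaches realm "sub", as the ticket shows),
 * so the string match that decides the rewrite has to ignore case as well.
 */
public final class IssuerPathExample {

    static final String BASE_URL_PREFIX = "https://openam.amtest2.com:8443/access/oauth2";
    static final String REALM_PATH = "/sub";                            // legacy identifier, canonical lower case
    static final String REALM_ROUTING_PATH = "/realms/root/realms/sub"; // realm.asRoutingPath()

    /** Logic as quoted in the ticket: String.contains is case-sensitive. */
    static String issuerBaseBuggy(String requestUrl) {
        String baseUrl = BASE_URL_PREFIX + REALM_ROUTING_PATH;
        if (requestUrl.contains(REALM_PATH)
                && !requestUrl.contains(REALM_ROUTING_PATH)
                && baseUrl.contains(REALM_ROUTING_PATH)) {
            baseUrl = baseUrl.replaceAll(REALM_ROUTING_PATH + "$", REALM_PATH);
        }
        return baseUrl;
    }

    /**
     * Case-insensitive variant. The request is lower-cased for the match only;
     * the rewrite still substitutes the canonical realm path, so the result is
     * always lower case, as the routing-path form already is. The trailing
     * segment is matched with Pattern.quote and replaced with
     * Matcher.quoteReplacement so that a realm path is never interpreted as a
     * regular expression or a replacement template (the quoted snippet passes
     * the raw string to replaceAll).
     */
    static String issuerBaseFixed(String requestUrl) {
        String baseUrl = BASE_URL_PREFIX + REALM_ROUTING_PATH;
        String lowerRequest = requestUrl.toLowerCase(Locale.ROOT);
        if (lowerRequest.contains(REALM_PATH.toLowerCase(Locale.ROOT))
                && !lowerRequest.contains(REALM_ROUTING_PATH.toLowerCase(Locale.ROOT))
                && baseUrl.contains(REALM_ROUTING_PATH)) {
            Pattern trailingRoutingPath = Pattern.compile(Pattern.quote(REALM_ROUTING_PATH) + "$");
            baseUrl = trailingRoutingPath.matcher(baseUrl)
                    .replaceAll(Matcher.quoteReplacement(REALM_PATH));
        }
        return baseUrl;
    }

    /**
     * Relying-party check on the discovery document: the issuer must equal the
     * request URL with the query string and the well-known suffix removed.
     * Comparison is exact, as the Discovery specification requires.
     */
    static boolean issuerMatchesRequest(String requestUrl, String issuer) {
        String withoutQuery = requestUrl.split("\\?", 2)[0];
        String suffix = "/.well-known/openid-configuration";
        if (!withoutQuery.endsWith(suffix)) {
            return false;
        }
        String expected = withoutQuery.substring(0, withoutQuery.length() - suffix.length());
        return expected.equals(issuer);
    }

    public static void main(String[] args) {
        // The three requests from the reproduction steps.
        String[] requests = {
            BASE_URL_PREFIX + "/sub/.well-known/openid-configuration?prettyPrint=true",
            BASE_URL_PREFIX + "/SUB/.well-known/openid-configuration?prettyPrint=true",
            BASE_URL_PREFIX + "/realms/root/realms/SUB/.well-known/openid-configuration?prettyPrint=true",
        };
        for (String requestUrl : requests) {
            String buggy = issuerBaseBuggy(requestUrl);
            String fixed = issuerBaseFixed(requestUrl);
            System.out.println("request: " + requestUrl);
            System.out.println("  buggy issuer: " + buggy
                    + "  (identical to request: " + issuerMatchesRequest(requestUrl, buggy) + ")");
            System.out.println("  fixed issuer: " + fixed
                    + "  (identical to request: " + issuerMatchesRequest(requestUrl, fixed) + ")");
        }
    }
}
```

      Running the class reproduces the ticket: for ".../oauth2/sub/..." both variants return ".../oauth2/sub"; for ".../oauth2/SUB/..." the buggy variant returns the routing-path form while the fixed one returns ".../oauth2/sub"; for the routing-path request neither variant rewrites. Note what the strict check reports: the case-insensitive match restores a consistent path format, but an issuer of ".../oauth2/sub" is still not byte-identical to a request spelled ".../oauth2/SUB", exactly as the ticket observes for the routing-path form ("always lower case"). A client that validates the discovery document strictly therefore needs the request to use the realm's canonical spelling, or the DNS-alias workaround above, regardless of this fix.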

              People

              • Assignee: Lawrence Yarham (lawrence.yarham)
              • Reporter: Lawrence Yarham (lawrence.yarham)