[OPENAM-16697] Case mismatch for realm (when using legacy realm identifier format) on well-known endpoint results in issuer with incorrect path format - ForgeRock JIRA

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 13.5.3, 14.1.2, 6.5.0.1, 6.0.0.7, 6.5.1, 5.5.3, 6.0.1, 6.5.2.3, 7.0.0
Fix Version/s: 5.5.3, 6.0.1, 6.5.3, 7.1.0, 7.0.1
Component/s: None
Labels:
- EDISON
- OAuth2

Target Version/s:

5.5.3, 6.0.1, 7.1.0, 7.0.1
Rank:
1|i01w4n:

Sprint:
AM Sustaining Sprint 78
Story Points:
2
Needs backport:

No

Support Ticket IDs:

Functional tests:

Yes
Are the reproduction steps defined?:

Yes and I used the same an in the description, Yes but I used my own steps. (If so, please add them in a new comment)

Description

Description:

When calling the well known endpoint and specifying the realm in legacy identifier format such that the case mismatches the configured realm name, the issuer in the response will not match the path specified on the request (it will use the realms/root/realms<realm> format).

Reproduction steps:

Set up an AM 6.5.2.3 env, embedded config and user store.
Then create a realm, sub and add Services -> OAuth2 Provider Service (default values).
Calling (using the legacy realm identifier format)…

Expected behaviour

curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/sub/.well-known/openid-configuration?prettyPrint=true"

results in

..."issuer":"https://openam.amtest2.com:8443/access/oauth2/sub"...

Also, if I use the realm path format, then using lower or upper case returns a consistent path result for issuer (but always lower case).

curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/SUB/.well-known/openid-configuration?prettyPrint=true"

..."issuer":"https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/sub"...

Current behaviour:

However, calling

curl -k -X GET -H "Accept-API-Version:protocol=1.0,resource=2.1" "https://openam.amtest2.com:8443/access/oauth2/SUB/.well-known/openid-configuration?prettyPrint=true"

results in

..."issuer":"https://openam.amtest2.com:8443/access/oauth2/realms/root/realms/sub"...

for which the path of the issuer is inconsistent with that in the request.

Workaround

Use full realm path format in the request, or use a realm DNS alias and have no realm path identifier in the request.

Code analysis

This looks to have been caused by the code added for ~~OPENAM-13991~~ that matches on the realm name when supplied in legacy realm identifier format:

OAuth2UrisFactory.get...

        String realmRoutingPath = realm.asRoutingPath();
        if (requestUrl.contains(realmPath) && !requestUrl.contains(realmRoutingPath) && baseUrl.contains(realmRoutingPath)) {
            // Backwards compatibility - realm identifier in request path (not using realms/root/realms/<realm> format)
            baseUrl = baseUrl.replaceAll(realmRoutingPath + "$", realmPath);
        }

I believe the emboldened code above needs to support a case ignore match.

Attachments

Issue Links

is caused by

OPENAM-13991 'issuer' value in .well-known/openid-configuration response is incorrect for a sub-realm

Resolved

Activity

People

Assignee:: Lawrence Yarham

Reporter:: Lawrence Yarham

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2020-08-24 8:34 PM

Updated:: 2021-03-16 5:10 PM

Resolved:: 2020-09-03 3:55 PM