OpenAM
OPENAM-16701

The authorize endpoint with a service parameter will cause the parameter to appear as a PAP claim in the agent's ID token



    • AM Sustaining Sprint 78, AM Sustaining Sprint 79


      Bug description

      The service parameter in e.g. oauth2/authorize?service=webauthn will cause AM to authenticate using an auth tree. But AM will incorrectly add


      to the ID token it issues after authentication. The agent assumes this claim is the output of a Post Authentication Plugin (PAP) and modifies the user's request after authentication as if a PAP had changed it: it appends "?service=webauthn" to the user's request, which can affect policy decisions.

      This is a bug in the sustaining implementation of post authentication plugins in an OAuth2 setting. AM incorrectly treats some parameters of oauth2/authorize as PAP output. Similar problems have been fixed before by identifying well-known parameters of that endpoint and excluding them from the PAP claims, but the service parameter is not among them.

      How to reproduce the issue

      1. In the web agent, configure <am>/oauth2/authorize?service=<name> as a conditional login URL for requests that arrive at /foo
      2. Access the agent at /foo to trigger authentication
      3. Observe the location after authentication
      Expected behaviour
      No PAP information in the ID token, and nothing has modified the URL after authentication
      Current behaviour
      A papClaim object appears in the ID token, and after authentication you arrive at /foo?service=webauthn
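The following is an added example, not code from this ticket or from the AM or agent code base. It models the two halves of the problem described above in Python: building the PAP claim from an authorize request with the exclusion-list approach the description mentions (first without, then with, the service parameter excluded), and decoding an ID token to check whether papClaim carries an authorize-request parameter at all. The {name: [values]} layout of papClaim, the agent's merge behaviour, the example hostnames and the list of standard OAuth2/OIDC parameter names are assumptions; only "service", "papClaim" and "/foo?service=webauthn" come from the ticket.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Standard OAuth 2.0 / OIDC authorize request parameters (RFC 6749, OIDC Core).
# Assumed to be the "well-known parameters" the ticket says were already excluded.
OAUTH2_AUTHORIZE_PARAMS = {
    "client_id", "redirect_uri", "response_type", "scope", "state", "nonce",
    "code_challenge", "code_challenge_method", "prompt", "max_age",
    "login_hint", "acr_values", "display", "ui_locales",
}
# AM parameter that selects the authentication tree; the one OPENAM-16701 reports.
AM_AUTHN_SELECTOR_PARAMS = {"service"}
EXCLUDED_FROM_PAP = OAUTH2_AUTHORIZE_PARAMS | AM_AUTHN_SELECTOR_PARAMS


def pap_claim_from_authorize_request(authorize_url: str, exclude=EXCLUDED_FROM_PAP) -> dict:
    """Build a papClaim payload from the query of an authorize request, dropping
    every well-known parameter. The {name: [values]} layout is an assumption."""
    query = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    return {k: v for k, v in query.items() if k not in exclude}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def leaked_authorize_params(id_token: str, exclude=EXCLUDED_FROM_PAP) -> set:
    """Inspect the ID token payload (no signature check: this is a diagnostic for
    a token you already hold, not a validator) and return the papClaim keys
    that are really authorize-request parameters, i.e. the symptom of the bug."""
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    pap = payload.get("papClaim") or {}
    return set(pap) & exclude


def agent_apply_pap(request_url: str, pap_claim: dict) -> str:
    """Simplified model of the agent's behaviour: merge papClaim parameters into
    the user's original request. The real agent's merge logic is assumed."""
    parts = urlsplit(request_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query.update(pap_claim)
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed, unsigned (alg "none") ID token for this demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed authorize request matching the ticket's scenario (hostnames assumed).
AUTHORIZE_URL = (
    "https://am.example.test/openam/oauth2/authorize"
    "?client_id=agent&response_type=code&scope=openid"
    "&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcb&service=webauthn"
)
# Reported behaviour: only the standard names are excluded, so "service" lands in the claim.
BUGGY_CLAIM = pap_claim_from_authorize_request(AUTHORIZE_URL, exclude=OAUTH2_AUTHORIZE_PARAMS)
# Expected behaviour: "service" is excluded like the other authorize parameters.
FIXED_CLAIM = pap_claim_from_authorize_request(AUTHORIZE_URL)

if __name__ == "__main__":
    token = make_unsigned_id_token({"sub": "alice", "papClaim": BUGGY_CLAIM})
    print("authorize params leaked into papClaim:", leaked_authorize_params(token))
    print("buggy :", agent_apply_pap("https://app.example.test/foo", BUGGY_CLAIM))
    print("fixed :", agent_apply_pap("https://app.example.test/foo", FIXED_CLAIM))
```

Running the block prints {'service'} for the leaked set, then the two post-authentication locations from the ticket: /foo?service=webauthn with the reported claim and a clean /foo once the parameter is excluded. `leaked_authorize_params` is the check a practitioner can run over a captured ID token to confirm whether an AM build is affected; it deliberately does not verify the signature, so use it only on tokens obtained through a trusted flow.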


              kamal.sivanandam@forgerock.com Kamal Sivanandam
              nick.james Nicholas James