OPENAM-16807

The dynamic values for request_uri being stored in client config does not expire and is not automatically removed


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 6.5.2.3, 7.0.0
    • None
    • Component/s: OpenID Connect
    • Sprint: AM Sustaining Sprint 79
    • 3

      Description

      As noted in this RFE: https://bugster.forgerock.org/jira/browse/OPENAM-16806


      AM supports the JAR (JWT-Secured Authorization Request) specification as defined here:
      https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20

      This specification allows a request object to be passed by reference, the reference being stored as a request_uri value in the client configuration.

      Before a request_uri such as https://tfp.example.org/request.jwt/GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM can be used, its value must be pre-registered with the authorization server, in this case AM.

      The intent is to ensure that the risks outlined in https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20#section-10.4 are mitigated when the client next calls the authorization endpoint with this value, i.e.:

      https://server.example.com/authorize?
      response_type=code%20id_token
      &client_id=s6BhdRkqt3
      &request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt
      %2FGkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM
      &state=af0ifjsldkj

      This implementation has a major issue:

      1. The request object will at some point expire and therefore be removed from the third-party resource that hosts it. The corresponding request_uri should then be removed as well; otherwise the client configuration will continue to grow in size.


      The CDR (Consumer Data Right) specification, for example, dictates that:

      • The Request URI MUST expire between 10 seconds and 90 seconds

      https://consumerdatastandardsaustralia.github.io/standards/#end-points
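      The following is an added example and is not AM's implementation or any ForgeRock code: a small pre-registered request_uri store that gives each value an expiry within the CDR bounds quoted above (10 to 90 seconds, assumed here as the policy), prunes expired values on every lookup, and parses the request_uri parameter out of an authorization request like the one shown earlier. Class and function names (RequestUriRegistry, parse_authorize_request, demo) are hypothetical, and the sample URL is the one from the issue text with its line breaks removed.

```python
"""Added example, not OpenAM/AM code: a pre-registered request_uri store that
enforces a per-entry lifetime and prunes expired entries, so that a client's
registration does not grow without bound. All names here are hypothetical."""
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Lifetime bounds taken from the CDR requirement quoted in the issue:
# a request_uri MUST expire between 10 and 90 seconds (assumed as policy here).
MIN_TTL_SECONDS = 10
MAX_TTL_SECONDS = 90


@dataclass
class RequestUriRegistry:
    """Per-client map of request_uri -> expiry time (epoch seconds)."""
    _entries: dict = field(default_factory=dict)

    def register(self, client_id: str, request_uri: str, ttl_seconds: int,
                 now: Optional[float] = None) -> float:
        """Pre-register a request_uri for client_id; returns its expiry time."""
        if not MIN_TTL_SECONDS <= ttl_seconds <= MAX_TTL_SECONDS:
            raise ValueError(
                f"ttl must be within [{MIN_TTL_SECONDS}, {MAX_TTL_SECONDS}] s")
        if urlsplit(request_uri).scheme != "https":
            raise ValueError("request_uri must be an absolute https URL")
        now = time.time() if now is None else now
        expires_at = now + ttl_seconds
        self._entries.setdefault(client_id, {})[request_uri] = expires_at
        return expires_at

    def prune(self, now: Optional[float] = None) -> int:
        """Remove every entry whose expiry has passed; returns the count removed."""
        now = time.time() if now is None else now
        removed = 0
        for client_id in list(self._entries):
            uris = self._entries[client_id]
            for uri in [u for u, exp in uris.items() if exp <= now]:
                del uris[uri]
                removed += 1
            if not uris:  # drop the per-client map once it is empty
                del self._entries[client_id]
        return removed

    def is_registered(self, client_id: str, request_uri: str,
                      now: Optional[float] = None) -> bool:
        """Check made at the authorization endpoint. Pruning first means a
        stale value never matches, whatever the background cleanup cadence."""
        self.prune(now)
        return request_uri in self._entries.get(client_id, {})

    def size(self, client_id: str) -> int:
        """Number of live request_uri values held for this client."""
        return len(self._entries.get(client_id, {}))


def parse_authorize_request(url: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (client_id, request_uri) from an authorization request URL;
    parse_qs percent-decodes the request_uri value for us."""
    params = parse_qs(urlsplit(url).query)
    return (params.get("client_id", [None])[0],
            params.get("request_uri", [None])[0])


# Constructed sample: the authorization request from the issue, joined onto one line.
SAMPLE_AUTHORIZE_URL = (
    "https://server.example.com/authorize?response_type=code%20id_token"
    "&client_id=s6BhdRkqt3"
    "&request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt"
    "%2FGkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM"
    "&state=af0ifjsldkj"
)


def demo() -> dict:
    """Registration, use, expiry and cleanup at fixed clock values."""
    reg = RequestUriRegistry()
    client_id, request_uri = parse_authorize_request(SAMPLE_AUTHORIZE_URL)
    reg.register(client_id, request_uri, ttl_seconds=60, now=1000.0)
    return {
        "valid_at_1030": reg.is_registered(client_id, request_uri, now=1030.0),
        "valid_at_1060": reg.is_registered(client_id, request_uri, now=1060.0),
        "size_after_expiry": reg.size(client_id),
    }


if __name__ == "__main__":
    print(demo())
```

      The point the example makes is the one raised in the issue: once a value is past its expiry it is both rejected at the authorization endpoint and dropped from the client's registration, so the store's size tracks the number of live request objects rather than every value ever registered.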

      People

      Assignee: Unassigned
      Reporter: mark.nienaber@forgerock.com (Mark Nienaber)