OPENAM-16866

AM should fail gracefully if id_token fails to generate when swapping refresh token

    Details

    • Sprint:
      AM Sustaining Sprint 79, AM Sustaining Sprint 80
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      When calling the access_token endpoint with a refresh token, if the id_token fails to generate the client / user is left in limbo with no way to make additional calls because:

      • Access Token has already been revoked or expired
      • Refresh token 1 has already been swapped for another refresh token 2, but refresh token 2 has not yet been presented to the client.
      • Refresh token 1 has been blacklisted (or if in CTS then removed)

      Under these conditions it's expected that AM fails gracefully by returning an appropriate error, removing refresh token 1 from the blacklist and allowing the client to make the same call again with refresh token 1.

      Steps to reproduce

      1. Set up the OAuth2 Provider with client-based tokens, issue refresh tokens, and issue refresh tokens on refresh

      2. Set up an OAuth2 Client with scopes openid and profile

      3. On the OAuth2 Client settings, Signing and Encryption tab, check "Enable ID Token Encryption"

      4. On the OAuth2 Client settings, Signing and Encryption tab, set "JWKs URI content cache timeout in ms" to 1 to ensure the cache is not used

      5. Using the Authorization Code flow, obtain an access_token, refresh_token and id_token.

      6. Call the access_token endpoint with the refresh token to refresh the tokens, i.e.

      curl --location --request POST 'https://openam.example.com:8443/secure/oauth2/realms/root/access_token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --header 'Cookie: amlbcookie=01; iPlanetDirectoryPro=pedeVgIc_SXbxg5UNld3LRG02YA......' \
      --data-urlencode 'grant_type=refresh_token' \
      --data-urlencode 'refresh_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.......' \
      --data-urlencode 'client_id=myClient' \
      --data-urlencode 'client_secret=password' \
      --data-urlencode 'scope=openid'

      7. The client receives a new access_token, refresh_token and id_token as expected.

      8. On the OAuth2 Client settings, Signing and Encryption tab, change "Json Web Key URI" to an invalid value such as http://blah

      9. To reproduce the issue, call the access_token endpoint with the refresh token to refresh the tokens, i.e.

      curl --location --request POST 'https://openam.example.com:8443/secure/oauth2/realms/root/access_token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --header 'Cookie: amlbcookie=01; iPlanetDirectoryPro=pedeVgIc_SXbxg5UNld3LRG02YA......' \
      --data-urlencode 'grant_type=refresh_token' \
      --data-urlencode 'refresh_token=abcdefg.......' \
      --data-urlencode 'client_id=myClient' \
      --data-urlencode 'client_secret=password' \
      --data-urlencode 'scope=openid'

      10. AM returns 400:

      { "error_description": "server_error (400) - The authorization server encountered an unexpected condition which prevented it from fulfilling the request.", "error": "server_error" }

      11. The OAuth2Provider debug file shows:
      OAuth2Provider:10/02/2020 12:44:55:132 pm AEST: Thread[https-jsse-nio-8443-exec-3,5,main]: TransactionId[6460455a-c9c8-4fd6-9870-b16693c8048b-2405]
      ERROR: Cant create id token
      org.forgerock.secrets.NoSuchSecretException: No secret configured for purpose oauth2.oidc.idtoken.encryption


      Behaviour:

      The client cannot do anything further for the user because:
      • there is no access_token, as it has been revoked (or expired beforehand).
      • there is no refresh token, because refresh token 1 was revoked when it was swapped.

      Expected behaviour:
      AM fails gracefully and allows the client to make the same call it made previously, successfully swapping the refresh token for new tokens.

      i.e.
      curl --location --request POST 'https://openam.example.com:8443/secure/oauth2/realms/root/access_token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --header 'Cookie: amlbcookie=01; iPlanetDirectoryPro=pedeVgIc_SXbxg5UNld3LRG02YA......' \
      --data-urlencode 'grant_type=refresh_token' \
      --data-urlencode 'refresh_token=abcdefg.......' \
      --data-urlencode 'client_id=myClient' \
      --data-urlencode 'client_secret=password' \
      --data-urlencode 'scope=openid'
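      To make the ordering problem concrete, the following is an added example (not OpenAM code) that models refresh-token rotation with an in-memory store. It assumes a hypothetical TokenStore with a set of valid refresh tokens and a blacklist, and a constructed make_id_token stand-in that fails the way the OAuth2Provider log above does when the JWKS URI cannot be fetched. refresh_without_rollback reproduces the stranded-client behaviour from the report; refresh_with_rollback applies the expected behaviour (un-blacklist refresh token 1, drop the undelivered token 2) so the same call can be retried.

```python
# Added example, not OpenAM's implementation: a minimal model of refresh-token
# rotation showing why the order of "revoke old token" vs "mint id_token" matters.
import secrets
from dataclasses import dataclass, field


class IdTokenError(Exception):
    """Stands in for the NoSuchSecretException seen in the OAuth2Provider log."""


@dataclass
class TokenStore:
    # Hypothetical in-memory stand-in for CTS / client-based token state.
    refresh_tokens: set = field(default_factory=set)  # currently valid refresh tokens
    blacklist: set = field(default_factory=set)       # revoked refresh tokens


def issue_refresh_token(store: TokenStore) -> str:
    rt = "rt." + secrets.token_urlsafe(12)
    store.refresh_tokens.add(rt)
    return rt


def make_id_token(jwks_reachable: bool) -> str:
    # Constructed stand-in for id_token encryption: fails when the client's
    # JWKS URI is broken, as in step 8 of the report.
    if not jwks_reachable:
        raise IdTokenError("No secret configured for purpose oauth2.oidc.idtoken.encryption")
    return "id." + secrets.token_urlsafe(12)


def _is_valid(store: TokenStore, rt: str) -> bool:
    return rt in store.refresh_tokens and rt not in store.blacklist


def refresh_without_rollback(store: TokenStore, old_rt: str, jwks_reachable: bool) -> dict:
    """Behaviour described in the ticket: refresh token 1 is swapped and
    blacklisted before the id_token exists, so a failure strands the client."""
    if not _is_valid(store, old_rt):
        return {"error": "invalid_grant"}
    store.refresh_tokens.discard(old_rt)
    store.blacklist.add(old_rt)
    new_rt = issue_refresh_token(store)
    try:
        id_token = make_id_token(jwks_reachable)
    except IdTokenError:
        # new_rt was never returned to the client and old_rt is already dead.
        return {"error": "server_error"}
    return {"refresh_token": new_rt, "id_token": id_token}


def refresh_with_rollback(store: TokenStore, old_rt: str, jwks_reachable: bool) -> dict:
    """Expected behaviour: on id_token failure, undo the swap so the client
    can retry the identical call with refresh token 1."""
    if not _is_valid(store, old_rt):
        return {"error": "invalid_grant"}
    store.refresh_tokens.discard(old_rt)
    store.blacklist.add(old_rt)
    new_rt = issue_refresh_token(store)
    try:
        id_token = make_id_token(jwks_reachable)
    except IdTokenError:
        # Roll back: drop the undelivered token 2 and un-blacklist token 1.
        store.refresh_tokens.discard(new_rt)
        store.blacklist.discard(old_rt)
        store.refresh_tokens.add(old_rt)
        return {"error": "server_error"}
    return {"refresh_token": new_rt, "id_token": id_token}


def run_scenario(handler) -> tuple:
    """Step 9 of the report (JWKS broken), then the same call once the JWKS
    URI is fixed. Returns the 'error' field of each response (None on success)."""
    store = TokenStore()
    rt1 = issue_refresh_token(store)
    first = handler(store, rt1, jwks_reachable=False)
    retry = handler(store, rt1, jwks_reachable=True)
    return first.get("error"), retry.get("error")


if __name__ == "__main__":
    print("without rollback:", run_scenario(refresh_without_rollback))
    print("with rollback:   ", run_scenario(refresh_with_rollback))
```

      Running it prints ("server_error", "invalid_grant") for the first handler, i.e. the retry in the expected-behaviour section above is rejected, and ("server_error", None) for the second, where the retry succeeds. An alternative to an explicit rollback is to mint the access, refresh and id tokens first and only then commit the revocation of refresh token 1; from the client's point of view both give the outcome the ticket asks for.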

            People

            • Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              mark.nienaber@forgerock.com Mark Nienaber
            • Votes:
              0
              Watchers:
              6