Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-16997

Device code grant implied consent fails if access_token request performed before user authenticates



    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 5.5.3, 6.0.1, 6.5.4, 7.1.0, 7.0.1
    • 5.5.3, 6.0.1, 6.5.4, 7.1.0, 7.0.2
    • oauth2
    • AM Sustaining Sprint 80
    • 3
    • No
    • No
    • Yes
    • Yes and I used the same an in the description, Yes but I used my own steps. (If so, please add them in a new comment)
    • 0
    • Future
    • None



      When using implied consent and the device code grant flow, if the access_token request (which includes the device code) is performed before the user has completed verification of the user code, the end user will see the error 'The code you entered cannot be found'.

      Reproduction steps:

      1. Basic setup, AM embedded config and user store.
      2. In top level realm, create OAuth2Provider service
      3. Enable "Allow clients to skip consent" in OAuth2 Provider
      4. Create OAuth2 client, testoauth , secret of password, scopes profile and openid. Added Device code grant type and enabled Implied Consent. Change token endpoint authentication method to client_secret_post
      5. Get device and user  code: curl -k -X POST --header "Content-Type: application/x-www-form-urlencoded" --header "Accept: application/json" --data-urlencode "response_type=device_code" --data-urlencode "client_id=testoauth" --data-urlencode "scope=profile" 'https://openam.amtest2.com:8443/access/oauth2/device/code'. An example response is {"user_code":"nnzZXqsb","device_code":"eyJ0...FQ","interval":5,"verification_uri":"https://openam.amtest2.com:8443/access/oauth2/device/user","expires_in":300,"verification_url":"https://openam.amtest2.com:8443/access/oauth2/device/user"}
      6. Use code in the browser: Use above verification uri then paste in user_code from above., e.g https://openam.amtest2.com:8443/access/oauth2/device/user. 
      7. Pause on login screen. Do not enter user credentials.
      8. Request access token (using device_code from step 5 above response above):  curl -k --location -X POST --header "Content-Type: application/x-www-form-urlencoded" --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" --data-urlencode "client_id=testoauth" --data-urlencode "client_secret=password" --data-urlencode "device_code=eyJ0...FQ" 'https://openam.amtest2.com:8443/access/oauth2/access_token". This responds with {"error":"server_error"}.
      9. Now complete the login as the end user, and then click confirm when the user code confirmation page is displayed.

      Expected behaviour:

      User code verification is successful and a subsequent access_token request returns an access_token.

      Current behaviour:

      The user code verification at step 9 fails with 'The code you entered cannot be found'.  Performing a subsequent access_token request (step 8) results in 

      {"error_description":"The request contains a token no longer valid.","error":"expired_token"}



        Issue Links



              lawrence.yarham Lawrence Yarham
              lawrence.yarham Lawrence Yarham
              0 Vote for this issue
              3 Start watching this issue