
OIDC token : missing user info attributes

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.1.0
    • Fix Version/s: 7.1.0
    • Component/s: None
    • Environment:
      OS : Linux
      AM container : Tomcat 9.0.34
      jdk : openjdk 11.0.8
      OpenAM: 7.1.0-SNAPSHOT ef47050efe7

      Description

      As discussed here: https://forgerock.slack.com/archives/CHD58QG6A/p1606387539303000
      one of the following commits generated a regression in the OIDC token content:

      47bccdccd1b	Revert "OPENAM-17072 Fix eval() method in Amster"
      c643b3c2491	Revert "OPENAM-17072 Move addEval closure to method"
      3b03ffdc39c	AME-19298 Create annotation based config for Radius Server service
      266ee767420	AME-20141 Token exchange id_token support
      080e1c17c71	OPENAM-17086
      

      Test scenario & symptoms:

      The test is using tokens with the following properties:

      • accessTokenLifetime=3,
      • refreshTokenLifetime=60,

      Scenario:

      1. the user gets a couple of tokens successfully, accessing a resource through IG
      2. the user waits for around 5 seconds, so that the access token is no longer valid but the refresh_token is still valid
      3. the user wants to access the resource through IG again, providing both tokens

      While checking the content of the access_token, the test spotted the following regression:

      Before the regression (using AM-7.1.0-SNAPSHOT 1c0b2013980), the returned OIDC token was something like (look at "user_info"):

      {
          "access_token": "L6FR5-javY1sHh4FMh4I2uG-SWs",
          "refresh_token": "46ZT88rD0xCra8tSfteRXN8yzSk",
          "scope": [
              "openid",
              "profile",
              "isMemberOf",
              "api_access"
          ],
          "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ....zJrAOYsMkhyRjL5EKS34TLj6Bpwxl3dFMlBl2UpPYHFNvEAcmkK79nBSjvAItLOzoB36Rw1605zhhcVnidh6m5mLauRonAxt3Sq6d9oldh5OMk_kM9jBbpZ8p5hpzU8Jr2TAasE_gxij0nWKUutEyx0Q88bOSG5UkA63cSW8IMM0aEOfXHhQ2fnapayWamri422GXrNW1i0ToKbwe0ioj8R5bY5Z1vqNHCvJqOUpeyykrJd-b1ziI-8Um9V5R7GY3niD6MPcoa9RiSqSz5PDvdO8ctk0vTOtYewmkHjt_IHHhr6NyFoZuIS6066jMHHi6CH87DUzpZY8-Gdk62k7zQ",
          "token_type": "Bearer",
          "expires_in": 1,
          "client_registration": "client_for_openig933_oauth2",
          "client_endpoint": "http://openig.example.com:8084/openig933_oauth2",
          "id_token_claims": {
              "at_hash": "ki45r7OmnZs-Oq-wNOROcw",
              "sub": "bonnie",
              "auditTrackingId": "0db80b3e-1a7d-4dbb-bd50-edc1a60c9c0a-4088",
              "iss": "http://openam.example.com:8086/openam/oauth2/filters_realm",
              "tokenName": "id_token",
              "aud": [
                  "client_for_openig933_oauth2"
              ],
              "acr": "0",
              "org.forgerock.openidconnect.ops": "1MKyh_-G35mUAO9-n1ciz0DrPjg",
              "azp": "client_for_openig933_oauth2",
              "auth_time": 1606724598,
              "realm": "/filters_realm",
              "exp": "2020-11-30T09:23:26+0000",
              "tokenType": "JWTToken",
              "iat": "2020-11-30T08:23:26+0000"
          },
          "user_info": {
              "family_name": "bonnie",
              "name": "bonnie",
              "sub": "bonnie"
          }
      }
      

      After the regression (using AM-7.1.0-SNAPSHOT 47bccdccd1b), the returned OIDC token is something like (look at "user_info"):

      {
          "access_token": "Ds5rzXEQ84jqLkQlarUuIn-NqIQ",
          "refresh_token": "kzbm-AAHF5iKDUYuG3Jw4C_dEUk",
          "scope": [
              "openid",
              "profile",
              "isMemberOf",
              "api_access"
          ],
          "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ....zpMNaq6tksS2hSlF8TU9hvdTrZxqC76q0cWwedWlxnY_kBT2GjIaeORN2QHxuBDQmwHhoeS70v6FpjC-0F5aN5VDRhSSTKJ2AnTbJGZRmUTGqqiiSr01BtqgpCGyWZxpu3VGAbMphM9H4A1-lK2Pu7RPwCCSqV9E0CcQA1PcjQrlgfpsl0MT_BsOh6FX3JLLmLA3HFNxa6cqOc7t8o1PXXZ-9Gv7p-vDToDb4Ge0ZXgvAm7EqVit57NtnpY3yTtWJKiDfTK37Sh7yvr22Ge5hEKNHIaPDzQwpJHaAsLH22ZxnUKRfUnM_wKVFtPSFvvSIqYwrn29NSWketa_Fq3iiA",
          "token_type": "Bearer",
          "expires_in": 1,
          "client_registration": "client_for_openig933_oauth2",
          "client_endpoint": "http://openig.example.com:8084/openig933_oauth2",
          "id_token_claims": {
              "at_hash": "QZwHuD7sCeMnvsc1h3iudA",
              "sub": "bonnie",
              "auditTrackingId": "ba2700b4-1a7c-45f8-b9f9-75d96a01cb8e-3641",
              "iss": "http://openam.example.com:8086/openam/oauth2/filters_realm",
              "tokenName": "id_token",
              "aud": [
                  "client_for_openig933_oauth2"
              ],
              "acr": "0",
              "org.forgerock.openidconnect.ops": "FZv5qFg5Ys6RmP7YA7-JRIV1HaQ",
              "azp": "client_for_openig933_oauth2",
              "auth_time": 1606724083,
              "realm": "/filters_realm",
              "exp": "2020-11-30T09:14:50+0000",
              "tokenType": "JWTToken",
              "iat": "2020-11-30T08:14:50+0000"
          },
          "user_info": {
              "sub": "bonnie"
          }
      }
      

      Steps to reproduce with PyForge:

      • git pull PyForge
      • ./cleanup.py -f
      • ./configure.py
      • make sure your /etc/hosts is properly configured for IG functional tests (cf. hosts on docker: https://pyforge.engineering.forgerock.com/docs/getting-started#prepare-docker-on-your-machine)
      • in config.cfg, update the IG section with WEBCONTAINER_TYPE=standalone
      • launch the following command (on Linux/Mac), in the PyForge root directory:
        ./run-pybot.py -s Filters/OAuth2ClientFilter/RefreshTokenUseCases/OPENIG-933/ -t Refresh_Openidconnect_Token_Using_Oauth2ResourceServer_Filter_Should_Succeed -n ig
        Servers are then available for checks... (NB: the test may have been modified to expect the current error)
      • ./cleanup.py -f
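      The following is an added example, not part of this issue and not OpenAM or PyForge code, showing how a functional test could catch the user_info regression described above without eyeballing the two JSON responses. The BEFORE and AFTER dictionaries are constructed from the two responses quoted in the description, abridged to the fields the checks need; the id_token header segment is the one quoted in the responses, with a dummy payload and signature. The example goes beyond the two-build diff in the description: it also flags a single response whose user_info carries no profile claims although the "profile" scope was granted, and checks that the user_info sub matches the ID token sub as OIDC Core 1.0 section 5.3.2 requires. PROFILE_CLAIMS is the claim list OIDC Core 1.0 section 5.4 associates with the profile scope, not something AM is documented to return in full.

```python
"""Checks for the user_info regression described in OPENAM-17126.

Added example; not OpenAM or PyForge code. Sample data is constructed
from the responses quoted in the issue, abridged to what the checks use.
"""
import base64
import json
from typing import List

# Claims OIDC Core 1.0 section 5.4 associates with the "profile" scope.
PROFILE_CLAIMS = {
    "name", "family_name", "given_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "gender",
    "birthdate", "zoneinfo", "locale", "updated_at",
}

ISSUER = "http://openam.example.com:8086/openam/oauth2/filters_realm"
CLIENT = "client_for_openig933_oauth2"

# Constructed: abridged "before" response (build 1c0b2013980).
BEFORE = {
    "scope": ["openid", "profile", "isMemberOf", "api_access"],
    "id_token_claims": {"sub": "bonnie", "iss": ISSUER, "aud": [CLIENT]},
    "user_info": {"family_name": "bonnie", "name": "bonnie", "sub": "bonnie"},
}

# Constructed: abridged "after" response (build 47bccdccd1b).
AFTER = {
    "scope": ["openid", "profile", "isMemberOf", "api_access"],
    "id_token_claims": {"sub": "bonnie", "iss": ISSUER, "aud": [CLIENT]},
    "user_info": {"sub": "bonnie"},
}

# Header segment quoted in the issue; payload "{}" and a dummy signature (constructed).
SAMPLE_ID_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ"
    ".e30.c2ln"
)


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT.

    This is unverified data: use it only to select the key (kid/alg) before
    verifying the signature, never to trust anything in the payload.
    """
    return json.loads(b64url_decode(token.split(".")[0]))


def lost_user_info_claims(baseline: dict, candidate: dict) -> List[str]:
    """Claims the baseline user_info carried that the candidate dropped.

    This is the two-build comparison the issue makes by hand. It only makes
    sense when both responses were granted the same scopes, so refuse otherwise.
    """
    if set(baseline["scope"]) != set(candidate["scope"]):
        raise ValueError("granted scopes differ, user_info is not comparable")
    return sorted(set(baseline["user_info"]) - set(candidate["user_info"]))


def problems(response: dict) -> List[str]:
    """Checks that need only one response, for a test without a known-good baseline."""
    found = []
    user_info = response["user_info"]
    id_claims = response["id_token_claims"]
    # OIDC Core 1.0 section 5.3.2: userinfo sub MUST exactly match the ID token sub.
    if user_info.get("sub") != id_claims.get("sub"):
        found.append("user_info sub does not match id_token sub")
    # A granted "profile" scope with no profile claim at all is the symptom reported here.
    if "profile" in response["scope"] and not PROFILE_CLAIMS & set(user_info):
        found.append("profile scope granted but user_info carries no profile claims")
    return found


if __name__ == "__main__":
    print("claims lost between builds:", lost_user_info_claims(BEFORE, AFTER))
    print("before:", problems(BEFORE) or "ok")
    print("after:", problems(AFTER) or "ok")
    print("id_token header:", jwt_header(SAMPLE_ID_TOKEN))
```

      In a PyForge-style test the two dictionaries would be the parsed token responses from the resource server filter; the single-response checks are the ones worth keeping in the suite, since they fail on the regressed build alone without needing a captured response from an earlier build.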

      People

      • Assignee: Phill Cunnington (phillcunnington)
      • Reporter: Jean-Charles Deville (jcdevil)