As discussed here: https://forgerock.slack.com/archives/CHD58QG6A/p1606387539303000
one of the following commits introduced a regression in the OIDC token response content:
- 47bccdccd1b Revert "OPENAM-17072 Fix eval() method in Amster"
- c643b3c2491 Revert "OPENAM-17072 Move addEval closure to method"
- 3b03ffdc39c AME-19298 Create annotation based config for Radius Server service
- 266ee767420 AME-20141 Token exchange id_token support
- 080e1c17c71 OPENAM-17086
Test scenario & symptoms:
The test uses tokens with the following properties:
- accessTokenLifetime=3
- refreshTokenLifetime=60
Scenario:
- the user obtains a pair of tokens successfully, accessing a resource through IG
- the user waits around 5 seconds, so that the access token is no longer valid but the refresh_token is still valid
- the user accesses the resource through IG again, providing both tokens
While checking the content of the access_token, the test spotted the following regression:
Before the regression (using AM-7.1.0-SNAPSHOT 1c0b2013980), the returned OIDC token response was something like this (look at "user_info"):
{
  "access_token": "L6FR5-javY1sHh4FMh4I2uG-SWs",
  "refresh_token": "46ZT88rD0xCra8tSfteRXN8yzSk",
  "scope": [ "openid", "profile", "isMemberOf", "api_access" ],
  "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.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.zJrAOYsMkhyRjL5EKS34TLj6Bpwxl3dFMlBl2UpPYHFNvEAcmkK79nBSjvAItLOzoB36Rw1605zhhcVnidh6m5mLauRonAxt3Sq6d9oldh5OMk_kM9jBbpZ8p5hpzU8Jr2TAasE_gxij0nWKUutEyx0Q88bOSG5UkA63cSW8IMM0aEOfXHhQ2fnapayWamri422GXrNW1i0ToKbwe0ioj8R5bY5Z1vqNHCvJqOUpeyykrJd-b1ziI-8Um9V5R7GY3niD6MPcoa9RiSqSz5PDvdO8ctk0vTOtYewmkHjt_IHHhr6NyFoZuIS6066jMHHi6CH87DUzpZY8-Gdk62k7zQ",
  "token_type": "Bearer",
  "expires_in": 1,
  "client_registration": "client_for_openig933_oauth2",
  "client_endpoint": "http://openig.example.com:8084/openig933_oauth2",
  "id_token_claims": {
    "at_hash": "ki45r7OmnZs-Oq-wNOROcw",
    "sub": "bonnie",
    "auditTrackingId": "0db80b3e-1a7d-4dbb-bd50-edc1a60c9c0a-4088",
    "iss": "http://openam.example.com:8086/openam/oauth2/filters_realm",
    "tokenName": "id_token",
    "aud": [ "client_for_openig933_oauth2" ],
    "acr": "0",
    "org.forgerock.openidconnect.ops": "1MKyh_-G35mUAO9-n1ciz0DrPjg",
    "azp": "client_for_openig933_oauth2",
    "auth_time": 1606724598,
    "realm": "/filters_realm",
    "exp": "2020-11-30T09:23:26+0000",
    "tokenType": "JWTToken",
    "iat": "2020-11-30T08:23:26+0000"
  },
  "user_info": {
    "family_name": "bonnie",
    "name": "bonnie",
    "sub": "bonnie"
  }
}
After the regression (using AM-7.1.0-SNAPSHOT 47bccdccd1b), the returned OIDC token response is something like this (look at "user_info"):
{
  "access_token": "Ds5rzXEQ84jqLkQlarUuIn-NqIQ",
  "refresh_token": "kzbm-AAHF5iKDUYuG3Jw4C_dEUk",
  "scope": [ "openid", "profile", "isMemberOf", "api_access" ],
  "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiUVp3SHVEN3NDZU1udnNjMWgzaXVkQSIsInN1YiI6ImJvbm5pZSIsImF1ZGl0VHJhY2tpbmdJZCI6ImJhMjcwMGI0LTFhN2MtNDVmOC1iOWY5LTc1ZDk2YTAxY2I4ZS0zNjQxIiwiaXNzIjoiaHR0cDovL29wZW5hbS5leGFtcGxlLmNvbTo4MDg2L29wZW5hbS9vYXV0aDIvZmlsdGVyc19yZWFsbSIsInRva2VuTmFtZSI6ImlkX3Rva2VuIiwiYXVkIjoiY2xpZW50X2Zvcl9vcGVuaWc5MzNfb2F1dGgyIiwiYWNyIjoiMCIsIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiJGWnY1cUZnNVlzNlJtUDdZQTctSlJJVjFIYVEiLCJhenAiOiJjbGllbnRfZm9yX29wZW5pZzkzM19vYXV0aDIiLCJhdXRoX3RpbWUiOjE2MDY3MjQwODMsInJlYWxtIjoiL2ZpbHRlcnNfcmVhbG0iLCJleHAiOjE2MDY3Mjc2OTAsInRva2VuVHlwZSI6IkpXVFRva2VuIiwiaWF0IjoxNjA2NzI0MDkwfQ.zpMNaq6tksS2hSlF8TU9hvdTrZxqC76q0cWwedWlxnY_kBT2GjIaeORN2QHxuBDQmwHhoeS70v6FpjC-0F5aN5VDRhSSTKJ2AnTbJGZRmUTGqqiiSr01BtqgpCGyWZxpu3VGAbMphM9H4A1-lK2Pu7RPwCCSqV9E0CcQA1PcjQrlgfpsl0MT_BsOh6FX3JLLmLA3HFNxa6cqOc7t8o1PXXZ-9Gv7p-vDToDb4Ge0ZXgvAm7EqVit57NtnpY3yTtWJKiDfTK37Sh7yvr22Ge5hEKNHIaPDzQwpJHaAsLH22ZxnUKRfUnM_wKVFtPSFvvSIqYwrn29NSWketa_Fq3iiA",
  "token_type": "Bearer",
  "expires_in": 1,
  "client_registration": "client_for_openig933_oauth2",
  "client_endpoint": "http://openig.example.com:8084/openig933_oauth2",
  "id_token_claims": {
    "at_hash": "QZwHuD7sCeMnvsc1h3iudA",
    "sub": "bonnie",
    "auditTrackingId": "ba2700b4-1a7c-45f8-b9f9-75d96a01cb8e-3641",
    "iss": "http://openam.example.com:8086/openam/oauth2/filters_realm",
    "tokenName": "id_token",
    "aud": [ "client_for_openig933_oauth2" ],
    "acr": "0",
    "org.forgerock.openidconnect.ops": "FZv5qFg5Ys6RmP7YA7-JRIV1HaQ",
    "azp": "client_for_openig933_oauth2",
    "auth_time": 1606724083,
    "realm": "/filters_realm",
    "exp": "2020-11-30T09:14:50+0000",
    "tokenType": "JWTToken",
    "iat": "2020-11-30T08:14:50+0000"
  },
  "user_info": {
    "sub": "bonnie"
  }
}
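To catch this kind of regression automatically rather than by eye, here is an added Python check (not part of PyForge, IG or the original report) that flags claims the granted scopes should have produced but that user_info lacks, and confirms the subject is consistent across the id_token payload, id_token_claims and user_info. The per-scope expected-claims mapping, the unsigned sample id_token and the trimmed sample responses are constructed assumptions modelled on the two responses above.

```python
import base64
import json

# Claims this test expects user_info to carry for each granted scope.
# Assumption: derived from the "before regression" response in this report,
# not from the full list of OIDC profile claims.
EXPECTED_CLAIMS_BY_SCOPE = {
    "openid": {"sub"},
    "profile": {"sub", "name", "family_name"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_payload(jwt: str) -> dict:
    """Decode the payload of a compact JWT for inspection only (no signature check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_user_info_claims(response: dict) -> set:
    """Claims implied by the granted scopes that are absent from user_info."""
    expected = set()
    for scope in response.get("scope", []):
        expected |= EXPECTED_CLAIMS_BY_SCOPE.get(scope, set())
    return expected - set(response.get("user_info", {}))

def subjects_consistent(response: dict) -> bool:
    """True when the id_token, id_token_claims and user_info agree on 'sub'."""
    sub = decode_jwt_payload(response["id_token"]).get("sub")
    return sub is not None and sub == response["id_token_claims"].get("sub") == response["user_info"].get("sub")

def sample_response(user_info: dict) -> dict:
    """Constructed, trimmed token response shaped like the ones in the report."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "bonnie", "realm": "/filters_realm"}).encode())
    return {
        "scope": ["openid", "profile", "isMemberOf", "api_access"],
        "id_token": f"{header}.{payload}.",  # unsigned sample token, empty signature segment
        "id_token_claims": {"sub": "bonnie"},
        "user_info": user_info,
    }

BEFORE = sample_response({"family_name": "bonnie", "name": "bonnie", "sub": "bonnie"})
AFTER = sample_response({"sub": "bonnie"})
```

Running `missing_user_info_claims` over the two samples returns an empty set for the pre-regression shape and {"name", "family_name"} for the post-regression one, which is exactly the difference the report describes.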
Steps to reproduce with PyForge:
- git pull PyForge
- ./cleanup.py -f
- ./configure.py
- make sure your /etc/hosts is properly configured for the IG functional tests (cf. hosts on docker: https://pyforge.engineering.forgerock.com/docs/getting-started#prepare-docker-on-your-machine)
- in config.cfg, update the IG section with WEBCONTAINER_TYPE=standalone
- launch the following command (on Linux/Mac), in the PyForge root directory:
./run-pybot.py -s Filters/OAuth2ClientFilter/RefreshTokenUseCases/OPENIG-933/ -t Refresh_Openidconnect_Token_Using_Oauth2ResourceServer_Filter_Should_Succeed -n ig
Servers are then available for checks... (NB: the test may have been modified to expect the current error)
- ./cleanup.py -f