OpenAM / OPENAM-17262

Subname claim inconsistencies

    Description

      Bug description

      The new "subname" claim is added on all access and ID tokens after the change on OPENAM-14402, but introspecting tokens shows inconsistent values.

      • Introspecting access tokens shows output as expected from the Jira (sub with the new format, subname with the username/client name)
      • The userinfo output for the subname is the universal ID of the identity/client, instead of just the username/client name. This may not be due to this change though? But it is not what's documented at the moment.
      • The idtokeninfo output is missing the subname claim

       By the way, the subname claim shows up in access tokens regardless of the value of the advanced server property, which I'm not sure is intended.

      Edit: Fresh install, I get these:

      c.s.i.c.c.ServerPropertyValidator: 2021-01-08 16:05:34,915: Thread[http-nio-8080-exec-6]: TransactionId[ef014da1-fec3-4fa2-8c86-7f915939371e-18791]
      ERROR: Invalid server property org.forgerock.services.openid.request.object.lifespan
      com.sun.identity.common.configuration.UnknownPropertyNameException: Unidentified property, org.forgerock.services.openid.request.object.lifespan.
      ....
      .....
      [CONTINUED]com.sun.identity.common.configuration.UnknownPropertyNameException: Unidentified property, org.forgerock.security.oauth2.enforce.sub.claim.uniqueness.
      ...
      ... 

      Edit: Actually, the ID token itself doesn't seem to have the subname claim on it... This is a client-based ID token read using the jwt.io website:

      {
        "at_hash": "G9-1ZSSCZOwhk4k78d7xvQ",
        "sub": "(usr!ForgerockDemo)",
        "auditTrackingId": "7704200b-a00a-43d9-b2a0-0be9f88659e1-28564",
        "iss": "http://openam.example.com:8080/openam/oauth2/mySubRealm",
        "tokenName": "id_token",
        "nonce": "123abc",
        "aud": "forgerockDemoPublicClient",
        "acr": "0",
        "org.forgerock.openidconnect.ops": "uo-bFToVH4sqofuMMZY7ku_LOkA",
        "s_hash": "bKE9UspwyIPg8LsQHkJaiQ",
        "azp": "forgerockDemoPublicClient",
        "auth_time": 1609939279,
        "realm": "/mySubRealm",
        "exp": 1609943123,
        "tokenType": "JWTToken",
        "iat": 1609939523
      }

       So I'm no longer sure the claim should be on ID tokens. Yet, why not?

      How to reproduce the issue

      (Tested with 5th Jan nightly/23 Feb nightly)

      1. Get an access and an ID token.

      2. Ask for claims using the userinfo endpoint (a), and introspect the ID token (b):

      Expected behaviour

      (a)

      curl --request GET --header "Authorization: Bearer p51ywE61UMldeAjSCaGjY_uSqmE" http://openam.example.com:8080/openam/oauth2/realms/mySubRealm/userinfo

      {
        "sub": "(age!forgerockDemoConfidentialClient)",
        "subname": "forgerockDemoConfidentialClient"
      }

      (b)

      curl --request POST \
      --data 'id_token=eyJ0e....' \
      --data 'client_id=forgerockDemoPublicClient' \
      'http://openam.example.com:8080/openam/oauth2/realms/mySubRealm/idtokeninfo'

      {
        "at_hash": "B5KYCxbirxBHgOYfJZYYJA",
        "sub": "(usr!ForgerockDemo)",
        "subname": "ForgerockDemo",
        ...
      }

      Current behaviour

      (a)

      curl --request GET --header "Authorization: Bearer p51ywE61UMldeAjSCaGjY_uSqmE" http://openam.example.com:8080/openam/oauth2/realms/mySubRealm/userinfo

      {
        "sub": "(age!forgerockDemoConfidentialClient)",
        "subname": "id=forgerockDemoConfidentialClient,ou=agent,o=mySubRealm,ou=services,dc=openam,dc=forgerock,dc=org"
      }

      (b)

      curl --request POST \
      --data 'id_token=eyJ0e....' \
      --data 'client_id=forgerockDemoPublicClient' \
      'http://openam.example.com:8080/openam/oauth2/realms/mySubRealm/idtokeninfo'

      {
        "at_hash": "B5KYCxbirxBHgOYfJZYYJA",
        "sub": "(usr!ForgerockDemo)",
        ... (no subname claim)
      }
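
      As an added example (not code from this issue or from OpenAM itself), the following Python script performs the three checks from the reproduction steps offline: it decodes the ID token's claims without verifying the signature, the way reading the token on jwt.io does, and compares sub against subname in the ID token, the userinfo response and the idtokeninfo response, flagging a subname that is missing or that carries the universal ID (a DN) instead of the plain name. The sample responses embedded in it are constructed from the values quoted above, not captured from a server, and the "(kind!name)" parsing of the new-format sub is an assumption drawn from the examples on this page rather than from any OpenAM specification.

```python
import base64
import json
import re

# Assumed shape of the new-format sub claim (OPENAM-14402), inferred from the
# examples on this page: "(usr!ForgerockDemo)", "(age!forgerockDemoConfidentialClient)".
SUB_RE = re.compile(r"^\((?P<kind>[a-z]+)!(?P<name>[^)]+)\)$")
# A universal ID / LDAP DN rather than a plain name: "id=...,ou=...,dc=..."
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)+$")


def parse_sub(sub):
    """Split a new-format sub into (kind, name); None if it is not in that format."""
    if not isinstance(sub, str):
        return None
    m = SUB_RE.match(sub)
    return (m.group("kind"), m.group("name")) if m else None


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token):
    """Return the claims of a compact JWS *without* checking its signature.

    This is a claim-inspection helper (what reading the token on jwt.io does);
    it must never be used to decide whether a token is trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_subname(source, claims):
    """Findings for one claims document; an empty list means sub and subname agree."""
    parsed = parse_sub(claims.get("sub"))
    if parsed is None:
        return [f"{source}: sub {claims.get('sub')!r} is not in the (kind!name) format"]
    _, name = parsed
    subname = claims.get("subname")
    if subname is None:
        return [f"{source}: subname claim missing (expected {name!r})"]
    if subname == name:
        return []
    if DN_RE.match(subname):
        return [f"{source}: subname is a universal ID ({subname!r}), not the plain name {name!r}"]
    return [f"{source}: subname {subname!r} does not match the name in sub ({name!r})"]


def unsigned_jwt(payload):
    """Build an alg=none compact JWS for offline testing (constructed, not issued by OpenAM)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed sample inputs mirroring the "current behaviour" in the report.
ID_TOKEN = unsigned_jwt({
    "sub": "(usr!ForgerockDemo)",
    "iss": "http://openam.example.com:8080/openam/oauth2/mySubRealm",
    "aud": "forgerockDemoPublicClient",
    "tokenName": "id_token",
    "realm": "/mySubRealm",
})
USERINFO_RESPONSE = {
    "sub": "(age!forgerockDemoConfidentialClient)",
    "subname": "id=forgerockDemoConfidentialClient,ou=agent,o=mySubRealm,"
               "ou=services,dc=openam,dc=forgerock,dc=org",
}
IDTOKENINFO_RESPONSE = {
    "at_hash": "B5KYCxbirxBHgOYfJZYYJA",
    "sub": "(usr!ForgerockDemo)",
}


def run_checks(id_token=ID_TOKEN, userinfo=USERINFO_RESPONSE, idtokeninfo=IDTOKENINFO_RESPONSE):
    """Run the three checks from the reproduction steps and return every finding."""
    findings = []
    findings += check_subname("id_token", jwt_claims(id_token))
    findings += check_subname("userinfo", userinfo)
    findings += check_subname("idtokeninfo", idtokeninfo)
    return findings


if __name__ == "__main__":
    for line in run_checks() or ["all sources agree on subname"]:
        print(line)
```

      To run it against a real deployment, pass the id_token from the token response and the parsed JSON bodies of the two curl calls above to run_checks(); an empty result means all three sources agree with the expected behaviour.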
People

  jay.bowers Jay Bowers
  cristina.herraz Cristina Herraz (Inactive)