OPENAM-17322

SAML2 bearer grant returns NoUserExistsException


Details

    • AM Sustaining Sprint 83, AM Sustaining Sprint 84
    • 3
    • No
    • Yes and I used the same as in the description, Yes but I used my own steps. (If so, please add them in a new comment)
    • 0
    • Future
    • None

    Description

      Bug description

      When following https://backstage.forgerock.com/docs/am/7/oauth2-guide/oauth2-saml2-bearer-grant.html#oauth2-saml2-bearer-grant the following error is returned:

      {
        "error_description": "Not able to read user information.",
        "error": "unauthorized_client"
      }

      instead of an access token.

      How to reproduce the issue

      1. Configure federation - enable assertion signing on the remote and hosted SP.
      2. Verify federation works - http://idp.localtest.me:8080/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=oam_sp
      3. Do the next steps on the SP.
      4. Add the OAuth2Provider service.
      5. Create an OAuth2 client:
        name = ClientID
        password = password
        scope = openid profile
        default scope = openid
        add SAML2 to grant types
        change authentication type to POST
      6. Turn on debug=message.
      7. Do idpSSOInit - http://idp.localtest.me:8080/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=oam_sp
      8. Look into the debug log and take the SAML assertion from there.
      9. Run curl to get the OAuth2 token.

      curl code:

      # HOST, URL, ASSERTION_FILE, USER and PASS are set in the environment beforehand.
      curl \
        --request POST \
        --header "Host: ${HOST}" \
        --header "Content-Type: application/x-www-form-urlencoded" \
        --data "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer" \
        --data-urlencode "assertion=$(base64 --wrap=0 "${ASSERTION_FILE}")" \
        --data "client_id=${USER}" \
        --data "client_secret=${PASS}" \
        "${URL}/openam/oauth2/access_token"


      SAML assertion example:

      <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s230a9b5457cd9684d7796638592d0f4329c24e81f" IssueInstant="2020-06-09T08:15:22Z" Version="2.0">
      <saml:Issuer>idp.localtest.me</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#s230a9b5457cd9684d7796638592d0f4329c24e81f"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>vq9oBLKutlY38qWnjk6KP4Xu3xHLOMXFhlBXLLsFabc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ft8Wbzxp4RNLCmaCXLraOyKydqwwtUUjijTKkiMMJveERttL19tGdhY2Hsmx/VUowTycBfxWMbx5wJsn+eoQb/l4nR+jfOM/dmMoKFH4P+wevNiTwXkL4wCuVb6de9HjgSRa4AMCK7Vwl2c7VFOOM7pSvE4D2H4Cq3ahXJukAdT3Poco+/jsqNSKh4x7FCGxvb0BJ8ARfIYZRc/lo30rUCn7ocX0BlyaQfNRCBJrZJ4c89YAmyla5zAokN3xZXY+SMZ8guYeq5mx1WY36QcyM9V34yIJ3TJgT0Yfc8tjlFFlyRBsFM91iISrg4ymTTgMUpoJS0yG4Vtdr2BdrzLyyQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="idp.localtest.me" SPNameQualifier="oam_sp">m6HLcGOISvhpXMWOKVk8Oqf85oIb</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2020-06-09T08:25:23Z" Recipient="http://sp.example.com:8081/openam/Consumer/metaAlias/sp"/></saml:SubjectConfirmation>
      </saml:Subject><saml:Conditions NotBefore="2020-06-09T08:05:23Z" NotOnOrAfter="2020-06-09T08:25:23Z">
      <saml:AudienceRestriction>
      <saml:Audience>oam_sp</saml:Audience>
      </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2020-06-09T08:15:22Z" SessionIndex="s2f1ca8c76d42dd656e98ef3c8d6f95a2b07877101"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">demo</saml:AttributeValue></saml:Attribute><saml:Attribute Name="cn"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">demo</saml:AttributeValue></saml:Attribute><saml:Attribute Name="userName"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">demo</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
      
      Expected behaviour
      An access token is issued.

      Current behaviour
      An error is returned and there is a stack trace in the AM debug log:
      
      Caused by: org.forgerock.oauth2.core.exceptions.NoUserExistsException: Not able to read user information.
              at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerIdentity(IdentityManager.java:154)
              at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerOrClientIdentity(IdentityManager.java:94)
              at org.forgerock.openam.oauth2.OpenAMScopeValidator.getUsersIdentity(OpenAMScopeValidator.java:353)
              at org.forgerock.openam.oauth2.OpenAMScopeValidator.initScriptBindings(OpenAMScopeValidator.java:331)
              at org.forgerock.openam.oauth2.OpenAMScopeValidator.modifyAccessToken(OpenAMScopeValidator.java:311)
              at org.forgerock.oauth2.core.RealmOAuth2ProviderSettings.modifyAccessToken(RealmOAuth2ProviderSettings.java:1293)
              at org.forgerock.openam.oauth2.token.OpenAMTokenStore.saveNewAccessToken(OpenAMTokenStore.java:123)
              at org.forgerock.openam.oauth2.saml2.core.Saml2GrantTypeHandler.handle(Saml2GrantTypeHandler.java:145)
      
      
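As an added example that is not part of this issue or of AM's own code, the following Python performs the bearer, validity and audience checks an SP applies to a saml2-bearer assertion before the resource-owner lookup that fails in the stack trace above, extracts the NameID and attributes the SP must map to a local account, and builds the form body the curl command posts. The sample assertion is constructed and unsigned; signature verification is assumed to happen separately.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed, unsigned sample with the same shape as the assertion in the report.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0" IssueInstant="2020-06-09T08:15:22Z">
<saml:Issuer>idp.localtest.me</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="oam_sp">abc123</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2020-06-09T08:25:23Z" Recipient="http://sp.example.com:8081/openam/Consumer/metaAlias/sp"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2020-06-09T08:05:23Z" NotOnOrAfter="2020-06-09T08:25:23Z"><saml:AudienceRestriction><saml:Audience>oam_sp</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="uid"><saml:AttributeValue>demo</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def parse_ts(s):
    """SAML timestamps are UTC, e.g. 2020-06-09T08:25:23Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inspect_assertion(xml_text, now, audience):
    """Return (subject, problems): the subject the SP must map to a local account
    (the lookup raising NoUserExistsException above) and the checks made before it."""
    root = ET.fromstring(xml_text)
    problems = []
    conf = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        problems.append("SubjectConfirmation method is not bearer")
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_ts(nb):
            problems.append("assertion not yet valid")
        if noa and now >= parse_ts(noa):
            problems.append("assertion expired")
        auds = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in auds:
            problems.append("audience %r not in %r" % (audience, auds))
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iter("{%s}Attribute" % NS["saml"])}
    return {"name_id": getattr(name_id, "text", None), "attributes": attrs}, problems

def build_token_request(xml_text, client_id, client_secret):
    """Header and form body for the access_token POST (base64 like the report's curl)."""
    body = urlencode({"grant_type": GRANT,
                      "assertion": base64.b64encode(xml_text.encode()).decode(),
                      "client_id": client_id, "client_secret": client_secret})
    return {"Content-Type": "application/x-www-form-urlencoded"}, body
```

If `problems` is empty and the returned NameID or attributes still do not resolve to an account in the SP's identity store, that is the condition the report's "Not able to read user information" error describes.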

      Workaround

      This works properly with AM 6.5.1 patched with OPENAM-16021.

      People

        lawrence.yarham Lawrence Yarham
        lubomir.mlich Ľubomír Mlích