OpenAM / OPENAM-17592

Document changes re non-confidential clients and valid signing and encryption algorithms


    Description

      Background

      OPENAM-13575 added validation for signing and encryption algorithms. Values saved using the admin console (OAuth2 Client signing and encryption page) and via REST are rejected with a Bad Request response and an additional message in the following scenarios:

      • If an unrecognised (or not supported by AM) signing or encryption algorithm is specified for any of the following:
        • ID Token encryption algorithm
        • Request Parameter encryption algorithm
        • User Info encrypted response algorithm
        • Token Introspection encrypted response algorithm
        • ID Token signing algorithm
        • User Info signed response algorithm
        • Request Parameter signed algorithm
        • Token Introspection signed response algorithm
      • If a symmetric signing or encryption algorithm is specified for any of the above when the client type is set to Public.

      Examples of error messages seen for the first scenario are:

      • Unknown encryption algorithm configured for User info encrypted response algorithm
      • Unknown/invalid signing algorithm configured for ID Token Signing Algorithm

      Examples for the second scenario are:

      • Symmetric encryption algorithm configured for ID Token Encryption Algorithm is not allowed for a public client
      • Symmetric signing algorithm configured for Token Endpoint Authentication Signing Algorithm is not allowed for a public client

      Similar error messages are also logged at ERROR level and include the client id that the error relates to.

      Description

      Is it possible to add a note or description of the above to the OAuth2 Client signing and encryption configuration documentation, please?

      Please note that for 6.5.x and 6.0.x versions, the list of properties excludes the Token Introspection signing and encryption properties above.
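The following is an added example, not OpenAM code, that models the two checks the ticket describes so the documented behaviour can be tried against a sample client configuration. The reason for the second rule is that a public client has no client secret, and the symmetric JWS/JWE algorithms derive their key from that secret, so there is no key either side could use. The algorithm names are the JWA (RFC 7518) registered identifiers; which of them AM actually supports is an assumption of this example, as is the `token_introspection` switch used to model the 6.5.x/6.0.x property list:

```python
"""
Added example (not OpenAM code): a stand-alone model of the checks that
OPENAM-13575 applies to an OAuth2 client's signing/encryption settings.
Which algorithms OpenAM recognises is an assumption here; the sets below
are the JWA (RFC 7518) registered names.
"""
import logging

log = logging.getLogger("oauth2.client.validation")

# JWS algorithms: the HS* family keys off a shared secret (symmetric).
ASYMMETRIC_SIGNING = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                      "PS256", "PS384", "PS512"}
SYMMETRIC_SIGNING = {"HS256", "HS384", "HS512"}

# JWE key-management algorithms: "dir" and the AES key-wrap families need a
# shared key (symmetric); the RSA/ECDH ones use the client's public key.
ASYMMETRIC_ENCRYPTION = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "ECDH-ES",
                         "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"}
SYMMETRIC_ENCRYPTION = {"dir", "A128KW", "A192KW", "A256KW",
                        "A128GCMKW", "A192GCMKW", "A256GCMKW"}

# Property display names as listed in the ticket, grouped by what they configure.
ENCRYPTION_PROPERTIES = [
    "ID Token encryption algorithm",
    "Request Parameter encryption algorithm",
    "User Info encrypted response algorithm",
    "Token Introspection encrypted response algorithm",
]
SIGNING_PROPERTIES = [
    "ID Token signing algorithm",
    "User Info signed response algorithm",
    "Request Parameter signed algorithm",
    "Token Introspection signed response algorithm",
]


def validate_client(client_id, client_type, settings, token_introspection=True):
    """Return the list of validation errors for one client's settings.

    client_type is "Public" or "Confidential"; settings maps a property
    display name to the configured algorithm (missing or empty = unset).
    token_introspection=False drops the Token Introspection properties,
    which the ticket notes are absent in the 6.5.x and 6.0.x versions
    (hypothetical switch, not an OpenAM option).
    """
    is_public = client_type.lower() == "public"
    errors = []

    def check(names, known_asym, known_sym, kind, unknown_msg):
        for name in names:
            if not token_introspection and name.startswith("Token Introspection"):
                continue
            alg = settings.get(name)
            if not alg:
                continue  # unset properties are not validated
            if alg in known_sym:
                if is_public:
                    errors.append(f"Symmetric {kind} algorithm configured for "
                                  f"{name} is not allowed for a public client")
            elif alg not in known_asym:
                errors.append(f"{unknown_msg} configured for {name}")

    check(ENCRYPTION_PROPERTIES, ASYMMETRIC_ENCRYPTION, SYMMETRIC_ENCRYPTION,
          "encryption", "Unknown encryption algorithm")
    check(SIGNING_PROPERTIES, ASYMMETRIC_SIGNING, SYMMETRIC_SIGNING,
          "signing", "Unknown/invalid signing algorithm")

    # As in the ticket, each rejection is also logged at ERROR with the client id.
    for msg in errors:
        log.error("client_id=%s: %s", client_id, msg)
    return errors


if __name__ == "__main__":
    # Constructed sample configuration for a public client.
    sample = {
        "ID Token signing algorithm": "HS256",           # symmetric: rejected
        "User Info encrypted response algorithm": "XYZ", # unknown: rejected
        "ID Token encryption algorithm": "RSA-OAEP-256", # asymmetric: accepted
    }
    for problem in validate_client("demo-public-client", "Public", sample):
        print(problem)
```

Running the module prints the two rejection messages in the ticket's wording for the constructed public client; switching the client type to Confidential keeps only the unknown-algorithm error, since HS256 is valid for a client that holds a secret.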

      People

        cristina.herraz Cristina Herraz [X] (Inactive)
        lawrence.yarham Lawrence Yarham