OpenAM / OPENAM-17793

OIDC pairwise subject not working when multiple redirect URIs configured with the same hostname



    • AM Sustaining Sprint 85, AM Sustaining Sprint 86


      Bug description

      When using the pairwise subject type for OIDC and the client has multiple redirect_uri values with the same host, the authorization code flow throws an error and the debug logs show

      Must configure sector identifier uri when multiple redirect uris are specified.

      along with some confusing errors such as

      Caused by: org.forgerock.oath2.core.exceptions.InvalidClientException: Subject Identifier must not be null.
              at org.forgerock.openam.oauth2.token.OpenIdConnectTokenStore.createOpenIDToken(OpenIdConnectTokenStore.java:187)
              at org.forgerock.openidconnect.OpenIDTokenIssuer.lambda$issueToken$0(OpenIDTokenIssuer.java:75)
              at org.forgerock.util.LambdaExceptionUtils.lambda$rethrowSupplier$2(LambdaExceptionUtils.java:166)
              at org.forgerock.oauth2.core.StatefulAccessToken.lambda$toMap$3(StatefulAccessToken.java:424)
              at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
              at java.util.HashMap$EntrySpliterator.forEachRemaining(HashMap.java:1699)

      Topic: Specs violation.

      How to reproduce the issue

      1. Create an OAuth2 Provider and add "pairwise" to the Supported Subject types
      2. Otherwise create a standard client for the authorization code flow (and permit it)
      3. Add the scopes openid and profile
      4. Now set the client's Subject type to "Pairwise"
      5. Check that this works with the standard authorization code flow
      6. Extra setup depends on the custom scenario below

      Test 1:

      Test 2:

      According to https://openid.net/specs/openid-connect-core-1_0.html, Section 8.1,

      > If the Client has not provided a value for sector_identifier_uri in Dynamic Client Registration [OpenID.Registration], the Sector Identifier used for pairwise identifier calculation is the host component of the registered redirect_uri. If there are multiple hostnames in the registered redirect_uris, the Client MUST register a sector_identifier_uri.

      so multiple redirect URIs on the same host should pass.

      Expected behaviour
      Test 1: Fail
      Test 2: Pass

      Current behaviour
      Test 1: Pass
      Test 2: Fail
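As an added example (not OpenAM code), the Section 8.1 rule modelled in Python: the sector identifier check counts distinct hosts rather than redirect URIs, so a registration with several redirect URIs on one host is accepted and one spanning different hosts without a sector_identifier_uri is rejected. Host names, account id and salt are constructed; the pairwise derivation uses the spec's example SHA-256 algorithm.

```python
"""Sector Identifier selection and pairwise sub derivation as described in
OpenID Connect Core 1.0, Section 8.1 (added example, not OpenAM code)."""
import hashlib
from typing import Optional, Sequence
from urllib.parse import urlparse


class SectorIdentifierError(ValueError):
    """Client registration cannot yield a Sector Identifier."""


def needs_sector_identifier_uri(redirect_uris: Sequence[str]) -> bool:
    """True when the registered redirect_uris span more than one host.

    This is the host-count check the report describes as inverted: the
    spec only requires sector_identifier_uri for *different* hosts, so
    several redirect URIs on the same host must be accepted.
    """
    return len({urlparse(u).hostname for u in redirect_uris}) > 1


def sector_identifier(redirect_uris: Sequence[str],
                      sector_identifier_uri: Optional[str] = None) -> str:
    """Return the Sector Identifier used for the pairwise calculation.

    With sector_identifier_uri registered, it is that URI's host (fetching
    and validating the JSON document it points at is out of scope here);
    otherwise it is the single host shared by all redirect_uris.
    """
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname
    if not redirect_uris or any(urlparse(u).hostname is None for u in redirect_uris):
        raise SectorIdentifierError("redirect_uris must be absolute URIs with a host")
    if needs_sector_identifier_uri(redirect_uris):
        raise SectorIdentifierError(
            "Must configure sector identifier uri when redirect uris "
            "have multiple hostnames")
    return urlparse(redirect_uris[0]).hostname


def pairwise_sub(sector_id: str, local_account_id: str, salt: bytes) -> str:
    """Pairwise sub via the spec's example algorithm:
    SHA-256(sector_identifier || local_account_id || salt), hex-encoded."""
    data = sector_id.encode() + local_account_id.encode() + salt
    return hashlib.sha256(data).hexdigest()


# Constructed registrations: one host with two redirect URIs, and two hosts.
SAME_HOST = ["https://app.example.com/cb", "https://app.example.com/alt"]
MIXED_HOSTS = ["https://app.example.com/cb", "https://other.example.org/cb"]
SALT = b"constructed-provider-salt"  # per-OP secret salt, constructed here
```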

      Workaround

      The whole host-detection logic is currently inverted, so there is no simple workaround.

      Code analysis

      ... Inverted test for host detection

      Risks when this is fixed

      Fixing this will break every pairwise client whose redirect URIs use different hosts and that used to work, since the behaviour will now align with OIDC Core Section 8.1:

      > If there are multiple hostnames in the registered redirect_uris, the Client MUST register a sector_identifier_uri.

      so a sector_identifier_uri will then be required for each such client.




            chee-weng.chea C-Weng C