OpenAM
OPENAM-17801

OIDC userinfo subname claim returns incorrect value


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.1.1, 2021.6, 7.2.0
    • Component/s: None
    • Labels: None

    Description

      Bug description

      Since the change that added the unique sub claim to AM (OPENAM-14402), the /oauth2/userinfo endpoint incorrectly returns the subname claim as the full universal id of the user:

      "subname": "id=demo,ou=user,o=root,ou=services,dc=openam,dc=forgerock,dc=org"

      whereas it should carry the value of the old sub claim, i.e. the bare user id, e.g.:

      "subname": "demo"

      How to reproduce the issue

      1. Install AM.
      2. Install the Postman collection.
      3. Run the collection ForgeRock OAuth 2.0 and OpenID Connect Collection > OpenID Connect Flows > Authorization Code Grant and, before logging out, call the userinfo endpoint with the access token it obtained:

      curl \
      --request GET \
      --header "Authorization: Bearer U-Wjlv-w1jtpuBVWUGFV6PwI_nE" \
      "https://am.localtest.me:8080/openam/oauth2/realms/mySubRealm/userinfo"

      Expected behaviour
      {
          "family_name": "ForgerockDemo",
          "name": "ForgerockDemo",
          "sub": "(usr!ForgerockDemo)",
          "subname": "ForgerockDemo"
      }

      Current behaviour
      {
          "family_name": "ForgerockDemo",
          "name": "ForgerockDemo",
          "sub": "(usr!ForgerockDemo)",
          "subname": "id=ForgerockDemo,..."
      }

      Workaround

      n/a

      Code analysis

      org.forgerock.openam.oauth2.OpenAMScopeValidator#addSubToResponseIfOpenIdConnect
          response.add(new Claim(OAuth2Constants.JWTTokenParams.SUB_NAME, token.getResourceOwnerId()));

      token.getResourceOwnerId() is the full universal id, so the code above emits it verbatim. The subname claim should instead carry only the identity part of that id, i.e. the user id:

      org.forgerock.openam.oauth2.OpenAMScopeValidator#addSubToResponseIfOpenIdConnect
          response.add(new Claim(OAuth2Constants.JWTTokenParams.SUB_NAME, CompoundIdentity
                  .fromUniversalId(token.getResourceOwnerId()).getIdentity()));
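As an added check that is not code from the AM code base or from the reporter, the following Python mirrors the two behaviours in the code analysis on the universal id format shown in this report, and validates a userinfo response the way the reproduction step does: subname must equal the identity inside the unique sub claim and must not be a universal id. The sample responses are constructed from the expected/current JSON above, and the `id=<identity>,ou=<type>,o=<realm>,...` and `(<type>!<identity>)` shapes are assumptions taken only from the values on this page.

```python
import json
import re

# Constructed sample userinfo responses, shaped like the expected and current
# behaviour in the bug report (not captured from a live AM instance).
EXPECTED_RESPONSE = json.dumps({
    "family_name": "ForgerockDemo",
    "name": "ForgerockDemo",
    "sub": "(usr!ForgerockDemo)",
    "subname": "ForgerockDemo",
})
BUGGY_RESPONSE = json.dumps({
    "family_name": "ForgerockDemo",
    "name": "ForgerockDemo",
    "sub": "(usr!ForgerockDemo)",
    "subname": "id=ForgerockDemo,ou=user,o=root,ou=services,dc=openam,dc=forgerock,dc=org",
})

# Assumption: a universal id has the shape "id=<identity>,ou=<type>,o=<realm>,..."
# as in the example in this report; only the leading RDNs are interpreted.
_UNIVERSAL_ID_RE = re.compile(
    r"^id=(?P<identity>[^,]+),ou=(?P<type>[^,]+),o=(?P<realm>[^,]+)(?:,.*)?$"
)

# Assumption: the unique sub claim has the shape "(<type>!<identity>)".
_UNIQUE_SUB_RE = re.compile(r"^\((?P<type>[^!]+)!(?P<identity>.+)\)$")


def identity_from_universal_id(universal_id: str) -> str:
    """Return the bare identity ("demo" from "id=demo,ou=user,...")."""
    match = _UNIVERSAL_ID_RE.match(universal_id)
    if match is None:
        raise ValueError(f"not a universal id: {universal_id!r}")
    return match.group("identity")


def buggy_subname(universal_id: str) -> str:
    """Pre-fix behaviour: the resource owner id is emitted as-is."""
    return universal_id


def fixed_subname(universal_id: str) -> str:
    """Post-fix behaviour: only the identity portion of the universal id is emitted."""
    return identity_from_universal_id(universal_id)


def subname_problems(userinfo_json: str) -> list:
    """Check the sub/subname pair of a userinfo response; an empty list means it is consistent."""
    claims = json.loads(userinfo_json)
    sub = claims.get("sub")
    subname = claims.get("subname")
    if not isinstance(sub, str) or not isinstance(subname, str):
        return ["sub or subname claim missing"]
    match = _UNIQUE_SUB_RE.match(sub)
    if match is None:
        return [f"sub {sub!r} is not in the (type!identity) form"]
    problems = []
    if _UNIVERSAL_ID_RE.match(subname):
        problems.append(f"subname {subname!r} is a universal id, not a user id")
    if subname != match.group("identity"):
        problems.append(f"subname {subname!r} does not match the identity in sub {sub!r}")
    return problems


if __name__ == "__main__":
    uid = "id=demo,ou=user,o=root,ou=services,dc=openam,dc=forgerock,dc=org"
    print("buggy :", buggy_subname(uid))
    print("fixed :", fixed_subname(uid))
    for label, body in (("expected", EXPECTED_RESPONSE), ("current", BUGGY_RESPONSE)):
        print(label, "->", subname_problems(body) or "OK")
```

Run against the JSON returned by the curl request in the reproduction step, the check flags the pre-fix response twice (subname is a universal id, and it does not match the identity in sub) and accepts the expected one. Besides breaking relying parties that key accounts on subname as the successor of the old sub value, the verbatim universal id hands every client the realm and directory layout behind the user, which is why the claim should only ever carry the identity portion.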

      People

        Assignee: Jay Bowers
        Reporter: Jay Bowers