OpenAM: OPENAM-18167

OIDC requests with request parameter fail with 500 error when there is no session using POST

    Details

    • Rank: 1|i05e7q:
    • AM Sustaining Sprint 88

      Description

      Bug description

      When doing a POST to the authorization endpoint without a session, it does not redirect the user to the authentication page and instead gives a 500 error. This issue is identical in description to OPENAM-13298.

      Unless one turns on the highest debug level, the debug logs (at ERROR level) do not show any issue:

      o.f.o.r.ExceptionHandler: 2021-07-30 06:23:12,953: Thread[http-nio-0.0.0.0-28080-exec-10]: TransactionId[]
      WARN: An unexpected exception occurred while handling an OAuth2 request
      java.lang.NullPointerException: null
      [CONTINUED]     at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.authenticationRequired(ResourceOwnerSessionValidator.java:563)
      [CONTINUED]     at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.validate(ResourceOwnerSessionValidator.java:286)
      [CONTINUED]     at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:402)
      [CONTINUED]     at org.forgerock.oauth2.restlet.AuthorizeResource.postAuthorize(AuthorizeResource.java:274)
      [CONTINUED]     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      [CONTINUED]     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      [CONTINUED]     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      [CONTINUED]     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      [CONTINUED]     at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:81)
      [CONTINUED]     at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:77)
      [CONTINUED]     at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:180)
      [CONTINUED]     at org.forgerock.oauth2.restlet.OAuth2Filter.filter(OAuth2Filter.java:48)
      

      The only thing seen is an error in the AM access audit log, with no clue as to what happened:

      {"status":"FAILED","statusCode":"500","elapsedTime":17,"elapsedTimeUnits":"MILLISECONDS","detail":{"reason":"Internal Server Error"}}
      

      A related telltale sign is in the debug logs: you see the request parameter being received and, later, the error about being unable to get the session:

      o.f.o.c.OAuth2RequestFactory: 2021-07-30 06:23:12,940: Thread[http-nio-0.0.0.0-28080-exec-10]: TransactionId[]
      DEBUG: Received request parameter 'eyJ0eXAiOiJ.......a5V0xGdSylIpRgk'
      o.f.o.o.s.ClientSecretKeyStore: 2021-07-30 06:23:12,941: Thread[http-nio-0.0.0.0-28080-exec-10]: TransactionId[]
      DEBUG: Looking for valid secrets for purpose Purpose{'oauth2.request.parameter.verification', VerificationKey} in store org.forgerock.openam.oauth2.secrets.ClientSecretKeyStore@18f92f77
      o.f.o.o.s.ClientSecretKeyStore: 2021-07-30 06:23:12,941: Thread[http-nio-0.0.0.0-28080-exec-10]: TransactionId[]
      TRACE: Found valid secret for purpose Purpose{'oauth2.request.parameter.verification', VerificationKey} in store org.forgerock.openam.oauth2.secrets.ClientSecretKeyStore@18f92f77: VerificationKey{stableId=sQnzu7wkTrgkQZF-0G1hi5AI3Qmzvv0bXgc5THBqi7k, expiryTime=2021-07-30T06:28:12.941613Z, factory=CryptoServiceFactory{provider=null}, keyUsages=[encrypt, decrypt, sign, verify, agree key, wrap key, unwrap key, verify certificate]}
      o.f.o.c.ResourceOwnerSessionValidator: 2021-07-30 06:23:12,952: Thread[http-nio-0.0.0.0-28080-exec-10]: TransactionId[]
      WARN: Error authenticating user against OpenAM:
      com.iplanet.sso.SSOException: SessionID is empty
      [CONTINUED]     at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:147)
      [CONTINUED]     at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:160)
      [CONTINUED]     at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:328)
      [CONTINUED]     at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.getResourceOwnerSession(ResourceOwnerSessionValidator.java:455)
      [CONTINUED]     at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.validate(ResourceOwnerSessionValidator.java:200)
      [CONTINUED]     at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:402)
      ....
      

      How to reproduce the issue

      Similar to the test case in OPENAM-13298; in fact it is the same issue.

      1. Create an OIDC provider on a realm and enable claims_parameter
      2. Create a test client
      3. Set the request parameter signing algorithm to HS256 for the test client, for ease of testing
      4. Submit something like this

       curl -X POST -s -k -D - --data-urlencode 'scope=profile openid' --data-urlencode 'response_type=code id_token' --data-urlencode redirect_uri=http://localhost/test.jsp 'http://localhost:28080/openam/oauth2/authorize?realm=/openbanking&request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyAKICAiYXVkIjogWyJodHRwOi8vbG9jYWxob3N0OjI4MDgwL29wZW5hbS9vYXV0aDIvcmVhbG1zL3Jvb3QvcmVhbG1zL29wZW5iYW5raW5nIl0sCiAgImV4cCI6IDE2Mjc2MjYwNjAsCiAgImlzcyI6ICJ0ZXN0Q2xpZW50IgogIAp9Cg.sWDP6RcDBnOii0jBuFFzZPhmZuk2Q_hqivjz-1RowJw&nonce=nonce&client_id=testClient&decision=allow'
      

      5. Notice that a 500 is returned when there is no session

      Note that the request JWT can be signed with the client_secret as the HS256 key using jwt.io, with iss=<test client>, aud = the URL of the AM (see example above), and exp set to the current Unix epoch time + 10 minutes.

      Expected behaviour
      Never return a 500 error
      
      Current behaviour
      Throws an exception and fails with a 500 Internal Server Error
      

      Workaround

      Always ensure there is a session available when posting to AM

      Code analysis

      The fix suggested in OPENAM-13298 actually needs to be done. It was not done, or not fixed in the same way, last time, but the analysis in OPENAM-13298 is correct.

      The reason is that the request is wrapped and lacks the clientRegistration when authenticationRequired is called. In short, the wrapped request is not really "proxying" the true underlying request.

        People

        chee-weng.chea C-Weng C