OPENAM-18396

value for 'sub' claim differs when auth trees or auth chains are used


    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Environment: Oracle HotSpot JVM 1.8.0_201-b09, Apache Tomcat 9.0.8, ForgeRock AM 6.5.2.3

      Description

      Bug description

      The value of the 'sub' claim in OAuth2 stateless access tokens and OIDC ID tokens differs for the same user depending on whether an auth tree or an auth chain was used to authenticate.

      How to reproduce the issue

      1. Configure AM 6.5.2.3 with embedded DS as identity store
      2. Create sub-realm '/sub1'
      3. Set 'cn' as value for 'LDAP Users Search Attribute' in identity store config in sub-realm '/sub1'
      4. Set value of the 'cn' attribute for the 'demo' user to a different value than the one for the 'uid' attribute
      5. Configure AM 6.5.2.3 as OIDC provider in sub-realm '/sub1'
      6. Configure some OAuth2 client in sub-realm '/sub1'
      7. Configure OAuth2 provider to issue stateless OAuth2 access tokens
      8. Configure simple authentication chain 'datastoreService' leveraging DataStore auth module in sub-realm '/sub1'
      9. Configure simple authentication tree 'datastoreTree' leveraging PageNode, Username Collector Node, Password Collector Node, DataStore Decision Node
      10. Open private browser window
      11. Perform service based auth for auth chain 'http://am6523.test.xyz:8080/am/XUI/#login/&realm=/sub1&service=datastoreService'
      12. Authenticate with 'demo' user
      13. Perform OIDC authorization code flow
      14. Check the value of the 'sub' claim in the stateless OAuth2 access token and the OIDC ID token
      15. Open another private browser window
      16. Perform service based auth for auth tree 'http://am6523.test.xyz:8080/am/XUI/#login/&realm=/sub1&service=datastoreTree'
      17. Authenticate with 'demo' user
      18. Perform OIDC authorization code flow
      19. Check the value of the 'sub' claim in the stateless OAuth2 access token and the OIDC ID token
      Expected behaviour

      The value of the 'sub' claim should be identical for the same user, no matter which authentication type was used.

      Current behaviour

      The value of the 'sub' claim differs for the same user when different authentication types are used.

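Relying parties key user records on 'sub', so a subject identifier that depends on the login path can split one user into two accounts; the following added check (example code, not part of this report or of AM) decodes the tokens obtained in steps 14 and 19 and compares their 'sub' claims. The tokens, issuer and 'sub' values below are constructed samples; real tokens must additionally have their signatures, 'iss', 'aud' and 'exp' validated.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    Inspection only: the signature is NOT verified here, so a relying party
    must still validate the token before trusting any claim in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def compare_sub(token_chain: str, token_tree: str) -> dict:
    """Compare the 'sub' claim of two tokens issued to the same user,
    one after an auth-chain login and one after an auth-tree login."""
    chain, tree = jwt_claims(token_chain), jwt_claims(token_tree)
    return {
        "sub_chain": chain.get("sub"),
        "sub_tree": tree.get("sub"),
        "same_issuer": chain.get("iss") == tree.get("iss"),
        # False reproduces the defect described in this report
        "consistent": chain.get("sub") == tree.get("sub"),
    }


def _sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token with a placeholder signature (demo only)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed samples: same user, same issuer, differing 'sub' (assumed values)
ISSUER = "http://am6523.test.xyz:8080/am/oauth2/sub1"
TOKEN_FROM_CHAIN = _sample_token({"iss": ISSUER, "aud": "demo-client", "sub": "demo"})
TOKEN_FROM_TREE = _sample_token({"iss": ISSUER, "aud": "demo-client", "sub": "Demo User"})

if __name__ == "__main__":
    print(compare_sub(TOKEN_FROM_CHAIN, TOKEN_FROM_TREE))
```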
      Note: As a side effect of https://bugster.forgerock.org/jira/browse/OPENAM-16522 this is fixed in AM 7.

    People

    Assignee: Unassigned
    Reporter: bthalmayr (Bernhard Thalmayr)