OpenAM / OPENAM-4076

Upgrade 11.x->12 cannot successfully migrate configured OAuth2 clients


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0
    • Fix Version/s: 12.0.0, 13.0.0
    • Component/s: documentation, upgrade

    Description

      The fix for OPENAM-3738 means that the OAuth2 client agent passwords are no longer hashed as part of LDAP read/write - this was necessary to get the HMAC signing of OpenID Connect tokens to work properly, as these tokens must be signed by the plain-text client password. However, this means that OAuth2 clients configured in 11.x will not work when an upgrade to 12.x occurs, as the 11.x passwords were stored in hashed-and-encrypted format, whereas in 12.x they are stored in encrypted format only (no hash applied). Unfortunately, there is no technical fix, as a hash is a one-way function and can't be undone (reasonably, at least - that's the whole point of a hash function). So this means that existing passwords cannot be migrated from 11.x to 12.x. This issue will almost certainly be handled via documentation - users will be instructed to re-create any existing OAuth2 clients.
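      Added example (not OpenAM code and not part of the reporter's description) to make the constraint above concrete: an HS256-signed ID token is an HMAC keyed by the client secret, so the authorization server must be able to recover the plain-text secret, while a one-way hash is still perfectly usable for authenticating the client. The two storage formats are simplified stand-ins chosen for this example (an assumed salted SHA-1 hash for the 11.x style, base64 in place of real encryption for the 12.x style), and `needs_recreate` is a hypothetical upgrade check, not an OpenAM API.

```python
"""Why HMAC-signed OpenID Connect tokens need the client secret in the clear.

Stand-alone illustration; not OpenAM code. The storage schemes below are
simplified stand-ins: "hashed" models the 11.x style (salted SHA-1 is an
assumption), "reversible" models the 12.x style (base64 is a placeholder for
real encryption and offers no protection by itself).
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_token(claims: dict, key: bytes) -> str:
    """Mint a compact JWS (JWT) with alg=HS256, i.e. HMAC-SHA256 keyed by `key`."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def hs256_verify(token: str, key: bytes) -> bool:
    """What the relying party does with its own copy of the client secret."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


# --- simplified client-secret stores (assumed formats, not OpenAM's) --------
def store_hashed(secret: bytes, salt: bytes = b"\x00" * 8) -> dict:
    """11.x style: one-way salted hash. Fine for checking a presented secret,
    useless as an HMAC key because the plaintext is gone."""
    digest = hashlib.sha1(secret + salt).digest()
    return {"scheme": "hashed", "value": base64.b64encode(digest + salt).decode()}


def store_reversible(secret: bytes) -> dict:
    """12.x style: recoverable, so the server can sign with the plaintext.
    base64 stands in for encryption here; it is not a protection."""
    return {"scheme": "reversible", "value": base64.b64encode(secret).decode()}


def check_presented_secret(record: dict, presented: bytes) -> bool:
    """Client authentication (client_id/client_secret) works with either scheme."""
    if record["scheme"] == "hashed":
        raw = base64.b64decode(record["value"])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(presented + salt).digest(), digest)
    return hmac.compare_digest(base64.b64decode(record["value"]), presented)


def signing_key(record: dict):
    """Key material the authorization server can derive from its stored record.
    None means the plaintext cannot be recovered, which is the upgrade problem."""
    if record["scheme"] == "reversible":
        return base64.b64decode(record["value"])
    return None


def issue_id_token(record: dict, claims: dict):
    """Mint an HS256 ID token for the client, or None if the secret is unrecoverable."""
    key = signing_key(record)
    return None if key is None else hs256_token(claims, key)


def needs_recreate(record: dict) -> bool:
    """Hypothetical upgrade check: a hashed record cannot be migrated, only re-created."""
    return signing_key(record) is None


def demo() -> dict:
    secret = b"correct-horse-battery"  # constructed sample client secret
    claims = {"iss": "https://op.example", "sub": "alice", "aud": "myclient"}
    old, new = store_hashed(secret), store_reversible(secret)
    return {
        "old_auth_ok": check_presented_secret(old, secret),      # hashing still authenticates
        "old_token": issue_id_token(old, claims),                # but cannot sign: None
        "old_needs_recreate": needs_recreate(old),
        "new_token_verifies": hs256_verify(issue_id_token(new, claims), secret),
        # Using the stored hash itself as the HMAC key mints a token the client,
        # which only holds the plaintext secret, rejects.
        "hash_as_key_verifies": hs256_verify(
            hs256_token(claims, base64.b64decode(old["value"])), secret),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

      The `check_presented_secret` / `signing_key` split is the whole point: the same record is sufficient for one use (authenticating the client) and insufficient for the other (keying the token signature), which is why a hashed 11.x record has no migration path other than re-creating the client with a fresh secret.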

    People

      Assignee: Mark Craig
      Reporter: Dirk Hogan