OPENAM-5197

OAuth2 client fails to add access_token to tokeninfo call


    • Sprint:
      Sprint 74 - Team Tesla, Sprint 75 - Team Tesla



      1. Configure OpenAM as the authz server.
      2. Configure OpenAM as the OAuth2 client.
      3. Create an OAuth2 authentication module.
      4. For the User Profile Service URL, configure it to point to tokeninfo, e.g. http://demo.idp.com:8080/openam/oauth2/tokeninfo
      5. Use cn for scope.
      6. Use cn for account and attribute mapping.
      7. Register the OAuth2 client from above with the authz server.
      8. Use cn for scope here too.

      Try to access the client, with the authentication module configured for it.


      The user gets redirected to the authz server. The consent page shows up after successful authentication, and the user gets redirected back to the OAuth client, but fails to log in with this error message on the page:

      "Unable to login to OpenAM"


      Apparently, the access token is missing when the request to the tokeninfo endpoint is made:

      service url: http://demo.idp.com:8080/openam/oauth2/tokeninfo
      amAuth:12/03/2014 11:28:12:645 AM PST: Thread[http-bio-8080-exec-3,5,main]
      OAuth.getContentStreamByGET: HTTP Conn Error:
      Response code: 400
      Response message: Bad Request
      Error stream:

      {"error":"invalid_request","error_description":"Missing access_token"}

      amAuth:12/03/2014 11:28:12:645 AM PST: Thread[http-bio-8080-exec-3,5,main]
      OAuth.getContentStreamByPOST: URL = http://demo.idp.com:8080/openam/oauth2/tokeninfo
      amAuth:12/03/2014 11:28:12:645 AM PST: Thread[http-bio-8080-exec-3,5,main]
      OAuth.getContentStreamByPOST: Query: null
      amLoginModule:12/03/2014 11:28:12:646 AM PST: Thread[http-bio-8080-exec-3,5,main]
      SETTING Failure Module name.... :fed

      This leads to an NPE:

      javax.security.auth.login.LoginException: java.lang.NullPointerException
      at java.io.Writer.write(Writer.java:157)
      at org.forgerock.openam.authentication.modules.oauth2.OAuth.getContentStreamByPOST(OAuth.java:715)
      at org.forgerock.openam.authentication.modules.oauth2.OAuth.getContentStreamByGET(OAuth.java:657)
      at org.forgerock.openam.authentication.modules.oauth2.OAuth.getContent(OAuth.java:585)
      at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:271)
      at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1023)
      at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1197)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

      Tried it out with curl, using the access token from the logs, and it works fine, returning "cn", which is used to map accounts.

      curl http://demo.idp.com:8080/openam/oauth2/tokeninfo?access_token=3eec91ec-65ab-4209-a610-8b7d2853b6bf


      Also, replaced the tokeninfo endpoint with userinfo. This might be okay with OpenID Connect flows, but not OAuth2. In this case, the sub=id mapping would always create a new subject. It would help if we could return other parameters like email, cn, etc. Now the response from userinfo:

      access_token: 6621150d-7e86-4562-9a87-64dc074dabe1
      amAuth:12/03/2014 12:16:09:255 PM PST: Thread[http-bio-8080-exec-8,5,main]
      service url: http://demo.idp.com:8080/openam/oauth2/userinfo
      amAuth:12/03/2014 12:16:09:288 PM PST: Thread[http-bio-8080-exec-8,5,main]
      OAuth.getContentStreamByGET: HTTP Conn OK
      amAuth:12/03/2014 12:16:09:289 PM PST: Thread[http-bio-8080-exec-8,5,main]
      OAuth.process(): Profile Svc response:


      amAuth:12/03/2014 12:16:09:304 PM PST: Thread[http-bio-8080-exec-8,5,main]


      amAuth:12/03/2014 12:16:09:305 PM PST: Thread[http-bio-8080-exec-8,5,main]
      defaultAttributeMapper.getAttributes: id:sub
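As an added illustration (not OpenAM's code, and not from the reporter), the following Python models the exchange described in this report end to end: a stand-in tokeninfo endpoint that answers 400 invalid_request / "Missing access_token" when the query parameter is absent, a client that appends access_token to the User Profile Service URL the way the working curl call does and refuses to call out with no token at all instead of sending an empty request, and the cn-based account mapping that succeeds on a tokeninfo response but fails on a userinfo response carrying only sub. The token value is the one from the log above; the cn value, the endpoint's reply to an unknown token, and all function names are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SERVICE_URL = "http://demo.idp.com:8080/openam/oauth2/tokeninfo"
USERINFO_URL = "http://demo.idp.com:8080/openam/oauth2/userinfo"

# Constructed data: the token is the one from the report's log; the cn value is made up.
KNOWN_TOKENS = {
    "3eec91ec-65ab-4209-a610-8b7d2853b6bf": {"cn": "demo", "scope": ["cn"]},
}


class ProfileServiceError(Exception):
    """Raised when the profile service call cannot be made or did not succeed."""


def simulated_tokeninfo(url):
    """Stand-in for /oauth2/tokeninfo (an assumption, not OpenAM): the report
    shows it answering 400 invalid_request when access_token is missing; with
    a known token it returns the attributes covered by the token's scope."""
    token = parse_qs(urlsplit(url).query).get("access_token", [None])[0]
    if not token:
        return 400, {"error": "invalid_request",
                     "error_description": "Missing access_token"}
    info = KNOWN_TOKENS.get(token)
    if info is None:  # assumed behaviour for an unknown token
        return 401, {"error": "invalid_token",
                     "error_description": "Unknown access_token"}
    return 200, dict(info, access_token=token)


def simulated_userinfo(url):
    """Stand-in for /oauth2/userinfo: only the subject identifier comes back,
    which is why an account mapping on cn cannot work against it."""
    token = parse_qs(urlsplit(url).query).get("access_token", [None])[0]
    if token not in KNOWN_TOKENS:
        return 400, {"error": "invalid_request",
                     "error_description": "Missing access_token"}
    return 200, {"sub": KNOWN_TOKENS[token]["cn"]}


def build_profile_url(service_url, access_token):
    """Append access_token as a query parameter, matching the working curl call.
    Rejecting an empty token here is the guard the module lacked: with no token
    it fell through to a POST with a null body and hit the NullPointerException
    in Writer.write seen in the stack trace."""
    if not access_token:
        raise ProfileServiceError("no access_token; refusing to call the profile service")
    parts = urlsplit(service_url)
    params = parse_qs(parts.query)
    params["access_token"] = [access_token]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


def fetch_profile(service_url, access_token, transport=simulated_tokeninfo):
    """Call the profile service and return the parsed profile, or raise with the
    server's own error text instead of an opaque "Unable to login" message."""
    status, body = transport(build_profile_url(service_url, access_token))
    if status != 200:
        raise ProfileServiceError(
            f"HTTP {status} from {service_url}: {body.get('error')}: "
            f"{body.get('error_description')}")
    return body


def map_account(profile, account_attr="cn"):
    """Account mapping as configured in the report (cn -> cn): return the lookup
    key for the local user, or raise when the attribute is absent (the case with
    a userinfo response, which carries only sub)."""
    value = profile.get(account_attr)
    if not value:
        raise ProfileServiceError(
            f"profile service response has no {account_attr!r}; "
            f"only {sorted(profile)} available")
    return {account_attr: value}


def login_via_profile(access_token, service_url=SERVICE_URL, transport=simulated_tokeninfo):
    """Client-side path: fetch the profile with the token, then map the account."""
    return map_account(fetch_profile(service_url, access_token, transport))


if __name__ == "__main__":
    token = "3eec91ec-65ab-4209-a610-8b7d2853b6bf"
    print("mapped account:", login_via_profile(token))
    for bad in (None, "not-a-token"):
        try:
            login_via_profile(bad)
        except ProfileServiceError as exc:
            print("rejected:", exc)
    try:
        login_via_profile(token, USERINFO_URL, simulated_userinfo)
    except ProfileServiceError as exc:
        print("userinfo mapping failed:", exc)
```

The point of the guard in build_profile_url is that a missing token is a client-side configuration or flow error and should surface as such before any request leaves the module; the 400 from the server and the NPE in the report are both symptoms of that check being absent.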




            Assignee: Jaco Jooste, Tuhin Kumar (Inactive)