OPENAM-7170: Password grant type can't be used with scope openid

Details

Sprint: Sprint 97 - Team Tesla

Description

The password grant type works fine until you use the scope "openid".

With the openid scope, OpenAM tries to validate the SSO token, but this grant type is sessionless (the session is created and immediately destroyed).

To reproduce the issue, just set up an OAuth2 client with the scopes "profile" and "openid".

Then, try to get an access token:

curl \
 --request POST \
 --user "myClientID:changeit" \
 --data "grant_type=password&username=demo&password=changeit&scope=openid%20profile" \
 http://openam.example.com:18080/openam/oauth2/access_token

You will get:

{"error":"server_error","error_description":"User must be authenticated to issue ID tokens."}

The main reason is that, in OpenIDTokenIssuer, we call

resourceOwner = resourceOwnerSessionValidator.validate(request);

which throws an exception because the SSO token is null.
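As an added example (not part of the original report or of OpenAM's own code), the following Python script performs the same password grant as the curl command and classifies the token endpoint's reply, so the symptom can be checked as a regression test: with "openid" in the scope the reply must carry an id_token, and the exact error_description quoted above is recognised as this issue. The host, client credentials and user are the placeholder values from the curl command; adjust them for your deployment.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder values taken from the curl reproduction above; adjust for your deployment.
TOKEN_URL = "http://openam.example.com:18080/openam/oauth2/access_token"
CLIENT_ID, CLIENT_SECRET = "myClientID", "changeit"
USERNAME, PASSWORD = "demo", "changeit"

# The error_description OpenAM returns when OpenIDTokenIssuer finds no SSO token (quoted in the report).
BUG_SIGNATURE = "User must be authenticated to issue ID tokens."


def classify_token_response(scope, status, body):
    """Map a token endpoint reply to one of: ok, missing_id_token, sessionless_bug, other_error."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        # With openid in scope an OIDC-compliant success response must also carry an id_token.
        if "openid" in scope.split() and "id_token" not in data:
            return "missing_id_token"
        return "ok"
    if data.get("error") == "server_error" and data.get("error_description") == BUG_SIGNATURE:
        return "sessionless_bug"
    return "other_error"


def request_token(scope):
    """Perform the resource-owner password grant and return (status, body) without raising."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "username": USERNAME,
        "password": PASSWORD, "scope": scope,
    }).encode()
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    req = urllib.request.Request(TOKEN_URL, data=form, method="POST",
                                 headers={"Authorization": f"Basic {basic}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # OAuth2 error replies come back as 4xx/5xx with a JSON body; keep it for classification.
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Without openid the grant succeeds; with openid the unpatched server answers with BUG_SIGNATURE.
    for scope in ("profile", "openid profile"):
        status, body = request_token(scope)
        print(f"scope={scope!r}: {classify_token_response(scope, status, body)}")
```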

People

Assignee: James Phillpotts (jamesphillpotts)
Reporter: Quentin CASTEL (quentin.castel) [X] (Inactive)