OpenAM / OPENAM-7260

OAuth2 authorization flow sets wrong resource owner if alias name + LDAP auth is used.

Details

  Sprint: AM Sustaining Sprint 14

Description

Steps:

1. log in to the admin console
2. click [Access Control] -> realm -> [Authentication] -> "All Core Settings ..."
3. add "cn" to the [Alias Search Attribute Name] list
4. click the "Save" button and log out
5. start "control-panel" under $OPENAM_HOME/opends/bin
6. add a new user entry with "cn" as the naming attribute
7. access the login screen with "module=LDAP"
   http://<host>:<port>/openam/UI/Login?realm=/myjwt&module=LDAP
8. log in
9. access the authorization page
   http://<host>:<port>/openam/oauth2/authorize?client_id=myClientID&scope=cn&redirect_uri=http%3A%2F%2F<host>%3A<port>%2Fopenam%2Foauth2c%2FOAuthProxy.jsp&response_type=code
10. use the access token to get user info
    curl -H 'Authorization: Bearer 3c4c1df7-a4d6-43f8-bf24-6e083f83a8a9' http://openam.example.com:18080/opensso/oauth2/userinfo?realm=/myjwt
11. you will get

{"error":"unauthorized_client","error_description":"Not able to get client from OpenAM"}
OAuth2Provider:10/28/2015 02:25:48:745 PM EDT: Thread[http-nio-8080-exec-4,5,main]
ERROR: Unable to get client AMIdentity:
java.lang.UnsupportedOperationException: Realm parameter only OAuth2Request
    at org.forgerock.openam.oauth2.IdentityManager$1.getRequest(IdentityManager.java:93)
    at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettingsFactory.get(OpenAMOAuth2ProviderSettingsFactory.java:63)
    at org.forgerock.openam.oauth2.IdentityManager.getResourceOwnerIdentity(IdentityManager.java:91)
    at org.forgerock.openam.oauth2.OpenAMScopeValidator.getUserInfo(OpenAMScopeValidator.java:169)
    at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.getUserInfo(OpenAMOAuth2ProviderSettings.java:417)
    at org.forgerock.openidconnect.UserInfoServiceImpl.getUserInfo(UserInfoServiceImpl.java:88)
    at org.forgerock.openidconnect.restlet.UserInfo.getUserInfo(UserInfo.java:76)
    at sun.reflect.GeneratedMethodAccessor103.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:503)
    at org.restlet.resource.ServerResource.get(ServerResource.java:707)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:589)
    at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:649)
    at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
    at org.restlet.resource.ServerResource.handle(ServerResource.java:952)
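As an added illustration (not OpenAM's own code and not the fix applied for this ticket), the following Python models the identity-mapping step that the reproduction steps above exercise: when a user logs in with a value matched through an alias attribute such as cn rather than the naming attribute uid, the login name must be mapped back to exactly one canonical uid before it is used as the OAuth2 resource owner, and a name that matches several entries, or that collides with another user's uid, must be rejected rather than bound to the wrong user. The directory entries, attribute names and function names are constructed for this example.

```python
"""Illustrative resource-owner canonicalisation for an alias-login setup.

Added example, not OpenAM code. It models the situation from the ticket:
users may authenticate with an alias attribute (here "cn") instead of the
naming attribute "uid", so the name the LDAP module hands back must be
mapped to exactly one canonical identity before it is used as the OAuth2
resource owner. Directory contents and attribute names are constructed.
"""

# Constructed directory: each entry is an attribute map.
# - "bob" carries a cn equal to another user's uid (alias/uid collision)
# - "carol" and "dave" share the same cn (ambiguous alias)
DIRECTORY = [
    {"uid": "alice", "cn": "Alice Smith", "mail": "alice@example.com"},
    {"uid": "bob",   "cn": "alice",       "mail": "bob@example.com"},
    {"uid": "carol", "cn": "j.doe",       "mail": "carol@example.com"},
    {"uid": "dave",  "cn": "j.doe",       "mail": "dave@example.com"},
]

NAMING_ATTRIBUTE = "uid"            # attribute that names an identity (assumed)
ALIAS_SEARCH_ATTRIBUTES = ["cn"]    # models the "Alias Search Attribute Name" list


class ResourceOwnerError(Exception):
    """Raised when a principal name cannot be mapped to exactly one identity."""


def find_by_attribute(attr, value, directory=DIRECTORY):
    """Return all entries whose attribute equals value (case-insensitive, like LDAP)."""
    return [e for e in directory if e.get(attr, "").lower() == value.lower()]


def resolve_resource_owner(principal, directory=DIRECTORY,
                           naming_attribute=NAMING_ATTRIBUTE,
                           alias_attributes=ALIAS_SEARCH_ATTRIBUTES):
    """Map an authenticated principal name to one canonical uid.

    1. Try the naming attribute first, so an alias can never shadow a real uid.
    2. Fall back to each configured alias attribute, in order.
    3. Reject ambiguity: an alias that matches several identities would
       otherwise let the token be bound to the wrong resource owner.
    """
    exact = find_by_attribute(naming_attribute, principal, directory)
    if len(exact) == 1:
        return exact[0][naming_attribute]
    if len(exact) > 1:
        raise ResourceOwnerError(
            f"naming attribute {naming_attribute!r} is not unique for {principal!r}")
    for attr in alias_attributes:
        matches = find_by_attribute(attr, principal, directory)
        if len(matches) == 1:
            return matches[0][naming_attribute]
        if len(matches) > 1:
            uids = sorted(m[naming_attribute] for m in matches)
            raise ResourceOwnerError(f"alias {attr}={principal!r} is ambiguous: {uids}")
    raise ResourceOwnerError(f"no identity found for principal {principal!r}")


def userinfo_for_token(token_owner, directory=DIRECTORY):
    """Build a userinfo payload only after the owner has been canonicalised.

    The "sub" claim is always the canonical uid, never the alias value the
    user typed at login.
    """
    uid = resolve_resource_owner(token_owner, directory)
    entry = find_by_attribute(NAMING_ATTRIBUTE, uid, directory)[0]
    return {"sub": uid, "cn": entry["cn"], "email": entry["mail"]}


if __name__ == "__main__":
    for name in ["alice", "Alice Smith", "j.doe", "nobody"]:
        try:
            print(name, "->", userinfo_for_token(name))
        except ResourceOwnerError as err:
            print(name, "-> rejected:", err)
```

The ordering is the point: the naming attribute is checked before any alias attribute, so a cn value that happens to equal some other user's uid ("bob" above) cannot take over that identity, and a duplicate alias ("j.doe") is an error instead of a silent first-match. Both conditions are ones a token issuer should refuse to bind a resource owner on.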

People

  Assignee: Sachiko Wallace
  Reporter: Sachiko Wallace

Time Tracking

  Original Estimate: 0h
  Remaining Estimate: 0h
  Time Spent: 2h