OpenAM issue OPENAM-7334

Client Authentication method not compliant with OpenID standard

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.0, 12.0.1, 12.0.2, 12.0.3
    • Fix Version/s: 13.0.0
    • Component/s: OpenID Connect
    • Labels:

      Description

      Description of the issue

      In the OpenID Connect standard, the client authentication method can be defined in the client's configuration at the OAuth2 provider (here OpenAM).
      If it is not defined, "client_secret_basic" is used.

      http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

      In the OpenAM 12 agent profile, the client authentication method can't be defined, so "client_secret_basic" should be the method in use.

      However, OpenAM 12 does not check which method the client actually used.

      How to reproduce the issue

      For example, this request should fail, because it uses the "client_secret_post" method (client_id and client_secret sent as form parameters):

      curl \
       --request POST \
       --data "client_id=myClientID&client_secret=changeit&grant_type=password&username=demo&password=changeit&scope=openid%20profile" \
       http://openam.example.com:18080/openam/oauth2/access_token

      Instead, OpenAM 12 returns an access token.

      Solution:

      To be compliant with the standard in 12, use the "client_secret_basic" method (client credentials in the HTTP Basic Authorization header), like:

      curl \
       --request POST \
       --user "myClientID:changeit" \
       --data "grant_type=password&username=demo&password=changeit&scope=openid%20profile" \
       http://openam.example.com:18080/openam/oauth2/access_token
      

      Note for people upgrading from 12 to 13:

      As 12 allows requests that are not compliant with the standard, some of your requests may fail after upgrading to 13.
      You will get an error like:

      {"error":"invalid_client","error_description":"Invalid authentication method for accessing this endpoint."}
      

      As explained above, this is not a regression in 13 but a correction made in 13 to be compliant with the standard.
      In 13, you can configure the client authentication method in the agent profile.
      Therefore, to correct this error, you can either:

      • select the appropriate client authentication method in the agent profile, or
      • correct your request to use the client authentication method defined in the agent profile.
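      The check that OpenAM 13 performs, as described above, can be modelled with a small server-side example. This is an added illustration, not OpenAM code: it assumes a made-up client registry (`CLIENTS`) that records each client's configured authentication method, as the 13 agent profile does, and the two constructed request bodies mirror the curl commands in this report. The Python version below classifies the method a token request used, compares it with the client's configured method, and returns the same `invalid_client` error shown above on a mismatch (OpenAM 12 skipped that comparison).

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed client registry (hypothetical): client_id -> secret and the
# authentication method configured in that client's agent profile.
CLIENTS = {
    "myClientID": {"secret": "changeit", "auth_method": "client_secret_basic"},
    "postClient": {"secret": "s3cret", "auth_method": "client_secret_post"},
}

# The error body the report shows OpenAM 13 returning on a method mismatch.
INVALID_CLIENT = {
    "error": "invalid_client",
    "error_description": "Invalid authentication method for accessing this endpoint.",
}


def basic_header(client_id, secret):
    """Build the Authorization value that curl --user "id:secret" sends."""
    token = base64.b64encode(f"{client_id}:{secret}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def detect_auth_method(headers, body):
    """Classify how a token request authenticates the client.

    Returns (method, client_id, presented_secret):
      client_secret_basic - credentials in an HTTP Basic Authorization header
      client_secret_post  - client_id and client_secret as form parameters
      ambiguous           - both at once (a client must use exactly one method)
      malformed / none    - unusable or absent credentials
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        if "client_secret" in form:
            return ("ambiguous", form.get("client_id"), None)
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return ("malformed", None, None)
        client_id, sep, secret = decoded.partition(":")
        if not sep:
            return ("malformed", None, None)
        return ("client_secret_basic", client_id, secret)
    if "client_secret" in form:
        return ("client_secret_post", form.get("client_id"), form["client_secret"])
    return ("none", form.get("client_id"), None)


def authenticate_client(headers, body):
    """Enforce the configured method, as OpenAM 13 does; OpenAM 12 skipped this comparison.

    Returns (True, client_id) on success, or (False, error_json) on failure.
    """
    method, client_id, secret = detect_auth_method(headers, body)
    client = CLIENTS.get(client_id)
    if client is None:
        return (False, {"error": "invalid_client", "error_description": "Unknown client."})
    if method != client["auth_method"]:
        # Wrong method for this profile: reject before even looking at the secret.
        return (False, INVALID_CLIENT)
    if not hmac.compare_digest(secret.encode("utf-8"), client["secret"].encode("utf-8")):
        return (False, {"error": "invalid_client", "error_description": "Bad client secret."})
    return (True, client_id)


# Constructed request bodies mirroring the two curl commands in the report.
POST_BODY = ("client_id=myClientID&client_secret=changeit&grant_type=password"
             "&username=demo&password=changeit&scope=openid%20profile")
BASIC_BODY = "grant_type=password&username=demo&password=changeit&scope=openid%20profile"

if __name__ == "__main__":
    # Profile says client_secret_basic, request uses client_secret_post: rejected.
    print(authenticate_client({}, POST_BODY))
    # Same client, credentials in the Basic header: accepted.
    print(authenticate_client({"Authorization": basic_header("myClientID", "changeit")}, BASIC_BODY))
```

      Running the script prints the `invalid_client` error for the `client_secret_post` request and `(True, 'myClientID')` for the `client_secret_basic` one. A request that presents both a Basic header and a `client_secret` form parameter is treated as a mismatch as well, so a client that mixes methods after the upgrade is rejected rather than silently accepted on whichever method the server happens to check first.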

    People

    • Assignee: Unassigned
    • Reporter: Quentin CASTEL (quentin.castel, inactive)
    • Votes: 0
    • Watchers: 2