
A refresh_token created with 12.0.2 cannot be used with 12.0.3

      Description

      Considering 2 OpenAM instances:

      • AM1 12.0.2 (tomme.internal.forgerock.com:8081)
      • AM2 12.0.3 (brie.internal.forgerock.com:8081)

      Both are configured for OAuth2 on realm "myrealm" and share the same external CTS (DJ 2.6.3).

      OAuth2 service is configured with:

      • issue-refresh-token set to true
      • issue-refresh-token-on-refreshing-token set to false
      • refresh-token-lifetime set to 6 months

      If we generate a new access (and refresh) token on 12.0.2 in realm 'myrealm', i.e.:

      curl --request POST --user clientOIDC:password --data grant_type='password&username=user.0&password=password&scope=openid' 'http://tomme.internal.forgerock.com:8081/openam/oauth2/access_token?realm=myrealm'
      

      The corresponding LDAP entry in the DJ CTS is:

      dn: coreTokenId=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenObject: {"redirectURI":[],"acr":[],"clientID":["clientOIDC"],"expireTim
       e":["1464779690710"],"grant_type":["password"],"scope":["openid"],"tokenName":[
       "refresh_token"],"authModules":[],"realm":["myrealm"],"id":["1e68ab4a-f3ce-4d3b
       -b036-ad88cce11e88"],"userName":["user.0"],"tokenType":["Bearer"]}
      coreTokenString08: myrealm
      coreTokenString07: Bearer
      coreTokenType: OAUTH
      coreTokenString09: clientOIDC
      coreTokenString10: refresh_token
      coreTokenId: 1e68ab4a-f3ce-4d3b-b036-ad88cce11e88
      coreTokenExpirationDate: 20160601131450.710+0200
      coreTokenString12: password
      coreTokenString01: openid
      coreTokenString04: -empty-
      coreTokenString03: user.0
      

      The refresh_token can be used with the same AM 12.0.2 instance to issue a new access_token:

      curl --request POST --user clientOIDC:password --data grant_type='refresh_token&refresh_token=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88' 'http://tomme.internal.forgerock.com:8081/openam/oauth2/access_token?realm=myrealm'
      {"access_token":"ce0e6f33-7f5e-4407-92c7-896bf5a87e82","scope":"openid","id_token":"eyAidHlwIjogIkpXVCIsICJraWQiOiAiNjUxYjZlMzMtNDIxOC00OGYyLWFhNDQtMjZmNzA3NDRiMTUyIiwgImN0eSI6ICJKV1QiLCAiYWxnIjogIlJTMjU2IiB9.eyAiYXRfaGFzaCI6ICIyc2J3RXJVY3QxQ2FNU1JsblhIdFRBIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHA6Ly90b21tZS5pbnRlcm5hbC5mb3JnZXJvY2suY29tOjgwODEvb3BlbmFtL29hdXRoMm15cmVhbG0iLCAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF1ZCI6IFsgImNsaWVudE9JREMiIF0sICJvcHMiOiAiMWJiNTIxZGYtZmEyYy00ODExLWE1NzctNDkyZGJkZjMwMGYwIiwgImF6cCI6ICJjbGllbnRPSURDIiwgImF1dGhfdGltZSI6IDE0NDkyMzEyOTMsICJyZWFsbSI6ICJteXJlYWxtIiwgImV4cCI6IDE0NDkyMzE4OTMsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTQ0OTIzMTI5MyB9.ZknT-44-aWERuMxU1CCNshUPuLBQXGsln8FEPh1P9pvPVWgI2UhJOypkEpkAJC9ymiv1ySL9U36NxZdCBMGeQhg2MrI5qF1GZNtLm6wNhmWKXJtEpJKWE86kibdVfRW_snozYdNtuWM2bXXl4pBmiQD-zbktsWclmGdNYNZJ-ck","token_type":"Bearer","expires_in":3599}
      

      but it is not recognized by the AM 12.0.3 instance, whether we specify realm 'myrealm' or '/myrealm':

      curl --request POST --user clientOIDC:password --data grant_type='refresh_token&refresh_token=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88' 'http://brie.internal.forgerock.com:8081/openam/oauth2/access_token?realm=myrealm'
      {"error_description":"grant is invalid","error":"invalid_grant"}
      
      curl --request POST --user clientOIDC:password --data grant_type='refresh_token&refresh_token=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88' 'http://brie.internal.forgerock.com:8081/openam/oauth2/access_token?realm=/myrealm'
      {"error_description":"grant is invalid","error":"invalid_grant"}
      

      Indeed, it looks like 12.0.3 is always appending '/' to the realm, for instance when issuing a new access/refresh token:

      curl --request POST --user clientOIDC:password --data grant_type='password&username=user.0&password=password&scope=openid' 'http://brie.internal.forgerock.com:8081/openam/oauth2/access_token?realm=myrealm'
      dn: coreTokenId=00a9e049-1ac9-45e4-a1ca-0f7778486f4f,dc=com
      objectClass: top
      objectClass: frCoreToken
      coreTokenObject: {"redirectURI":[],"acr":[],"clientID":["clientOIDC"],"expireTim
       e":["1464783070976"],"grant_type":["password"],"scope":["openid"],"tokenName":[
       "refresh_token"],"authModules":[],"realm":["/myrealm"],"id":["00a9e049-1ac9-45e
       4-a1ca-0f7778486f4f"],"userName":["user.0"],"tokenType":["Bearer"]}
      coreTokenString01: openid
      coreTokenString12: password
      coreTokenString10: refresh_token
      coreTokenString04: -empty-
      coreTokenString03: user.0
      coreTokenExpirationDate: 20160601141110.976+0200
      coreTokenString08: /myrealm
      coreTokenString09: clientOIDC
      coreTokenId: 00a9e049-1ac9-45e4-a1ca-0f7778486f4f
      coreTokenType: OAUTH
      coreTokenString07: Bearer
      

      Note: 'myrealm' in the URL has been converted to '/myrealm' in the LDAP entry.

      That's probably why it's not able to validate any refresh_token created by 12.0.2 with realm 'myrealm'.
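As an added illustration (not code from this issue or from OpenAM), the following Python parses CTS entries shaped like the two LDIF records quoted above, including the folded coreTokenObject line, and shows how a refresh-token grant check behaves when only the request realm is canonicalised versus when both the request realm and the stored realm are. The normalize_realm rule, the validate_refresh_grant function and the sample LDIF are assumptions modelled on the report, not OpenAM's own implementation.

```python
import json

# Constructed LDIF sample modelled on the two entries quoted in the issue:
# one refresh_token stored with realm "myrealm" (12.0.2 behaviour) and one
# stored with realm "/myrealm" (12.0.3 behaviour). As in real LDIF, the long
# coreTokenObject value is folded onto continuation lines that start with a space.
SAMPLE_LDIF = """\
dn: coreTokenId=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientID":["clientOIDC"],"expireTim
 e":["1464779690710"],"tokenName":["refresh_token"],"realm":["myrealm"],"id":["1e68ab4a-f3ce-4d3b
 -b036-ad88cce11e88"],"userName":["user.0"]}
coreTokenString08: myrealm
coreTokenType: OAUTH
coreTokenId: 1e68ab4a-f3ce-4d3b-b036-ad88cce11e88

dn: coreTokenId=00a9e049-1ac9-45e4-a1ca-0f7778486f4f,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientID":["clientOIDC"],"expireTim
 e":["1464783070976"],"tokenName":["refresh_token"],"realm":["/myrealm"],"id":["00a9e049-1ac9-45e
 4-a1ca-0f7778486f4f"],"userName":["user.0"]}
coreTokenString08: /myrealm
coreTokenType: OAUTH
coreTokenId: 00a9e049-1ac9-45e4-a1ca-0f7778486f4f
"""

# Constructed "current time" in epoch milliseconds, earlier than both expireTime values.
NOW_MS = 1449231293000


def parse_ldif(text):
    """Parse a minimal LDIF text into a list of {attribute: [values]} dicts.
    Continuation lines (leading space) are joined onto the preceding line first."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def load_refresh_tokens(ldif_text):
    """Index each entry's decoded coreTokenObject JSON by its coreTokenId."""
    tokens = {}
    for entry in parse_ldif(ldif_text):
        tokens[entry["coreTokenId"][0]] = json.loads(entry["coreTokenObject"][0])
    return tokens


def normalize_realm(realm):
    """Canonical realm form: leading slash, no trailing slash, "/" for the root realm.
    Assumed rule, inferred from the report's observation that 12.0.3 stores
    'myrealm' as '/myrealm'; not OpenAM's own normalisation code."""
    parts = [p for p in realm.split("/") if p]
    return "/" + "/".join(parts)


def validate_refresh_grant(tokens, token_id, client_id, request_realm, now_ms,
                           normalize_stored=False):
    """Return "ok" or "invalid_grant" for a refresh_token grant.

    normalize_stored=False mirrors the behaviour the issue reports for 12.0.3: only the
    request realm is canonicalised and then compared literally with the stored realm,
    so a token stored as "myrealm" never matches "/myrealm".  normalize_stored=True
    canonicalises both sides, which accepts tokens written by either version."""
    token = tokens.get(token_id)
    if token is None or token.get("tokenName") != ["refresh_token"]:
        return "invalid_grant"            # unknown id or not a refresh token
    if token.get("clientID") != [client_id]:
        return "invalid_grant"            # token belongs to a different client
    if now_ms >= int(token["expireTime"][0]):
        return "invalid_grant"            # refresh token has expired
    stored_realm = token["realm"][0]
    if normalize_stored:
        stored_realm = normalize_realm(stored_realm)
    if normalize_realm(request_realm) != stored_realm:
        return "invalid_grant"            # realm mismatch (the failure in this issue)
    return "ok"


if __name__ == "__main__":
    tokens = load_refresh_tokens(SAMPLE_LDIF)
    old, new = "1e68ab4a-f3ce-4d3b-b036-ad88cce11e88", "00a9e049-1ac9-45e4-a1ca-0f7778486f4f"
    for tid in (old, new):
        for realm in ("myrealm", "/myrealm"):
            print(tid[:8], realm,
                  "strict:", validate_refresh_grant(tokens, tid, "clientOIDC", realm, NOW_MS),
                  "normalised:", validate_refresh_grant(tokens, tid, "clientOIDC", realm, NOW_MS,
                                                        normalize_stored=True))
```

Running the block prints "invalid_grant" under the strict comparison for the token stored as 'myrealm' (for both spellings of the request realm) and "ok" for the token stored as '/myrealm', which matches the two curl results in the report; canonicalising the stored realm as well makes both tokens validate.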

      People

      • Assignee: Rich Riley (rich.riley)
      • Reporter: Sebastien Bertholet (sberthol)