OpenAM / OPENAM-8270

Using client_credentials grant type with openid scope returns "User must be authenticated to issue ID tokens."

Details

    • Sprint: AM Sustaining Sprint 16, AM Sustaining Sprint 17, AM Sustaining Sprint 41
    • Story Points: 2

      Description

      Set up an OpenID environment

      Send the following request:

      curl -X POST -d 'grant_type=client_credentials&scope=openid&client_id=MyClientId&client_secret=password' "http://openam.example.com:58080/openam/oauth2/access_token" -v

      Returns

      {"error":"server_error","error_description":"User must be authenticated to issue ID tokens."}

      OAuth2Provider debug:

      WARNING: Error authenticating user against OpenAM:
      com.iplanet.sso.SSOException: Invalid session ID.
      at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:131)
      at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:296)
      at org.forgerock.openam.oauth2.OpenAMResourceOwnerSessionValidator.validate(OpenAMResourceOwnerSessionValidator.java:141)
      at org.forgerock.openidconnect.OpenIDTokenIssuer.issueToken(OpenIDTokenIssuer.java:82)
      at org.forgerock.openam.oauth2.OpenAMScopeValidator.additionalDataToReturnFromTokenEndpoint(OpenAMScopeValidator.java:454)
      at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.additionalDataToReturnFromTokenEndpoint(OpenAMOAuth2ProviderSettings.java:469)
      at org.forgerock.oauth2.core.ClientCredentialsGrantTypeHandler.handle(ClientCredentialsGrantTypeHandler.java:84)
      at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:82)
      at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:92)
      at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:87)
      at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

      Using other scopes (e.g. profile) works correctly and gives the expected output:

      {"scope":"profile","expires_in":3599,"token_type":"Bearer","access_token":"db85e5ee-4134-451b-b5cb-e93d00dbd371"}

      Using different grant types with the openid scope works as expected.

      Debug attached.
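The rule behind the error above, written out as an added example (this is not OpenAM's code, and the handler, client registry and function names are hypothetical): the client_credentials grant authenticates only the client, never an end user, so there is no subject for an ID token and the openid scope cannot be honoured. A token endpoint should therefore refuse that combination with an RFC 6749 section 5.2 error code up front instead of failing inside the ID-token issuer. The second function checks a token response against that section and flags the "server_error" body quoted in the report, which is not one of the token-endpoint error codes.

```python
"""Scope handling for the client_credentials grant at an OAuth2 token endpoint.

Added example, not OpenAM's code. The client registry, handler and checker
are hypothetical; MyClientId/password are the report's placeholder values.
"""
import json
import uuid
from typing import Optional
from urllib.parse import parse_qs

# Error codes a token endpoint may return (RFC 6749 section 5.2).
TOKEN_ENDPOINT_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}

# Constructed client registry for the example.
CLIENTS = {"MyClientId": {"secret": "password", "scopes": {"openid", "profile"}}}


def handle_client_credentials(body: str) -> tuple:
    """Hypothetical token endpoint for grant_type=client_credentials.

    Returns (http_status, json_body). Other grant types are out of scope here.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None or client["secret"] != params.get("client_secret"):
        return 401, {"error": "invalid_client"}
    requested = set(params.get("scope", "").split())
    if "openid" in requested:
        # No resource owner is authenticated in this grant, so there is no
        # subject for an ID token. Refuse the scope with a spec error code
        # rather than letting the OIDC issuer fail later with server_error.
        return 400, {"error": "invalid_scope",
                     "error_description": "openid requires an authenticated end user"}
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    granted = requested or (client["scopes"] - {"openid"})
    return 200, {"scope": " ".join(sorted(granted)), "expires_in": 3599,
                 "token_type": "Bearer", "access_token": str(uuid.uuid4())}


def check_token_response(body: dict, grant_type: str, status: Optional[int] = None) -> list:
    """Client-side checks on a token-endpoint response; returns a list of findings."""
    findings = []
    if "error" in body:
        if body["error"] not in TOKEN_ENDPOINT_ERRORS:
            findings.append(f"error code '{body['error']}' is not a token-endpoint error (RFC 6749 s5.2)")
        if status is not None and status not in (400, 401):
            findings.append(f"error response used HTTP {status}; expected 400, or 401 for invalid_client")
    else:
        if "access_token" not in body or str(body.get("token_type", "")).lower() != "bearer":
            findings.append("success response lacks a Bearer access_token")
        if grant_type == "client_credentials" and "id_token" in body:
            findings.append("id_token issued for client_credentials, which has no end user")
    return findings


# The error body quoted in the report, re-typed here as test input.
REPORTED = json.loads('{"error":"server_error",'
                      '"error_description":"User must be authenticated to issue ID tokens."}')

if __name__ == "__main__":
    req = "grant_type=client_credentials&scope=openid&client_id=MyClientId&client_secret=password"
    print(handle_client_credentials(req))
    print(check_token_response(REPORTED, "client_credentials"))
```

Run against the request from the report's curl command, the handler answers with invalid_scope and HTTP 400, while the profile-only request gets a Bearer access token and no id_token. The checker does not need the server's HTTP status (the report does not record it); passing one enables the status check too.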

People

    • Assignee: Quentin CASTEL (quentin.castel, inactive)
    • Reporter: Joe Starling (joe.starling)
    • Votes: 0
    • Watchers: 5


Time Tracking

    • Original Estimate: 3h
    • Time Spent: 2h
    • Remaining Estimate: 1h