- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 13.0.0
- Component/s: OpenID Connect
- Labels:
Set up an OpenID environment
Send the following request:
curl -X POST -d 'grant_type=client_credentials&scope=openid&client_id=MyClientId&client_secret=password' "http://openam.example.com:58080/openam/oauth2/access_token" -v
Returns:
{"error":"server_error","error_description":"User must be authenticated to issue ID tokens."}
OAuth2Provider debug:
WARNING: Error authenticating user against OpenAM:
com.iplanet.sso.SSOException: Invalid session ID.
    at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:131)
    at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:296)
    at org.forgerock.openam.oauth2.OpenAMResourceOwnerSessionValidator.validate(OpenAMResourceOwnerSessionValidator.java:141)
    at org.forgerock.openidconnect.OpenIDTokenIssuer.issueToken(OpenIDTokenIssuer.java:82)
    at org.forgerock.openam.oauth2.OpenAMScopeValidator.additionalDataToReturnFromTokenEndpoint(OpenAMScopeValidator.java:454)
    at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.additionalDataToReturnFromTokenEndpoint(OpenAMOAuth2ProviderSettings.java:469)
    at org.forgerock.oauth2.core.ClientCredentialsGrantTypeHandler.handle(ClientCredentialsGrantTypeHandler.java:84)
    at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:82)
    at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:92)
    at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:87)
    at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Using other scopes (profile) works correctly and gets the expected output:
{"scope":"profile","expires_in":3599,"token_type":"Bearer","access_token":"db85e5ee-4134-451b-b5cb-e93d00dbd371"}
Using different grant types for the openid scope works as expected.
Debug attached.
Is related to:
- OPENAM-7170 Password grant type can't be used with scope openid (Resolved)