OPENAM-8485: Resource owner password grant should continue along an auth chain when the first module fails due to being non-username/pwd based

      Description

      Currently, when the first module of the default authentication chain does not require a username and password, requesting an access token with the password grant flow fails.

      We should allow authentication to continue down the chain until it reaches an appropriate module.

      Current behaviour:

      • Create a default authentication chain with WDSSO SUFFICIENT as the first module and DataStore REQUIRED as the second.
      • Attempt a login with the password grant:

        curl -X POST --user "myOauth2Client:oauth2client" --data "grant_type=password&username=demo&password=changeit&scope=openid" http://oauth2provider.example.net:48080/openam/oauth2/access_token -v

      • Response: {"error":"server_error","error_description":"Internal Server Error"}

      Comments from OPENAM-4177:

      org/forgerock/openam/oauth2/provider/AbstractIdentityVerifier.java retrieves AuthContext, and that has information about the auth chain. The thing that's stopping AbstractIdentifier#authenticate from going through the chain is:

        // there's missing requirements not filled by this
        if (missing.size() > 0) {
            throw new ResourceException(Status.SERVER_ERROR_INTERNAL,
                    "Missing requirements");
        }

      from /openam-oauth2/src/main/java/org/forgerock/openam/oauth2/OpenAMResourceOwnerAuthenticator.java.

      Adding an 'auth_chain' parameter can get around this successfully by specifying a different chain to use; however, it is not compliant, and the authentication method should be transparent: the client should not know about different methods.

      Also attempted to use the 'acr_values' parameter mapped to different authentication chains, as this is standards compliant. It works for the authorize endpoint, but not for access_token.
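      The following is an added example and is not code from OpenAM or from this issue. It models in Python the JAAS control-flag semantics (REQUIRED / REQUISITE / SUFFICIENT / OPTIONAL) that an OpenAM authentication chain follows, and contrasts today's behaviour (abort with server_error as soon as a module asks for a callback the password grant cannot fill) with continuing down the chain. The Module class, the callback tags such as "KerberosTicket", the chain evaluator and the mapping to server_error / invalid_grant are assumptions made for the illustration.

```python
"""Added example (not OpenAM code): a model of an authentication chain
driven by the resource owner password grant, using JAAS control-flag
semantics.  Module, the callback tags and the error mapping are
constructed for illustration."""

from dataclasses import dataclass
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must pass; the chain continues regardless
    REQUISITE = "REQUISITE"    # must pass; the chain stops on failure
    SUFFICIENT = "SUFFICIENT"  # a pass ends the chain early unless a REQUIRED module failed
    OPTIONAL = "OPTIONAL"      # only matters when nothing else decides the outcome


# The password grant can only fill these two JAAS callbacks.
FILLABLE = frozenset({"NameCallback", "PasswordCallback"})


@dataclass
class Module:
    name: str
    flag: Flag
    requires: frozenset  # callback kinds the module would raise (tags are constructed)
    accepts: dict        # {username: password} the hypothetical module verifies


class MissingRequirements(Exception):
    """Raised on the 'Missing requirements' path quoted in the issue."""


def run_module(module, username, password, skip_unsatisfiable):
    """Verdict of one module given only a username and password."""
    missing = module.requires - FILLABLE
    if missing:
        if not skip_unsatisfiable:
            raise MissingRequirements(f"{module.name} needs {sorted(missing)}")
        return False  # count it as a failed attempt and let the control flag decide
    return module.accepts.get(username) == password


def run_chain(chain, username, password, skip_unsatisfiable):
    """Evaluate the chain with JAAS control-flag semantics.
    Returns ('success', names_of_passing_modules) or ('invalid_grant', ())."""
    required_failed = False
    passed = []
    for module in chain:
        ok = run_module(module, username, password, skip_unsatisfiable)
        if ok:
            passed.append(module.name)
        if module.flag is Flag.REQUISITE and not ok:
            return ("invalid_grant", ())
        if module.flag is Flag.REQUIRED and not ok:
            required_failed = True
        if module.flag is Flag.SUFFICIENT and ok and not required_failed:
            return ("success", tuple(passed))
    if required_failed or not passed:
        return ("invalid_grant", ())
    return ("success", tuple(passed))


def password_grant(chain, username, password, skip_unsatisfiable):
    """Map the chain result to a token-endpoint style response (constructed)."""
    try:
        status, passed = run_chain(chain, username, password, skip_unsatisfiable)
    except MissingRequirements as exc:
        # Today's behaviour from the issue: the exception surfaces as a 500.
        return {"error": "server_error",
                "error_description": "Internal Server Error",
                "cause": str(exc)}
    if status == "success":
        return {"access_token": "constructed-token", "authenticated_by": passed}
    return {"error": "invalid_grant"}


# Constructed chain mirroring the issue's reproduction steps.
WDSSO = Module("WDSSO", Flag.SUFFICIENT, frozenset({"KerberosTicket"}), {})
DATASTORE = Module("DataStore", Flag.REQUIRED, FILLABLE, {"demo": "changeit"})
ISSUE_CHAIN = (WDSSO, DATASTORE)

if __name__ == "__main__":
    print(password_grant(ISSUE_CHAIN, "demo", "changeit", skip_unsatisfiable=False))
    print(password_grant(ISSUE_CHAIN, "demo", "changeit", skip_unsatisfiable=True))
    print(password_grant(ISSUE_CHAIN, "demo", "wrong", skip_unsatisfiable=True))
```

      With skip_unsatisfiable=False the WDSSO module raises and the grant answers server_error, as in the curl output above; with it enabled the chain falls through to DataStore and the outcome is decided by the password check. The evaluator also shows the limit of "continue down the chain": a non-password module flagged REQUIRED or REQUISITE still fails the request, so skipping never weakens a chain that mandates something the grant cannot supply.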

      Reporter: Joe Starling (joe.starling)