
RS256 tokenInfo does not work after upgrade from 13.0.0 to 13.5

    Details

      Description

      RS256 tokenInfo does not work after upgrade from 13.0.0 to 13.5. I am not able to reproduce this case with an upgrade from 12.0.3 to 13.5.

      This issue causes a failure in the test com.forgerock.openam.functionaltest.oauth2.openidconnect.IDTokenInfoEndpoint when the client signing algorithm is RS256.

      When the token is read, it causes a 400.

      Request method:	POST
      Request path:	http://riso-centos7.test.forgerock.com:8080/openam/oauth2/idtokeninfo
      Request params:	id_token=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogIlN5bExDNk5qdDFLR1FrdEQ5TXQrMHpjZVFTVT0iIH0.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.PFaO9H-Nx0wfeByy_RqrQXhj6S2o_qmla-EtxRsuDs2afRmPWJNc6YwOxvJmYRZZyUFVVJk0fEQGKvPoetOV-hFaLVunUsUYuycGweMFgiXWs6-_xfMRjyARgB7BR52WSQPTnhAaPc_hsAHxH0mBAjdmnmD6MfjY_pq1uYhXSyo
      				client_secret=generated-secret-MLF4K1MNxKSUnD6
      				client_id=generated-id-onlLkBEuVQG7lm3
      Query params:	<none>
      Form params:	<none>
      Path params:	<none>
      Headers:		Content-Type=*/*
      Cookies:		<none>
      Body:			<none>
      

      Observed response

      HTTP/1.1 400 Bad Request
      Date: Fri, 15 Jul 2016 12:38:14 GMT
      Accept-Ranges: bytes
      Server: Restlet-Framework/2.3.4
      Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
      Content-Type: application/json
      Transfer-Encoding: chunked
      Connection: close
      
      {
          "error": "server_error",
          "error_description": "server_error"
      }
      

      Expected response

      {
          "tokenName": "id_token",
          "azp": "generated-id-vlhg55vpwpni5BW",
          "sub": "generated-username-WpBYz7G7DdB1HpU",
          "at_hash": "HvCSUI_fb1WRRpyVYjUHvg",
          "iss": "http://centos6-64.example.com:9080/openam/oauth2/generated-K1lKDwDOwdHjI1z",
          "org.forgerock.openidconnect.ops": "109b3946-a327-4baa-b941-6755dec688c0",
          "iat": 1468580796,
          "auth_time": 1468580796,
          "exp": 1468584396,
          "tokenType": "JWTToken",
          "auditTrackingId": "509ae356-9e42-4b98-a467-b1952da8147b-838",
          "realm": "/generated-K1lKDwDOwdHjI1z",
          "aud": "generated-id-vlhg55vpwpni5BW"
      }
      
      OAuth2 provider debug log
      OAuth2Provider:07/15/2016 01:33:07:380 PM BST: Thread[http-bio-8080-exec-5,5,main]: TransactionId[303ca915-5ae9-4bbd-806f-f8f1a5635bf4-2383]
      ERROR: Unable to get Client Bearer Jwt Public key from repository
      No Client Bearer Jwt Public key certificate set (400) - The authorization server encountered an unexpected condition which prevented it from fulfilling the request.
      	at org.forgerock.openam.oauth2.OAuthProblemException$OAuthError.handle(OAuthProblemException.java:146)
      	at org.forgerock.openam.oauth2.OpenAMClientRegistration.byX509Key(OpenAMClientRegistration.java:779)
      	at org.forgerock.openam.oauth2.OpenAMClientRegistration.verifyJwtIdentity(OpenAMClientRegistration.java:676)
      	at org.forgerock.openidconnect.restlet.IdTokenInfo.validateIdToken(IdTokenInfo.java:168)
      	at org.forgerock.openidconnect.restlet.IdTokenInfo.validateIdToken(IdTokenInfo.java:114)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
      	at org.restlet.resource.ServerResource.post(ServerResource.java:1377)
      	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:620)
      	at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
      	at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
      	at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
      	at org.restlet.resource.Finder.handle(Finder.java:236)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:121)
      	at org.restlet.routing.Router.handle(Router.java:639)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      	at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:75)
      	at org.restlet.Application.handle(Application.java:385)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.restlet.routing.Router.handle(Router.java:639)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.routing.Router.doHandle(Router.java:422)
      	at org.restlet.routing.Router.handle(Router.java:639)
      	at org.restlet.routing.Filter.doHandle(Filter.java:150)
      	at org.restlet.routing.Filter.handle(Filter.java:197)
      	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
      	at org.restlet.Component.handle(Component.java:408)
      	at org.restlet.Server.handle(Server.java:507)
      	at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
      	at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
      	at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
      	at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:130)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      	at java.lang.Thread.run(Thread.java:745)
      
      IdRepo debug log
      amAgentsRepo:07/15/2016 01:33:10:597 PM BST: Thread[smIdmThreadPool,5,main]: TransactionId[303ca915-5ae9-4bbd-806f-f8f1a5635bf4-87]
      ERROR: AgentsRepo.sendNotificationSet(): Unable to send notification due to Message:Plug-in com.sun.identity.idm.plugins.internal.AgentsRepo: Unable to read attributes.
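
An added Python pre-check that is not part of this bug report and not OpenAM code: it decodes the JOSE header of the id_token sent in the request above (the header segment is the page's own; the payload and signature segments of the page's token are not reproduced, so the example assembles its own, unsigned ones from the claims in the expected response) and looks the token's `kid` up in a constructed stand-in for the client registrations the server consults. Which client has a certificate registered, and that the registry is keyed by this `kid` format, are assumptions made for the example; the point is to see which alg/kid the token names before blaming the endpoint, and to reproduce the "no public key certificate for this client" condition locally.

```python
import base64
import json

# First ('.'-separated) segment of the id_token parameter in the bug report's request,
# i.e. the JOSE header. The payload and signature segments of that token are not
# reproduced here; the example builds its own (constructed, unsigned) ones below.
PAGE_HEADER_SEGMENT = (
    "eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogIlN5bExDNk5qdDFLR1FrdEQ5TXQrMHpjZVFTVT0iIH0"
)

# Constructed stand-in for the per-client registrations the server consults: for each
# client_id, the set of kids that have a JWT public key certificate stored. The first
# client_id is the page's; that the registry is keyed by this kid format is an assumption.
CLIENT_KEYS = {
    "generated-id-onlLkBEuVQG7lm3": set(),                              # certificate not readable
    "hypothetical-client-with-cert": {"SylLC6Njt1KGQktD9Mt+0zceQSU="},  # hypothetical client
}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwt_header(token: str) -> dict:
    """Read the JOSE header of a compact JWS without verifying the signature.

    Nothing here trusts the token: the header only tells us which alg/kid the
    token claims, so the caller knows which registered key to look for."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[0]))


def diagnose_tokeninfo_request(token: str, client_id: str, client_keys=CLIENT_KEYS) -> dict:
    """Classify why an idtokeninfo call for this token/client would succeed or fail."""
    header = parse_jwt_header(token)
    alg, kid = header.get("alg"), header.get("kid")
    result = {"alg": alg, "kid": kid}
    if not alg or alg.lower() == "none":
        result["status"] = "unsigned"      # must be rejected outright
    elif alg.startswith("HS"):
        result["status"] = "symmetric"     # verified with client_secret, no certificate lookup
    elif kid in client_keys.get(client_id, set()):
        result["status"] = "ok"            # a certificate is registered for this kid
    else:
        # Same condition as the page's "No Client Bearer Jwt Public key certificate set".
        result["status"] = "missing_key"
    return result


def make_token(header_segment: str, payload: dict) -> str:
    """Assemble a compact JWS from a ready-made header segment and a payload.

    The signature segment is a constructed placeholder; the token is NOT validly signed."""
    return ".".join([
        header_segment,
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"constructed-signature-placeholder"),
    ])


def build_example_token() -> str:
    # Payload claims copied from the page's expected response (values are the page's own).
    payload = {
        "iss": "http://centos6-64.example.com:9080/openam/oauth2/generated-K1lKDwDOwdHjI1z",
        "sub": "generated-username-WpBYz7G7DdB1HpU",
        "aud": "generated-id-vlhg55vpwpni5BW",
        "iat": 1468580796,
        "exp": 1468584396,
    }
    return make_token(PAGE_HEADER_SEGMENT, payload)


if __name__ == "__main__":
    token = build_example_token()
    print(parse_jwt_header(token))
    print(diagnose_tokeninfo_request(token, "generated-id-onlLkBEuVQG7lm3"))
    print(diagnose_tokeninfo_request(token, "hypothetical-client-with-cert"))
```

Decoding the page's header segment gives `alg` RS256 and `kid` `SylLC6Njt1KGQktD9Mt+0zceQSU=`, so the server's verification path does need a registered certificate for that client; with none readable after the upgrade, the lookup fails before any signature check runs, which is consistent with the `byX509Key` frame in the stack trace and the AgentsRepo "Unable to read attributes" error.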
      

              People

                Assignee: Unassigned
                Reporter: Richard Hruza
                QA Assignee: Richard Hruza