OPENAM-9533: DNS alias overrides the realm query parameter passed in the URL when requesting OAuth2 access token

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.0
    • Fix Version/s: 13.5.1
    • Component/s: oauth2

      Description

      Specifying a DNS alias appears to override the realm query parameter passed in the URL when requesting an OAuth2 access token.

      To reproduce currently observed behaviour on 13.0 or 13.5:

      1). Set up two realms 'abc' and 'xyz':

      /abc (with DNS alias entry abc.example.com)
      /xyz (with DNS alias entry xyz.example.com)
      

      Configure 'xyz' to use a standalone LDAP server for the datastore for testing.

      2). Verify the user in LDAP can log in to the console in the 'xyz' realm but not to the 'abc' realm.

      3). Set up an OAuth2 client in 'xyz' and then execute the following request:

      curl -X POST -u "oauth2client:Welcome1" -d "grant_type=password&username=test1&password=Welcome1&scope=mail" "http://xyz.example.com:8080/OpenAM-13.0.0/oauth2/access_token?realm=xyz" 
      
      {"access_token":"fa531e0b-1ed6-46ad-9838-84d2a5c8a1ec","scope":"mail","token_type":"Bearer","expires_in":3599}
      

      ...this is successful.

      4). Send the request to abc.example.com instead but specify the realm query parameter as xyz:

      curl -X POST -u "oauth2client:Welcome1" -d "grant_type=password&username=test1&password=Welcome1&scope=mail" "http://abc.example.com:8080/OpenAM-13.5.0/oauth2/access_token?realm=xyz" 
      
      {"error_description":"Configuration error","error":"server_error"}
      

      The following is seen in the CoreSystem log:

      ERROR: BaseURLProvider Configuration error: Realm /xyz is not a subrealm or same as /abc, from base url provider hostname abc.example.com as dns alias
      

      Expected behaviour:

      Specifying the realm query parameter should have precedence over the DNS alias.
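      The precedence rule behind the CoreSystem log message, as an added illustrative model written for this issue (it is not OpenAM's own code). It treats the realm mapped from the request host's DNS alias as the default realm and, as observed on 13.0/13.5, rejects a realm query parameter that is neither that realm nor one of its subrealms with the same "Configuration error" response shown above; with `query_param_wins=True` it applies the expected behaviour, in which the explicit query parameter takes precedence. The alias table, the `is_same_or_subrealm` helper and all function names are assumptions made for the example.

```python
"""Model of realm resolution for an OAuth2 endpoint reached via a DNS alias.

Illustrative code added for OPENAM-9533, not OpenAM's implementation.  It
reproduces the two precedence rules described in the report:
  * observed (13.0/13.5): the realm derived from the DNS alias wins, and a
    realm query parameter outside that realm's subtree is a configuration
    error;
  * expected: an explicit realm query parameter takes precedence.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed DNS alias table (assumption: aliases configured as in the
# reproduction steps, mapping hostname -> realm path).
DNS_ALIASES = {
    "abc.example.com": "/abc",
    "xyz.example.com": "/xyz",
}


class ConfigurationError(Exception):
    """Raised when the requested realm conflicts with the DNS alias realm."""


def normalize_realm(realm):
    """'xyz', '/xyz' and '/xyz/' all become '/xyz'; '' becomes the root '/'."""
    return "/" + realm.strip("/")


def is_same_or_subrealm(candidate, parent):
    """True if candidate equals parent or lies beneath it in the realm tree."""
    if parent == "/":
        return True  # everything is under the root realm
    return candidate == parent or candidate.startswith(parent + "/")


def resolve_realm(url, query_param_wins=False):
    """Return the realm path a token request to `url` would be served from.

    With query_param_wins=False this models the observed behaviour and raises
    ConfigurationError when the realm query parameter is outside the alias
    realm; with query_param_wins=True the query parameter is used as-is.
    """
    parts = urlsplit(url)
    host = parts.hostname
    alias_realm = DNS_ALIASES.get(host, "/")  # unaliased host -> root realm
    query_values = parse_qs(parts.query).get("realm")
    if not query_values:
        return alias_realm
    query_realm = normalize_realm(query_values[0])
    if query_param_wins:
        return query_realm
    if not is_same_or_subrealm(query_realm, alias_realm):
        # Same wording as the CoreSystem log line quoted in the report.
        raise ConfigurationError(
            f"Realm {query_realm} is not a subrealm or same as {alias_realm}, "
            f"from base url provider hostname {host} as dns alias")
    return query_realm


def token_endpoint(url, query_param_wins=False):
    """Return the realm the request resolves to, or the error body the report
    shows when the observed precedence rule rejects the realm."""
    try:
        return {"realm": resolve_realm(url, query_param_wins)}
    except ConfigurationError:
        return {"error_description": "Configuration error",
                "error": "server_error"}


if __name__ == "__main__":
    ok = "http://xyz.example.com:8080/OpenAM-13.0.0/oauth2/access_token?realm=xyz"
    bad = "http://abc.example.com:8080/OpenAM-13.5.0/oauth2/access_token?realm=xyz"
    print("step 3 (xyz alias, realm=xyz):", token_endpoint(ok))
    print("step 4 observed (abc alias, realm=xyz):", token_endpoint(bad))
    print("step 4 expected:", token_endpoint(bad, query_param_wins=True))
```

      Running the block prints the step 3 request resolving to /xyz, the step 4 request producing the server_error body under the observed rule, and the same request resolving to /xyz once the query parameter is given precedence.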

              People

              • Assignee: quentin.castel Quentin CASTEL (Inactive)
              • Reporter: andy.itter Andy Itter
              • Votes: 1
              • Watchers: 8
