OPENAM-9940: OpenID Authorization Code Flow fails to get sessionID from request in 12.0.4

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 12.0.4
    • Fix Version/s: 12.0.5
    • Component/s: oauth2
    • Labels:
    • Sprint:
      AM Sustaining Sprint 30
    • Support Ticket IDs:

      Description

      Steps to reproduce using Tomcat 7 and OpenAM 12.0.4.
      This does not affect 12.0.3, 13.0.0 or 13.5.0.

      1) Configure the OAuth2 provider using Common Tasks and create an OAuth2 agent, specifying the openid scope.

      2) Make authorization request to get Authorization code

      http://openam.example.com:8080/openam/oauth2/authorize?response_type=code&scope=openid&client_id=myoauthclient&redirect_uri=https%3A%2F%2Fwww.google.co.uk
      

      3) Click allow on consent page and copy auth code.
      4) Use auth code to request access token using curl

      curl -X POST --user "myoauthclient:password" -H "Cache-Control: no-cache" -d 'grant_type=authorization_code&code=a..13&redirect_uri=https%3A%2F%2Fwww.google.co.uk' http://openam.example.com:8080/openam/oauth2/access_token

      Expected result:
      An access token is returned.

      Observed result:
      The server returns the following error:

      400 Bad Request
      {"error_description":"User must be authenticated to issue ID tokens.","error":"server_error"}

      In the log:
      message: User must be authenticated to issue ID tokens.
      stack trace:
      org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired: The request requires a redirect.
      at org.forgerock.openam.oauth2.OpenAMResourceOwnerSessionValidator.authenticationRequired(OpenAMResourceOwnerSessionValidator.java:282)
      at org.forgerock.openam.oauth2.OpenAMResourceOwnerSessionValidator.validate(OpenAMResourceOwnerSessionValidator.java:190)
      at org.forgerock.openidconnect.OpenIDTokenIssuer.issueToken(OpenIDTokenIssuer.java:81)
      at org.forgerock.openam.oauth2.OpenAMScopeValidator.additionalDataToReturnFromTokenEndpoint(OpenAMScopeValidator.java:323)
      at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.additionalDataToReturnFromTokenEndpoint(OpenAMOAuth2ProviderSettings.java:453)
      at org.forgerock.oauth2.core.AuthorizationCodeGrantTypeHandler.handle(AuthorizationCodeGrantTypeHandler.java:146)
      at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:88)
      at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:79)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
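      The steps above (authorization request, code extraction, token exchange) and the observed failure, as an added example that is not part of this issue or of OpenAM's own code. It builds the same requests the report issues with curl and classifies the token endpoint reply, treating the exact error_description from the report as the session-lookup failure and flagging a 200 reply that carries an access_token but no id_token when openid was requested. The host, client id, redirect URI and client secret are the values used in the reproduction steps; the state value and the function names are assumptions of this example.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the reproduction steps; "password" is the secret used in
# the curl --user argument, not a real credential.
OPENAM_BASE = "http://openam.example.com:8080/openam/oauth2"
CLIENT_ID = "myoauthclient"
CLIENT_SECRET = "password"
REDIRECT_URI = "https://www.google.co.uk"

# Exact message OpenAM 12.0.4 returns when the token endpoint cannot find the
# resource owner's session while minting an ID token (from the report).
ID_TOKEN_SESSION_MSG = "User must be authenticated to issue ID tokens."


def build_authorize_url(client_id, redirect_uri, scope="openid", state=None):
    """Step 2: the authorization request that yields the code."""
    params = {
        "response_type": "code",
        "scope": scope,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if state is not None:
        params["state"] = state  # assumption: caller supplies a random state
    return OPENAM_BASE + "/authorize?" + urlencode(params)


def extract_code(redirected_url, expected_state=None):
    """Step 3: pull the code out of the redirect back to redirect_uri."""
    query = parse_qs(urlparse(redirected_url).query)
    if "error" in query:
        raise ValueError("authorization error: %s" % query["error"][0])
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 4: headers and form body for the authorization_code grant."""
    creds = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Cache-Control": "no-cache",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return headers, body


def classify_token_response(status, body_text, scope="openid"):
    """Interpret the token endpoint reply; returns (verdict, detail)."""
    body = json.loads(body_text)
    if status == 200 and "access_token" in body:
        # A client that asked for openid must get an id_token back; a bare
        # access token on a 200 means the OIDC part of the flow is broken.
        if "openid" in scope.split() and "id_token" not in body:
            return ("missing_id_token", "openid requested but no id_token returned")
        return ("ok", body["access_token"])
    description = body.get("error_description", "")
    if description == ID_TOKEN_SESSION_MSG:
        return ("id_token_session_lookup_failed", body.get("error"))
    return ("error", body.get("error"))


if __name__ == "__main__":
    # Constructed redirect and token replies standing in for the live server.
    url = build_authorize_url(CLIENT_ID, REDIRECT_URI, state="s1")
    code = extract_code(REDIRECT_URI + "/?code=a..13&state=s1", expected_state="s1")
    headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    reported = '{"error_description":"User must be authenticated to issue ID tokens.","error":"server_error"}'
    print(url)
    print(headers["Authorization"], body)
    print(classify_token_response(400, reported))
```

      The classifier is deliberately strict about a 200 reply: a client that only checks for access_token would treat a regression of this kind as success, so the openid/id_token check is what makes the failure visible on the client side before the server log is consulted.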
              People

              • Assignee: jonthomas Jonathan Thomas
              • Reporter: jonthomas Jonathan Thomas