OpenIDM / OPENIDM-15546

Access token containing subject not found by rsFilter results in anonymous

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0, 7.0.1
    • Fix Version/s: 7.1.0
    • Labels:
    • Target Version/s:
    • Story Points:
      2
    • Sprint:
      2020.13 - IDM, 2020.14 - IDM

      Description

      1) Create a new OAuth 2 client (test_id) in AM with a client secret (test_secret), and update "Grant Types" for this client to include "Client Credentials". Be sure "fr:idm:*" is listed as a scope.

      2) Make a client credential grant using your new client:

      curl -u test_id:test_secret --data 'grant_type=client_credentials&scope=fr:idm:*' https://default.iam.forgeops.com/am/oauth2/access_token

      {"access_token":"60WGcMwJbuwAC__TProLBm8vsVo","scope":"fr:idm:*","token_type":"Bearer","expires_in":3599}

      3) Introspect the above access token:

      curl -u test_id:test_secret --data 'token=60WGcMwJbuwAC__TProLBm8vsVo' https://default.iam.forgeops.com/am/oauth2/introspect

      {
        "active": true,
        "scope": "fr:idm:*",
        "realm": "/",
        "client_id": "test_id",
        "user_id": "test_id",
        "token_type": "Bearer",
        "exp": 1601074642,
        "sub": "test_id",
        "iss": "http://default.iam.forgeops.com:80/am/oauth2",
        "authGrantId": "u9aplCY3Y_GpVCm76WEKWV0qv-A",
        "auditTrackingId": "8793473d-e94c-4262-b1d5-24c8886e8a01-8076"
      }

      As the introspection response shows, the subject is "test_id", i.e. the client itself. Presumably this subject is not valid in your local IDM-with-rsFilter setup, since there is no user with that name.

      4) Submit the token to IDM:

      curl -H 'Authorization: Bearer 60WGcMwJbuwAC__TProLBm8vsVo' https://default.iam.forgeops.com/openidm/info/login

      Expected result:
      401 - user not authenticated

      Actual result:
      200:

      {"_id":"login","authenticationId":"anonymous","authorization":{"id":"anonymous","roles":["internal/role/openidm-reg"],"component":"internal/user"}}
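      The failure mode above is a fail-open default: the bearer token is valid, but the subject it names cannot be resolved to a local user, and instead of rejecting the request the filter degrades it to the anonymous context. The following is an added illustration written for this page, not OpenIDM's rsFilter code. It models the token checks and subject lookup in Python with constructed names (`authenticate`, `KNOWN_SUBJECTS`, `AuthResult`) and a constructed local user store, reuses the introspection response from the report, and contrasts the reported behaviour (anonymous on unknown subject) with the expected one (401).

```python
"""Fail-closed subject resolution for a bearer-token resource-server filter.

Constructed model of the behaviour described in OPENIDM-15546; it is not
OpenIDM's rsFilter implementation. authenticate(), KNOWN_SUBJECTS and
AuthResult are names invented for this illustration.
"""
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Introspection response from the report for the client-credentials token.
# Note that "sub" is the OAuth client id, not an IDM user.
INTROSPECTION_JSON = """{
  "active": true,
  "scope": "fr:idm:*",
  "realm": "/",
  "client_id": "test_id",
  "user_id": "test_id",
  "token_type": "Bearer",
  "exp": 1601074642,
  "sub": "test_id",
  "iss": "http://default.iam.forgeops.com:80/am/oauth2"
}"""

# Constructed local subject store standing in for the users the filter would
# look up; "test_id" is deliberately absent, as in the report.
KNOWN_SUBJECTS: Dict[str, dict] = {
    "bjensen": {"id": "bjensen", "component": "managed/user",
                "roles": ["internal/role/openidm-authorized"]},
}

# The anonymous security context the report shows IDM falling back to.
ANONYMOUS = {"id": "anonymous", "roles": ["internal/role/openidm-reg"],
             "component": "internal/user"}


@dataclass
class AuthResult:
    status: int                        # HTTP status the filter would produce
    authentication_id: Optional[str]   # None when the request is rejected
    authorization: Optional[dict]


def token_is_usable(intro: dict, required_scope: str, now: float) -> bool:
    """Checks that precede any subject lookup: active, unexpired, in scope."""
    if not intro.get("active"):
        return False
    if intro.get("exp", 0) <= now:
        return False
    # Introspection returns scopes as a space-separated string.
    return required_scope in intro.get("scope", "").split()


def authenticate(intro: dict, subjects: Dict[str, dict] = KNOWN_SUBJECTS, *,
                 fail_closed: bool, required_scope: str = "fr:idm:*",
                 now: Optional[float] = None) -> AuthResult:
    """Resolve the token's subject; fail_closed selects the expected behaviour."""
    now = time.time() if now is None else now
    if not token_is_usable(intro, required_scope, now):
        return AuthResult(401, None, None)
    user = subjects.get(intro.get("sub", ""))
    if user is not None:
        return AuthResult(200, user["id"], {"id": user["id"],
                                            "roles": list(user["roles"]),
                                            "component": user["component"]})
    if fail_closed:
        # Expected result in the report: a valid token whose subject cannot be
        # resolved is an authentication failure, not a downgraded session.
        return AuthResult(401, None, None)
    # Reported (buggy) behaviour: the request proceeds as anonymous with 200.
    return AuthResult(200, "anonymous", dict(ANONYMOUS))


def reproduce(now: float = 1601070000.0):
    """Return (lenient status, fail-closed status) for the report's token.

    `now` is pinned before the token's exp so the example stays reproducible.
    """
    intro = json.loads(INTROSPECTION_JSON)
    return (authenticate(intro, fail_closed=False, now=now).status,
            authenticate(intro, fail_closed=True, now=now).status)


if __name__ == "__main__":
    lenient, strict = reproduce()
    print(f"lenient filter: {lenient}   fail-closed filter: {strict}")
```

      The design point is that "subject not found" must be treated exactly like "token invalid": both end the request with 401 before any security context is built, so a client-credentials token can never silently acquire the anonymous role set.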

      People

      • Assignee: Jon Branch (jbranch)
      • Reporter: Jake Feasel (jake.feasel)