  1. Identity Gateway
  2. OPENIG-953

ClientRegistration defined in heap cannot be referenced by OAuth2ClientFilter

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.0.0
    • Fix Version/s: 4.5.0, 5.0.0
    • Component/s: None
    • Labels:
    • Environment:
      OS : OSX 10.11.3
      container : Tomcat 8.0.23
      jdk : 1.8.0_73
    • Sprint:
      OpenIG Sprint 80, OpenIG Sprint 81
    • Flagged:
      Impediment

      Description

      Backward compatibility issue: due to the fix for OPENIG-712 (or more probably OPENIG-581), any ClientRegistration defined in the heap is no longer available within the OAuth2ClientFilter.
      Consequently, the following error is logged:

      WARNING Portal --- error="invalid_request", error_description="Authorization OpenID Connect Provider 'myClientRegistration' was not recognized"
      

      Configuration generating the error:

      {
          "condition": "${matches(request.uri.path, '^/static')}", 
          "handler": "dispatcher", 
          "heap": [
              {
                  "config": {
                      "bindings": [
                          {
                              "handler": {
                                  "config": {
                                      "filters": [
                                          {
                                              "MyCapture": "all", 
                                              "config": {
                                                  "clientEndpoint": "/static", 
                                                  "failureHandler": {
                                                      "config": {
                                                          "comment": "Trivial failure handler for debugging only", 
                                                          "entity": "An error occurred:  ${contexts.attributes.attributes.openid.error.error_description} (${contexts.attributes.attributes.openid.error.error})", 
                                                          "reason": "Error", 
                                                          "status": 500
                                                      }, 
                                                      "type": "StaticResponseHandler"
                                                  }, 
                                                  "loginHandler": "NascarPage", 
                                                  "metadata": {
                                                      "client_name": "My Example", 
                                                      "redirect_uris": [
                                                          "http://openig.example.com:18080/static/callback"
                                                      ], 
                                                      "scopes": [
                                                          "openid", 
                                                          "profile", 
                                                          "email"
                                                      ]
                                                  }, 
                                                  "requireHttps": false, 
                                                  "requireLogin": true, 
                                                  "target": "${contexts.attributes.attributes.openid}"
                                              }, 
                                              "name": "Portal", 
                                              "type": "OAuth2ClientFilter"
                                          }
                                      ], 
                                      "handler": {
                                          "comment": "Displays the user info after logging.", 
                                          "config": {
                                              "file": "DumpExchange.groovy", 
                                              "type": "application/x-groovy"
                                          }, 
                                          "name": "displayer", 
                                          "type": "ScriptableHandler"
                                      }
                                  }, 
                                  "name": "MyChain", 
                                  "type": "Chain"
                              }
                          }
                      ]
                  }, 
                  "name": "dispatcher", 
                  "type": "DispatchHandler"
              }, 
              {
                  "config": {
                      "entity": "
      <html>
          <head>
              <style>body { background-color: white; margin-left: 25%; margin-top: 25px; }img { padding: 10px; }a { margin-top: 20px; }i { font-size: 9px; }ul { width:760px; margin-bottom:20px; overflow:hidden; }li { float:left; display:inline; }static_issuers { display:inline; }discovery_and_dynamic_registration { display:none; }#double li  { width:50%; }</style>
          </head>
          <body>
              <section>
                  <static_issuers>
                      <h1>Use static providers declared in configuration file</h1>
                      <p>Select a provider by clicking on the image below: </p>
                      <ul id=\"nascarpage_static_issuers\">
                          <li>
                              <a href=\"/static/login?registration=openamPortal&amp;goto=${contexts.router.originalUri}\">
                                  <img id=\"openam_login\" src=\"/img/openam_resized.png\"/>
                              </a>
                          </li>
                      </ul>
                  </static_issuers>
                  <discovery_and_dynamic_registration>
                      <h1>Use discovery and dynamic client registration</h1>
                      <p>
                          Or choose another one by typing his host or directly your email address :
                          <form action=\"/static/login?\">
                              <input id=\"discovery_area\" name=\"discovery\" size=\"35\" type=\"text\" value=\"http://app.example.com:8080\"/>
                              <input name=\"goto\" type=\"hidden\" value=\"${contexts.router.originalUri}\"/>
                              <i>
                                  See 
                                  <a href=\"http://openid.net/specs/openid-connect-discovery-1_0.html\">OpenID Connect Discovery</a>
                                   for valid input
                              </i>
                          </form>
                      </p>
                      <p>${contexts.attributes.attributes.error}</p>
                  </discovery_and_dynamic_registration>
              </section>
          </body>
      </html>
      ", 
                      "status": 200
                  }, 
                  "name": "NascarPage", 
                  "type": "StaticResponseHandler"
              }, 
              {
                  "config": {
                      "file": "/tmp/openig/log_and_captures/openig_log.txt", 
                      "level": "DEBUG"
                  }, 
                  "name": "CaptureLogSink", 
                  "type": "FileLogSink"
              }, 
              {
                  "config": {
                      "captureEntity": true, 
                      "captureExchange": true, 
                      "logSink": "CaptureLogSink"
                  }, 
                  "name": "MyCapture", 
                  "type": "CaptureDecorator"
              }, 
              {
                  "config": {
                      "clientId": "clientOIDC", 
                      "clientSecret": "password", 
                      "issuer": "OpenAM", 
                      "scopes": [
                          "openid", 
                          "profile", 
                          "email"
                      ], 
                      "tokenEndpointUseBasicAuth": true
                  }, 
                  "name": "openamPortal", 
                  "type": "ClientRegistration"
              }, 
              {
                  "config": {
                      "wellKnownEndpoint": "http://openam.example.com:8081/openam/oauth2/.well-known/openid-configuration"
                  }, 
                  "name": "OpenAM", 
                  "type": "Issuer"
              }
          ]
      }
      

      Test in PyForge:

      python run-pybot.py -s oidc -t UI_Static_Client_Registration_Should_Succeed -n openig
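
      A triage check, added here as an example and not part of the original report or of OpenIG's code: before attributing a "was not recognized" error to this regression, confirm that every registration name requested by a login link is declared in the heap as a ClientRegistration and that its issuer resolves to a heap Issuer. The function names and the trimmed route (with one deliberately mismatched name) are assumptions constructed for the example.

```python
import json
import re

# Constructed, trimmed sample modelled on the route above; the second link is a
# deliberately mismatched name so the check has something to report.
SAMPLE_ROUTE = r'''
{"heap": [
  {"name": "NascarPage", "type": "StaticResponseHandler", "config": {"status": 200,
   "entity": "<a href=\"/static/login?registration=openamPortal&amp;goto=x\">A</a>
              <a href=\"/static/login?registration=myClientRegistration\">B</a>"}},
  {"name": "openamPortal", "type": "ClientRegistration",
   "config": {"clientId": "clientOIDC", "issuer": "OpenAM"}},
  {"name": "OpenAM", "type": "Issuer", "config": {"wellKnownEndpoint": "http://openam.example.com:8081/openam/oauth2/.well-known/openid-configuration"}}
]}
'''

def walk(node):
    """Yield every JSON object nested anywhere in the parsed route."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from walk(child)

def check_registrations(route_text):
    """Return findings about registration names that cannot be resolved in the heap."""
    # strict=False accepts raw newlines inside strings, as in the multi-line "entity"
    route = json.loads(route_text, strict=False)
    named = {}  # heap object type -> {name: config}
    for obj in walk(route):
        if isinstance(obj.get("type"), str) and isinstance(obj.get("name"), str):
            named.setdefault(obj["type"], {})[obj["name"]] = obj.get("config") or {}
    regs, issuers = named.get("ClientRegistration", {}), named.get("Issuer", {})
    findings = []
    for obj in walk(route):
        entity = obj.get("entity")
        if not isinstance(entity, str):
            continue
        for name in re.findall(r"[?&](?:amp;)?registration=([^&\"'\s]+)", entity):
            if name not in regs:
                findings.append(f"login link requests unknown registration '{name}'")
    for name, cfg in regs.items():
        issuer = cfg.get("issuer")
        if isinstance(issuer, str) and issuer not in issuers:
            findings.append(f"registration '{name}' names unknown issuer '{issuer}'")
    return findings
```

      An empty result means the names in the route are consistent, so a remaining "was not recognized" error points at the gateway rather than at the configuration.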
      


              People

              • Assignee:
                violette Violette Roche Montane
                Reporter:
                jcdevil Jean-Charles Deville