[OPENAM-10584] Supported claims and scopes in OAuth2|OpenID provider are not hot swappable Created: 09/Feb/17  Updated: 18/Mar/19

Status: Open
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: 13.5.0, 14.0.0
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Quentin CASTEL [X] (Inactive) Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: AME, Should-Fix
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified



If you modify the Supported scopes or Supported claims in the OAuth2|OpenID provider, you will need to restart OpenAM before the change takes effect.

How to reproduce

  • Create an OAuth2|OpenID provider
  • Create an OAuth2 client
  • Do an OAuth2 request:
    curl -X POST \
      -H "Accept: application/x-www-form-urlencoded" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "Cache-Control: no-cache" \
      -H "Postman-Token: 2f339795-3e61-f041-6ec6-0db7b4aa61d7" \
      -d 'client_id=myClientID&client_secret=password&grant_type=password&username=demo&password=changeit&scope=profile openid&claims= {    "userinfo":     {      "given_name": {"essential": true}%2C      "name": null%2C      "email": {"essential": true}%2C     }%2C    "id_token":     {      "azp": {"essential": true}%2C     }   }' \
      "http://openam.example.com:14080/openam/oauth2/access_token"

The azp claim is not in the supported claims by default, so the request fails (that is the correct behaviour).

  • Then add azp to the supported claims
  • Try the request again.

Expected result

You don't get the error "Requested claims must be allowed by the client's configuration"

Actual result

  "error_description": "Requested claims must be allowed by the client's configuration",
  "error": "invalid_request"

Code investigation

RealmOAuth2ProviderSettings does not implement a configuration-change listener but does implement a cache, in particular for these two attributes:

    private Set<String> supportedScopesWithoutTranslations;
    private Set<String> supportedClaimsWithoutTranslations;

I'm also seeing a third, more generic one:

    private final Map<String, Set<String>> attributeCache = new HashMap<String, Set<String>>();

So I'm suspecting scopes and claims are not the only ones affected.
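The following is an added, self-contained illustration of the pattern described in the code investigation; it is not OpenAM's code. ConfigStore, StaleProviderSettings, ReloadingProviderSettings and claimsAllowed are hypothetical stand-ins: the first settings class caches attribute values with no listener (the behaviour the issue reports), the second clears its cache whenever the store signals a change. The demo runs the same claims check before and after an admin edit, and also shows the less obvious consequence of the stale cache: removing a claim from the supported set is ignored until restart, so a tightening of the configuration does not take effect either.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical configuration store standing in for the provider configuration (constructed for this example). */
class ConfigStore {
    private final Map<String, Set<String>> attributes = new HashMap<>();
    private final List<Runnable> listeners = new ArrayList<>();

    synchronized Set<String> read(String name) {
        return new HashSet<>(attributes.getOrDefault(name, Collections.emptySet()));
    }

    synchronized void addListener(Runnable listener) {
        listeners.add(listener);
    }

    /** Admin edit: replace an attribute, then notify listeners outside the lock (avoids lock-order deadlocks). */
    void update(String name, Set<String> values) {
        List<Runnable> snapshot;
        synchronized (this) {
            attributes.put(name, new HashSet<>(values));
            snapshot = new ArrayList<>(listeners);
        }
        for (Runnable listener : snapshot) {
            listener.run();
        }
    }
}

/** Cache with no listener: values read once are served until the JVM restarts (the reported behaviour). */
class StaleProviderSettings {
    private final ConfigStore store;
    private final Map<String, Set<String>> attributeCache = new ConcurrentHashMap<>();

    StaleProviderSettings(ConfigStore store) {
        this.store = store;
    }

    Set<String> getSupportedClaims() {
        return attributeCache.computeIfAbsent("supportedClaims", store::read);
    }
}

/** Same cache, but registered as a listener so a configuration change empties it. */
class ReloadingProviderSettings {
    private final ConfigStore store;
    private final Map<String, Set<String>> attributeCache = new ConcurrentHashMap<>();

    ReloadingProviderSettings(ConfigStore store) {
        this.store = store;
        store.addListener(this::invalidate);
    }

    void invalidate() {
        attributeCache.clear();
    }

    Set<String> getSupportedClaims() {
        return attributeCache.computeIfAbsent("supportedClaims", store::read);
    }
}

public class ClaimsCacheDemo {
    /** Simplified version of the check behind "Requested claims must be allowed by the client's configuration". */
    static boolean claimsAllowed(Set<String> requested, Set<String> supported) {
        return supported.containsAll(requested);
    }

    static Set<String> setOf(String... values) {
        return new HashSet<>(Arrays.asList(values));
    }

    public static void main(String[] args) {
        ConfigStore store = new ConfigStore();
        store.update("supportedClaims", setOf("given_name", "name", "email"));
        StaleProviderSettings stale = new StaleProviderSettings(store);
        ReloadingProviderSettings live = new ReloadingProviderSettings(store);

        // Request from the issue: azp is not supported yet, so both implementations reject it (correct).
        Set<String> requested = setOf("given_name", "name", "email", "azp");
        System.out.println("before edit  stale=" + claimsAllowed(requested, stale.getSupportedClaims())
                + " live=" + claimsAllowed(requested, live.getSupportedClaims()));

        // Admin adds azp: the stale cache keeps rejecting, the reloading cache accepts.
        store.update("supportedClaims", setOf("given_name", "name", "email", "azp"));
        System.out.println("after add    stale=" + claimsAllowed(requested, stale.getSupportedClaims())
                + " live=" + claimsAllowed(requested, live.getSupportedClaims()));

        // Admin removes email: the stale cache still serves the old set, so the tightening is not enforced.
        store.update("supportedClaims", setOf("given_name", "name", "azp"));
        Set<String> emailOnly = setOf("email");
        System.out.println("after remove stale=" + claimsAllowed(emailOnly, stale.getSupportedClaims())
                + " live=" + claimsAllowed(emailOnly, live.getSupportedClaims()));
    }
}
```

Compile and run with `javac ClaimsCacheDemo.java && java ClaimsCacheDemo`; the stale instance answers false/false/true on the three checks while the reloading instance answers false/true/false, which is the difference between the actual and expected results above.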
