[OPENAM-11402] OpenAM does not enforce OAuth2 spec for "Resource Owner Password Credentials Grant" flow Created: 17/Jul/17  Updated: 21/Apr/20  Resolved: 09/Nov/17

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 13.0.0, 13.5.0
Fix Version/s: 13.5.2, 6.0.0, 5.5.2

Type: Bug Priority: Major
Reporter: Bernhard Thalmayr Assignee: Sam Fraser
Resolution: Fixed Votes: 0
Labels: Customer, EDISON
Remaining Estimate: 0h
Time Spent: 6h
Original Estimate: 4h

Issue Links:
Relates
is related to OPENAM-7276 OAuth2 Password grant_type flow ignor... Resolved
is related to OPENAM-15349 Access Token request returns a 500 error Closed
Target Version/s:
Sprint: AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 43, AM Sustaining Sprint 44
Story Points: 3
Needs backport:
No
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
No
Functional tests:
No
Are the reproduction steps defined?:
Yes, and I used the same as in the description

Description

Bug description

OpenAM accepts Resource Owner credentials passed as part of the query string.

How to reproduce the issue

Configure OAuth2 provider and OAuth2 client

Perform the Resource Owner Password Credentials Grant flow, but pass the username and password parameters in the query string instead of the POST body.

Expected behaviour
OpenAM should respond with an error code, as the spec says:


4.3.2.  Access Token Request

   The client makes a request to the token endpoint by adding the
   following parameters using the "application/x-www-form-urlencoded"
   format per Appendix B with a character encoding of UTF-8 in the HTTP
   request entity-body:

   grant_type
         REQUIRED.  Value MUST be set to "password".
   username
         REQUIRED.  The resource owner username.
   password
         REQUIRED.  The resource owner password.
   scope
         OPTIONAL.  The scope of the access request as described by
         Section 3.3.
Current behaviour
OpenAM issues an access token.
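The body-only parsing the spec requires, as an added illustration (not OpenAM's code): `strict_token_params` reads the password grant from the form-encoded entity body only and answers a missing parameter with the `invalid_request` error, shown next to the pre-fix merge behaviour and a small check that flags credentials placed in the URL, where proxies and access logs would record them. The request shapes and the `user3`/`qwerty12` values are constructed to mirror the reproduction steps.

```python
from urllib.parse import parse_qs

# Sample requests mirroring the reproduction steps (constructed, not captured).
BODY_REQUEST = {
    "query": "",
    "content_type": "application/x-www-form-urlencoded",
    "body": "grant_type=password&username=user3&password=qwerty12&realm=/",
}
QUERY_REQUEST = {
    "query": "grant_type=password&username=user3&password=qwerty12",
    "content_type": "application/x-www-form-urlencoded",
    "body": "grant_type=password&realm=/",
}
REQUIRED = ("grant_type", "username", "password")

def _single(params, name):
    """Return the one value of a form parameter, or None if absent or repeated."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 else None

def lenient_token_params(req):
    """Pre-fix behaviour: query-string parameters fill in what the body lacks."""
    merged = parse_qs(req["query"])
    merged.update(parse_qs(req["body"]))
    return {k: _single(merged, k) for k in REQUIRED + ("scope",)}

def strict_token_params(req):
    """RFC 6749 4.3.2: read the grant from the form-encoded entity body only.
    Returns (params, None) on success or (None, error_response) on failure."""
    if not req["content_type"].startswith("application/x-www-form-urlencoded"):
        return None, {"error": "invalid_request",
                      "error_description": "Unsupported content type"}
    params = parse_qs(req["body"])  # the query string is deliberately ignored
    for name in REQUIRED:
        if _single(params, name) is None:
            return None, {"error": "invalid_request",
                          "error_description": f"Missing parameter, '{name}'"}
    if params["grant_type"][0] != "password":
        return None, {"error": "unsupported_grant_type",
                      "error_description": "grant_type must be 'password'"}
    return {k: _single(params, k) for k in REQUIRED + ("scope",)}, None

def credentials_in_query(req):
    """Detection aid: credential parameters a client placed in the URL, where
    proxies and access logs would record them."""
    return sorted(n for n in ("username", "password") if n in parse_qs(req["query"]))
```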


Comments
Comment by Jonathan Thomas [ 26/Jul/17 ]

Pulling into Sprint for investigation

Comment by Sam Fraser [ 02/Aug/17 ]

QA test case curl commands:

Before fix (both work):

$ curl --request POST --user OAuth2Client:password --data "grant_type=password&username=user3&password=qwerty12&realm=/" http://sam.example.com:8080/openam/oauth2/access_token
{"scope":"read","expires_in":3599,"token_type":"Bearer","access_token":"fc218289-6207-4d77-9d3a-1d072ccd03ea"}


$ curl --request POST --user OAuth2Client:password --data "grant_type=password&realm=/" "http://sam.example.com:8080/openam/oauth2/access_token?grant_type=password&username=user3&password=qwerty12"
{"scope":"read","expires_in":3599,"token_type":"Bearer","access_token":"e001e436-3006-4399-9d02-f542619ebf9c"}


After fix (only postdata works):

$ curl --request POST --user OAuth2Client:password --data "grant_type=password&username=user3&password=qwerty12&realm=/" http://sam.example.com:8080/openam/oauth2/access_token
{"scope":"read","expires_in":3599,"token_type":"Bearer","access_token":"fc218289-6207-4d77-9d3a-1d072ccd03ea"}


$ curl --request POST --user OAuth2Client:password --data "grant_type=password&realm=/" "http://sam.example.com:8080/openam/oauth2/access_token?grant_type=password&username=user3&password=qwerty12"
{"error":"invalid_request","error_description":"Missing parameter, 'username'"}

Comment by Sam Fraser [ 09/Nov/17 ]

QA steps noted in the comments

Comment by Ľubomír Mlích [ 05/Apr/18 ]

Reproduced on OpenAM 13.5.1 Build 15db0458c8 (2017-July-21 10:54)
Verified on OpenAM 13.5.2-RC4 Build 2e9f6e8051 (2018-March-16 11:29)

There is, however, a different error message:

{"error_description":"Resource owner authentication failed","error":"invalid_grant"}
Comment by Ľubomír Mlích [ 16/May/18 ]

Reproduced on ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41)
Verified on ForgeRock Access Management 5.5.2-M1 Build 666f90e040 (2018-May-15 14:37)

Generated at Fri Nov 27 06:18:19 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.