[OPENAM-12898] DNS alias results in audience validation failure for clients authenticating using JWT Created: 12/Apr/18  Updated: 30/Jul/19  Resolved: 09/Aug/18

Status: Resolved
Project: OpenAM
Component/s: None
Affects Version/s: 5.5.1
Fix Version/s: 6.5.0, 6.0.1, 5.5.2

Type: Bug Priority: Major
Reporter: Charan Mann Assignee: Michael Carter
Resolution: Fixed Votes: 0
Labels: AME, Must-Fix, NEWTON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
is related to OPENAM-12886 Allow configurable audience for clien... Resolved
Target Version/s:
Support Ticket IDs:
Needs QA verification:
No
Functional tests:
Yes

Description

Bug description

DNS alias results in audience validation failure for clients authenticating using JWT

How to reproduce the issue

  1. Deploy AM as http://openam551.example.com:8585/sso
  2. Create a sub realm: /employees
  3. Specify realm aliases: sso
  4. Specify DNS Aliases: sso.example.com
  5. Create OAuth service
  6. Create OAuth client with private_key_jwt as authentication method
  7. Create client JWT with aud URL: "http://sso.example.com:8585/sso/oauth2/access_token"
  8. Invoke Access token endpoint:
    curl --request POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9zc28uZXhhbXBsZS5jb206ODU4NS9zc28vb2F1dGgyL2FjY2Vzc190b2tlbiIgXSwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAxNTIzNTUxMjMxIH0.dv90FbERBMX8wufkN631KrOb36i7fY5EBnRbqNtn-pv9EER-9KBVAzdA9BOm4OSqPh_IJl5TEXSUAhYLshLPBSf-tOqIrkT7ChB5F8_1hPOzL2Ov6KC5z13P1-mcbkeqcvXPxGgbGOHLkxVo3OdCD6fkiKavNpcn1BQOpKU22BFOFZZgv5DPsO_0I5t8qIQoClhzbkzKymY8uguhlW4i4z90_uqj23wrCZlJxYYuagQaPfbwI2Qtf2SzFZ9ti1ISIvz1kOfh185S2jo_gS3TDF3O7cLxvh_Dr-yfbGBCMqm1ZIHj2TUObpT8lQER245M1lflor6XkelZvhlbe2ZXEQ&grant_type=client_credentials&assertion=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0.eyAic3ViIjogImp3dC1iZWFyZXItY2xpZW50IiwgImF1ZCI6IFsgImh0dHA6Ly9zc28uZXhhbXBsZS5jb206ODU4NS9zc28vb2F1dGgyL2FjY2Vzc190b2tlbiIgXSwgImlzcyI6ICJqd3QtYmVhcmVyLWNsaWVudCIsICJleHAiOiAxNTIzNTUxMjMxIH0.dv90FbERBMX8wufkN631KrOb36i7fY5EBnRbqNtn-pv9EER-9KBVAzdA9BOm4OSqPh_IJl5TEXSUAhYLshLPBSf-tOqIrkT7ChB5F8_1hPOzL2Ov6KC5z13P1-mcbkeqcvXPxGgbGOHLkxVo3OdCD6fkiKavNpcn1BQOpKU22BFOFZZgv5DPsO_0I5t8qIQoClhzbkzKymY8uguhlW4i4z90_uqj23wrCZlJxYYuagQaPfbwI2Qtf2SzFZ9ti1ISIvz1kOfh185S2jo_gS3TDF3O7cLxvh_Dr-yfbGBCMqm1ZIHj2TUObpT8lQER245M1lflor6XkelZvhlbe2ZXEQ&redirect_uri=http%3A%2F%2Fopenam551.example.com%3A8989%2Fsso&scope=mail%20openid' 'http://sso.example.com:8585/sso/oauth2/access_token'

Expected behaviour
Access token and ID token should be issued
Current behaviour
{"error_description":"Invalid JWT audience","error":"invalid_request"}

Workaround

Don't use a DNS alias.

Code analysis

org.forgerock.openam.oauth2.jwt.JwtClaimsValidationHandler.java#validateAudience()
getAcceptedAudiences() returns only these three options, all of which contain the realm path, so the realm-less DNS-alias URL used as the JWT's aud never matches:

0 = "http://sso.example.com:8585/sso/oauth2/employees"
1 = "http://sso.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token"
2 = "http://sso.example.com:8585/sso/oauth2/realms/root/realms/employees"
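A Python model of the audience check discussed above, added here as an illustration and not OpenAM's own code: realm_audiences() reproduces the three realm-qualified values the ticket reports, and accepted_audiences() shows one assumed remedy (also accepting the realm-less access_token URL when the request host is a registered DNS alias) while keeping exact-match comparison. The claims are those decoded from the ticket's client assertion; the function names, the alias_hosts parameter and the remedy itself are assumptions.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Claims as decoded from the client assertion in the ticket's curl request.
CLAIMS = {"sub": "jwt-bearer-client", "iss": "jwt-bearer-client", "exp": 1523551231,
          "aud": ["http://sso.example.com:8585/sso/oauth2/access_token"]}


def realm_audiences(base_url: str, realm_path: str) -> set[str]:
    """Realm-qualified audience URLs, mirroring the three values the ticket
    reports from getAcceptedAudiences() for realm /employees."""
    segments = [s for s in realm_path.split("/") if s]
    short = "/".join(segments)
    nested = "/".join(f"realms/{s}" for s in ["root", *segments])
    return {f"{base_url}/oauth2/{short}",
            f"{base_url}/oauth2/{nested}/access_token",
            f"{base_url}/oauth2/{nested}"}


def accepted_audiences(base_url: str, realm_path: str,
                       alias_hosts: frozenset[str] = frozenset()) -> set[str]:
    """Accepted 'aud' values for a token request made to base_url. With no
    alias_hosts this is the pre-fix behaviour from the ticket; when the request
    host is a DNS alias of the realm, the realm-less endpoint URL the client
    actually called is accepted too (assumed remedy, not OpenAM's own)."""
    accepted = realm_audiences(base_url, realm_path)
    if urlsplit(base_url).hostname in alias_hosts:
        accepted.add(f"{base_url}/oauth2/access_token")
    return accepted


def validate_audience(claims: dict, accepted: set[str]) -> bool:
    """RFC 7519 allows 'aud' as a string or a list; at least one value must
    equal an accepted audience exactly (no prefix or substring matching)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not aud:
        return False
    return any(a in accepted for a in aud)


def reproduce(base_url: str = "http://sso.example.com:8585/sso") -> tuple[bool, bool]:
    """(outcome before the remedy, outcome after it) for the ticket's assertion."""
    before = validate_audience(CLAIMS, accepted_audiences(base_url, "/employees"))
    after = validate_audience(CLAIMS, accepted_audiences(
        base_url, "/employees", frozenset({"sso.example.com"})))
    return before, after  # (False, True)
```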

Generated at Mon Nov 30 01:46:44 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.