[#OPENAM-12997] Consent for default scopes are not saved

[OPENAM-12997] Consent for default scopes are not saved Created: 25/Apr/18 Updated: 13/Mar/20 Resolved: 07/Sep/18
Status:	Closed
Project:	OpenAM
Component/s:	oauth2
Affects Version/s:	5.5.1, 6.0.0, 6.5.0
Fix Version/s:	6.5.0, 6.0.1, 5.5.2

Type:

Bug

Priority:

Major

Reporter:

Peter Major [X] (Inactive)

Assignee:

Lawrence Yarham

Resolution:

Fixed

Votes:

Labels:

Backlog, EDISON

Remaining Estimate:

Not Specified

Time Spent:

Not Specified

Original Estimate:

Not Specified

Rank:

1|hzvurr:

Sprint:

AM Sustaining Sprint 54

Story Points:

Needs backport:

Yes

Support Ticket IDs:

Verified Version/s:

5.5.2

Needs QA verification:

Yes

Functional tests:

Are the reproduction steps defined?:

Yes and I used the same an in the description

Description

Bug description

When OAuth2 authorization requests are made without explicitly asking for scopes and the consent is saved by the end-user, the saved consent won't actually contain the default scopes (that will be issued for the access token).

How to reproduce the issue

Configure AM as an OAuth2 provider
Use "description" attribute as Saved Consent Attribute Name
Add "description" to the list of LDAP User Attributes in the data store settings
Create a new OAuth2 client with uid as default scopes
Initiate an OAuth2 authorization flow without explicitly asking for any scopes:
https://openam.dev/openam/oauth2/authorize?client_id=myclient&redirect_uri=http://localhost&response_type=code
Check Save Consent box
Submit the consent page
Start a new authorization code flow with the same request

Expected behaviour

The second auth code request will not display the consent page.

Current behaviour

The consent saved at the first request does not contain the non-requested but given default scope, hence the save consent screen is displayed again.

Comments

Comment by Andrew Vinall [ 25/Apr/18 ]

Bug Triage: Peter Major [X] Is this a regression?

Comment by Peter Major [X] (Inactive) [ 25/Apr/18 ]

See also TestAuthorizationCodeGrant#testSavedConsent

Comment by Peter Major [X] (Inactive) [ 25/Apr/18 ]

Andrew Vinall this test seemed to fail for 5.5.0 as well: https://ci.forgerock.org/view/OpenAM/job/AM-5.5.x/job/OpenAM-Functional-Tests-Stable/106/Temper_Report/class-com.forgerock.openam.functionaltest.oauth2.TestAuthorizationCodeGrant.html#f68469757472ab760e8ab47d3617478f95a371b9845748efaa020f2badda6384

Comment by Lawrence Yarham [ 04/Sep/18 ]

Just following up on a question regarding when to include default scopes in the saved consent...

Based on https://tools.ietf.org/html/rfc6749#section-3.3
If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).
This looks to indicate that the default scope should only be included in the saved consent if no scope was explicitly requested. The way the fix has been implemented here is that the default scope is included in the saved consent (after asking the end user for consent) even if specific scopes were requested.

I'll re-open and resolve this.

Comment by Ľubomír Mlích [ 13/Mar/20 ]

Reproduced in ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41)
Verified as fixed in ForgeRock Access Management 5.5.2-M12 Build b4eff06cc5 (2020-February-26 12:16)

Generated at Tue Mar 02 14:41:21 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.