[OPENAM-14642] OIDC Dynamic Client Registration registration_client_uri uses only Host header not BaseURL Created: 19/Mar/19  Updated: 13/Mar/20  Resolved: 18/Apr/19

Status: Closed
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2
Fix Version/s: 6.5.2, 6.0.1, 5.5.2

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: C-Weng C
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to OPENAM-14643 OIDC Dynamic Client Registration regi... Closed
Sprint: AM Sustaining Sprint 61, AM Sustaining Sprint 62
Story Points: 2
Needs backport:
No
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes, and I used the same ones as in the description

Description

Bug description

Configure a Base URL Source with a fixed value for a realm, then perform an OIDC dynamic client registration in that realm. The registration_client_uri in the generated client response is always built from the request's "Host" header, not from the configured Base URL.

How to reproduce the issue

  1. Create a subrealm and an OAuth2/OIDC service
  2. Enable Dynamic Client Registration (or Open Dynamic Client Registration)
  3. Create an OAuth2/OIDC client, say myOIDCClient
  4. Get an access token for myOIDCClient (call this access token $AT)
  5. Set up a Base URL Source with a fixed value (its host may also need to be one of the realm's DNS aliases)
  6. Generate a client registration:
    # The Host header is set explicitly so that its value can be recognised in the response.
    curl \
      -D - \
      -s -k \
      -X POST \
      -H "Host: somehost:someport" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $AT" \
      --data '{
        "application_type": "web",
        "redirect_uris": ["http://localhost/test.jsp", "https://client.example.org/callback", "https://client.example.org/callback2"],
        "client_name": "My Example",
        "logo_uri": "https://client.example.org/logo.png",
        "subject_type": "public",
        "token_endpoint_auth_method": "client_secret_basic",
        "jwks_uri": "https://client.example.org/my_public_keys.jwks",
        "userinfo_encrypted_response_alg": "RSA1_5",
        "userinfo_encrypted_response_enc": "A128CBC-HS256",
        "contacts": ["ve7jtb@example.org", "mary@example.org"],
        "request_uris": ["https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA"],
        "default_max_age": 43200,
        "access_token_lifetime": 3600,
        "jwt_token_lifetime": 43200,
        "scopes": ["openid", "profile"],
        "claimsRedirectionUris": ["http://test.com"],
        "grant_types": ["authorization_code", "implicit"]
      }' "<openam-url>/openam/oauth2/register?realm=${realm}"

  7. Observe the registration_client_uri in the generated payload:
    {
      "request_object_encryption_alg": "",
      "default_max_age": 43200,
      "application_type": "web",
      "userinfo_encrypted_response_enc": "A128CBC-HS256",
      "registration_client_uri": "<openam-host>/openam/oauth2/realms/root/realms/dynamic/register?client_id=84ed9278-9f8e-4e23-b622-7d706d6ce6a4",
      "client_type": "Confidential",
      "userinfo_encrypted_response_alg": "RSA1_5",
      "registration_access_token": "z4udB3B8FIyFR_yRU4dGZBPL6gw",
      "client_id": "84ed9278-9f8e-4e23-b622-7d706d6ce6a4",
      "token_endpoint_auth_method": "client_secret_basic",
      "userinfo_signed_response_alg": "",
      "public_key_selector": "jwks_uri",
      "scope": "openid profile",
      "authorization_code_lifetime": 0,
      "client_secret": "jc0oiPBcH1LCtEa8PkbAT6qZSmU",
      "user_info_response_format_selector": "ENCRYPTED_JWT",
      "client_name": "My Example",
      "id_token_signed_response_alg": "HS256",
      "default_max_age_enabled": true,
      "subject_type": "public",
      "jwt_token_lifetime": 3600,
      "id_token_encryption_enabled": false,
      "redirect_uris": ["http://localhost/test.jsp", "https://client.example.org/callback", "https://client.example.org/callback2"],
      "id_token_encrypted_response_alg": "RSA1_5",
      "id_token_encrypted_response_enc": "A128CBC_HS256",
      "client_secret_expires_at": 0,
      "access_token_lifetime": 3600,
      "jwks_uri": "https://client.example.org/my_public_keys.jwks",
      "refresh_token_lifetime": 0,
      "scopes": ["openid", "profile"],
      "request_object_signing_alg": "",
      "contacts": ["ve7jtb@example.org", "mary@example.org"],
      "response_types": ["code"]
    }

Expected behaviour

The configured Base URL is used for the registration_client_uri.

Current behaviour

The request's "Host" header is used to construct the registration_client_uri during client registration, on 6.5.0.1 and earlier.

Workaround

If possible, configure the load balancer to preserve the Host header (PreserveHostHeader) so that the Host header reaching AM carries the expected value.

Code analysis

DynamicClientRegistration.java currently uses the Host header and not the Base URL, even when a Base URL is configured.
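The following is an added example, not OpenAM's own code. It models the two ways the registration_client_uri origin can be derived (the pre-fix Host-header behaviour and the fixed Base URL behaviour) and gives a small check you can run over the JSON returned in step 7 to tell which one a given AM build used. The registration path, the Base URL form "https://host[:port]" without the deployment path, and the Host-header fallback when no Base URL is configured are assumptions for the example. Since a client later calls registration_client_uri presenting its registration_access_token, the origin of that URL should come from trusted server configuration rather than from a request header a proxy or caller can rewrite.

```python
"""Added example (not OpenAM code): model how registration_client_uri is built
before and after this fix, and check a registration response for the bug.

Assumptions (not from the issue): the fixed Base URL Source value has the form
"https://host[:port]" without the deployment path, and the registration path
is the one seen in the step-7 output of the issue.
"""
import json
from typing import Optional
from urllib.parse import urlsplit

# Registration endpoint path as it appears in the issue's sample output
# (realm "dynamic" under the top-level realm); assumed constant here.
REGISTER_PATH = "/openam/oauth2/realms/root/realms/dynamic/register"


def uri_from_host_header(scheme: str, host_header: str, client_id: str) -> str:
    """Pre-fix behaviour: the origin is whatever Host header the request
    carried, so a proxy that rewrites Host, or any caller that sets it,
    decides which URL the client will later call with its registration_access_token."""
    return f"{scheme}://{host_header}{REGISTER_PATH}?client_id={client_id}"


def uri_from_base_url(base_url: Optional[str], scheme: str, host_header: str,
                      client_id: str) -> str:
    """Fixed behaviour: prefer the configured Base URL; fall back to the
    Host header only when no Base URL is configured (the fallback is an assumption)."""
    if not base_url:
        return uri_from_host_header(scheme, host_header, client_id)
    parts = urlsplit(base_url)
    return f"{parts.scheme}://{parts.netloc}{REGISTER_PATH}?client_id={client_id}"


def check_response(response_json: str, expected_base_url: str) -> dict:
    """Compare the origin of registration_client_uri in a registration
    response (the JSON from step 7) with the configured Base URL.
    'affected' is True when they differ, i.e. the server used the Host header."""
    uri = json.loads(response_json)["registration_client_uri"]
    got, want = urlsplit(uri), urlsplit(expected_base_url)
    return {
        "registration_client_uri": uri,
        "expected_origin": f"{want.scheme}://{want.netloc}",
        "actual_origin": f"{got.scheme}://{got.netloc}",
        "affected": (got.scheme, got.netloc.lower()) != (want.scheme, want.netloc.lower()),
    }


# Constructed sample responses, trimmed to the relevant fields. The first is
# what the issue reports when the request carried "Host: somehost:8080"; the
# second is what the fixed behaviour should return for the same request.
CONFIGURED_BASE_URL = "https://am.example.com"
CLIENT_ID = "84ed9278-9f8e-4e23-b622-7d706d6ce6a4"
AFFECTED_RESPONSE = json.dumps({
    "client_id": CLIENT_ID,
    "registration_client_uri": uri_from_host_header("http", "somehost:8080", CLIENT_ID),
})
FIXED_RESPONSE = json.dumps({
    "client_id": CLIENT_ID,
    "registration_client_uri": uri_from_base_url(
        CONFIGURED_BASE_URL, "http", "somehost:8080", CLIENT_ID),
})

if __name__ == "__main__":
    for label, body in (("pre-fix", AFFECTED_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, check_response(body, CONFIGURED_BASE_URL))
```

To use the check against a real deployment, pass the body returned by the curl command in step 6 to check_response together with the Base URL you configured in step 5; an "affected": true result means the build reflected the Host header.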


Comments
Comment by Filip Kubáň [X] (Inactive) [ 03/May/19 ]

Verified on: ForgeRock Access Management 6.5.2-M1 Build 7c804d6416 (2019-April-26 13:17)

Base URL is used during client registration.

Comment by Edward Hills [X] (Inactive) [ 27/Jun/19 ]

Does this affect version 6.5.0.2 ?

Comment by Ľubomír Mlích [ 13/Mar/20 ]

C-Weng C thanks, it is working now as expected. Also thanks for explanation why Global services changes don't work.

Reproduced in ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41)
Verified as fixed in ForgeRock Access Management 5.5.2-M12 Build b4eff06cc5 (2020-February-26 12:16)

Generated at Wed Nov 25 04:59:14 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.