[OPENAM-14694] Consent page still shows claim values even when supported claim description is omitted Created: 01/Apr/19  Updated: 20/Apr/20  Resolved: 22/May/19

Status: Resolved
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: 13.0.0, 6.0.0.5, 6.5.0.1
Fix Version/s: 6.5.2, 6.0.1, 5.5.2, 7.0.0

Type: Bug Priority: Major
Reporter: WanNing Tan Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File 6.5.1.png, PNG File img1.png
Issue Links:
Relates
relates to OPENAM-14693 Supported Scope Description is omit, ... Open
relates to OPENAM-14743 Fix wording around how supported clai... Closed
Sprint: AM Sustaining Sprint 61, AM Sustaining Sprint 62, AM Sustaining Sprint 63
Story Points: 3
Needs backport:
No
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes, and I used the same as in the description

Description

Bug description

The documentation states that if the description of a supported claim is omitted, the claim is not displayed on the consent page for the scope. However, the supported claim is still displayed on the consent screen.

How to reproduce the issue

  1. Configure OpenID Connect ([Realm] -> [Configure OAuth Provider] -> [Configure OpenID Connect])
  2. In OpenAM 13.0.0: Create an OAuth 2 agent called myClientID ([Realm] -> [Agents] -> [OAuth2.0/OpenID Connect Client])
    In AM 6.x: Create an OAuth 2 agent called myClientID ([Realm] -> [Applications] -> [OAuth2.0])
  3. Configure the following in the myClientID agent configuration:
    [Core] tab --> Redirection URIs: http://www.google.com
    [Core] tab --> Scope(s): openid profile
    In AM 6.5.x: Allow implicit grant ([Realm] -> [Applications] -> [OAuth2.0] -> [OAuth2.0 Name] -> [Advanced])
  4. Configure the following in the OAuth2Provider configuration ([Realm] -> [Services] -> [OAuth2 Provider]):
    [Advanced] tab -> Supported Scopes: profile| (remove the description "Your personal information")
    [OpenID Connect] tab -> Supported Claims: name| (remove the description "Full name") family_name| (remove the description "Full name")
  5. Access the URL to get the access token:
    http://am.example.com:8080/openam/oauth2/authorize?client_id=myClientID&redirect_uri=http://www.google.com&response_type=id_token&scope=openid%20profile&nonce=1234
  6. Enter the user credentials
Expected behaviour
As stated in the documentation (OpenAM 13 Reference and the AM 6.5 OpenID Connect 1.0 Guide) for the Supported Claims attribute:
If the description is also omitted, nothing is displayed on the consent page for the claim. For example, specifying family_name| would allow the claim family_name to be used by the client, but would not display it to the user on the consent page when requested.
Current behaviour
The consent screen is showing the supported claims (img1).
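To make the documented rule concrete, the following is an added example (not OpenAM's own code) that models how entries in the Supported Scopes / Supported Claims fields map to what the consent page should show: an entry with an empty description is usable by the client but hidden from the user. The `name|locale|description` grammar, the optional locale field and the rejection of requested scopes that are not in the supported list are assumptions for this illustration.

```python
"""Model of how OAuth2 Provider 'Supported Scopes' / 'Supported Claims' entries
(name|description or name|locale|description) map to consent-page display.

Assumed (not taken from the issue): the entry grammar below, and that a
requested scope or claim missing from the supported list is rejected outright.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SupportedEntry:
    name: str
    locale: Optional[str]
    description: str  # empty string means "description omitted"


def parse_entry(raw: str) -> SupportedEntry:
    """Parse one line of the Supported Scopes / Supported Claims field."""
    parts = [p.strip() for p in raw.strip().split("|")]
    name = parts[0]
    if not name:
        raise ValueError(f"entry has no scope/claim name: {raw!r}")
    if len(parts) == 1:                      # "openid": name only
        return SupportedEntry(name, None, "")
    if len(parts) == 2:                      # "profile|" or "profile|Your personal information"
        return SupportedEntry(name, None, parts[1])
    if len(parts) == 3:                      # "name|en|Full name"
        return SupportedEntry(name, parts[1] or None, parts[2])
    raise ValueError(f"too many '|' separators in entry: {raw!r}")


def consent_view(supported: List[str], requested: List[str]) -> Dict[str, list]:
    """Split a client's requested scopes/claims into: allowed for the client,
    displayed to the user (only those with a description), and rejected."""
    entries = {e.name: e for e in (parse_entry(s) for s in supported)}
    allowed: List[str] = []
    displayed: List[Tuple[str, str]] = []
    rejected: List[str] = []
    for name in requested:
        entry = entries.get(name)
        if entry is None:                    # not supported at all: refuse it
            rejected.append(name)
            continue
        allowed.append(name)                 # usable by the client ...
        if entry.description:                # ... but shown only with a description
            displayed.append((name, entry.description))
    return {"allowed": allowed, "displayed": displayed, "rejected": rejected}
```

With the issue's configuration (`profile|`, `name|`, `family_name|`) the model grants the scope and claims but lists nothing for them on the consent page, which is the behaviour the documentation describes and the report says is not observed.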



Comments
Comment by Sachiko Wallace [ 08/Apr/19 ]

I don't think this is a bug. As you've pointed out, the online doc says:

For example specifying read| would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.

And the consent page is displaying the profile value without the scope/claim "Label", which fulfils the documented spec.
Maybe we can change the online help's wording to "the label for the claim/scope derived from the description is not displayed", etc.?

Comment by Sachiko Wallace [ 08/Apr/19 ]

Raised documentation bug to fix the wording.

Comment by Ľubomír Mlích [ 30/May/19 ]

Verified as fixed in AM 6.5.2-M3 compared to AM 6.5.1.

Also, there was a one-time error which I was not able to reproduce: the consent time did not display. I just refreshed the page and the page displayed. I was not able to see that error again despite trying a few times.
