[OPENAM-15063] when binding message of CIBA request is too long, notification fail to be sent Created: 11/Jun/19  Updated: 13/Aug/19  Resolved: 21/Jun/19

Status: Closed
Project: OpenAM
Component/s: oauth2
Affects Version/s: 6.5.2, 7.0.0
Fix Version/s: 6.5.2.1, 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: Ľubomír Mlích Assignee: Peter Major [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: AME, Must-Fix, NEWTON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Rank: 1|hzk41z:
Sprint: AM 2019.9 - Crane
Needs backport:
Yes
Verified Version/s:

Description

Bug description

Notification will fail if there is a quote in the binding message in the JWT of a CIBA request.

this doesn't work: "binding_message": "Allow ExampleBank to transfer £50 from your 'Main' account to your 'Savings' account? Reference: 0246326",
this works: "binding_message": "Allow ExampleBank to transfer £50 from your Main account to your Savings account? Reference: 0246326",

How to reproduce the issue

  1. configure CIBA following https://docs.google.com/document/d/1HlPCIUDZj7uQsMXOTie_hSGzE3qaS0Rn4GJg_1KKfYc/edit#
  2. use quotes in binding message in JWT
Expected behaviour

Notification is sent to mobile phone

Current behaviour

Client will see:

{
    "error": "server_error",
    "error_description": "Error occurred during authentication"
}

And in the debug there is:

ERROR: Unable to create the OAuth2 request
org.forgerock.oauth2.core.exceptions.ServerException: Error occurred during authentication
	at org.forgerock.openam.oauth2.ciba.CtsBackChannelAuthnService.retrieveAuthenticationResponse(CtsBackChannelAuthnService.java:201)
	at org.forgerock.openam.oauth2.ciba.CtsBackChannelAuthnService.initiateAuthentication(CtsBackChannelAuthnService.java:102)
	at org.forgerock.openam.oauth2.ciba.CtsBackChannelAuthnService.initiateAuthentication(CtsBackChannelAuthnService.java:120)
	at org.forgerock.openam.oauth2.ciba.CtsBackChannelAuthnService.initiate(CtsBackChannelAuthnService.java:94)
	at org.forgerock.oauth2.restlet.BackChannelResource.backChannelAuthorize(BackChannelResource.java:166)
	at sun.reflect.GeneratedMethodAccessor146.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
	at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
	at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
	at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
	at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
	at org.restlet.resource.Finder.handle(Finder.java:236)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
	at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
	at org.restlet.Application.handle(Application.java:385)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
	at org.restlet.Component.handle(Component.java:408)
	at org.restlet.Server.handle(Server.java:507)
	at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
	at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
	at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
	at org.forgerock.openam.rest.RestEndpointServlet$RestletHandler.handle(RestEndpointServlet.java:183)
	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:87)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:264)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.forgerock.openam.rest.RestEndpointServlet$HttpServletWrapper.service(RestEndpointServlet.java:254)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:132)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Login failure
	at org.forgerock.openam.core.rest.authn.trees.FailureProcessTreeResult.authFailureException(FailureProcessTreeResult.java:92)
	at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:424)
	at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:261)
	at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:253)
	at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:222)
	at org.forgerock.openam.oauth2.ciba.CtsBackChannelAuthnService.retrieveAuthenticationResponse(CtsBackChannelAuthnService.java:185)
	... 95 more
Caused by: org.forgerock.openam.auth.node.api.NodeProcessException: Node processing failed
	at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:108)
	at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:149)
	at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:421)
	... 99 more
Caused by: com.amazonaws.services.sns.model.InvalidParameterException: Invalid parameter: Subject (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: 68bef8ed-4430-565f-b802-ad94cb034458)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1639)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1056)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
	at com.amazonaws.services.sns.AmazonSNSClient.doInvoke(AmazonSNSClient.java:2270)
	at com.amazonaws.services.sns.AmazonSNSClient.invoke(AmazonSNSClient.java:2246)
	at com.amazonaws.services.sns.AmazonSNSClient.executePublish(AmazonSNSClient.java:1698)
	at com.amazonaws.services.sns.AmazonSNSClient.publish(AmazonSNSClient.java:1675)
	at org.forgerock.openam.services.push.sns.SnsHttpDelegate.send(SnsHttpDelegate.java:69)
	at org.forgerock.openam.services.push.PushNotificationService.send(PushNotificationService.java:122)
	at org.forgerock.openam.auth.nodes.push.PushAuthenticationSenderNode.sendMessage(PushAuthenticationSenderNode.java:204)
	at org.forgerock.openam.auth.nodes.push.PushAuthenticationSenderNode.process(PushAuthenticationSenderNode.java:153)
	at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
	... 101 more



Comments
Comment by Chris Lee [ 11/Jun/19 ]

Might actually be the length of the binding_message. I'm sure I tried all the special characters, but I shortened the message and it worked (I think, have tried so, so, many things).

Comment by Chris Lee [ 12/Jun/19 ]

Yeah it's not the presence of quotes I don't think, but the length of the string. This works, and includes quotes, and a GBP pound sign:

Allow ExampleBank to transfer £50 from your 'Main' account to your 'Savings' account? (EB-046326)

Comment by Michael Carter [ 19/Jun/19 ]

The binding message is supposed to be a short, random string that identifies the request to the user, similar to an OTP. This error is caused by a misuse of the binding message.

I think we should be restricting the length and content of the binding message, rather than just allow arbitrarily sized messages which opens up a potential attack surface.
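
An added example (not OpenAM code, nor from anyone on this thread) of the up-front check the comment argues for: the authorization server validates the binding message before starting the notification flow and answers with the invalid_binding_message error that CIBA Core defines, so an oversized or malformed message never reaches the push backend and the client learns what was wrong instead of the generic server_error shown above. The 100-character cap and the printable-character rule are assumptions chosen for illustration, and the auth_req_id is a placeholder.

```python
import json

# Assumed policy (not from the issue): CIBA Core only says binding_message SHOULD be
# short and use a limited set of plain-text characters, so the cap is a deployment choice.
MAX_BINDING_MESSAGE_LEN = 100


def validate_binding_message(message, max_len=MAX_BINDING_MESSAGE_LEN):
    """Return None when the message is acceptable, otherwise a reason string.
    binding_message is optional in CIBA, so None is accepted."""
    if message is None:
        return None
    if not isinstance(message, str):
        return "binding_message must be a string"
    if not message.strip():
        return "binding_message must not be empty or whitespace"
    if len(message) > max_len:
        return "binding_message exceeds %d characters (got %d)" % (max_len, len(message))
    for ch in message:
        # Reject control characters (including line breaks) and other non-printables;
        # quotes and currency symbols such as GBP are printable and stay allowed.
        if not ch.isprintable():
            return "binding_message contains non-printable character U+%04X" % ord(ch)
    return None


def backchannel_authn_response(request_claims):
    """Answer a CIBA backchannel authentication request. A rejected binding message
    gets the invalid_binding_message error defined by CIBA Core, returned before any
    notification is attempted, instead of the generic server_error seen in the issue."""
    reason = validate_binding_message(request_claims.get("binding_message"))
    if reason is not None:
        return 400, {"error": "invalid_binding_message", "error_description": reason}
    # Validation passed: a real AS would now persist the request and notify the user.
    return 200, {"auth_req_id": "PLACEHOLDER-AUTH-REQ-ID", "expires_in": 120}


# Constructed inputs: the two messages quoted in this issue (104 and 97 characters).
TOO_LONG = ("Allow ExampleBank to transfer £50 from your 'Main' account to your "
            "'Savings' account? Reference: 0246326")
SHORT = ("Allow ExampleBank to transfer £50 from your 'Main' account to your "
         "'Savings' account? (EB-046326)")

if __name__ == "__main__":
    for claims in ({"binding_message": TOO_LONG}, {"binding_message": SHORT}):
        status, body = backchannel_authn_response(claims)
        print(status, json.dumps(body, ensure_ascii=False))
```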

Comment by Ľubomír Mlích [ 13/Aug/19 ]

verified by functional tests

Generated at Mon Mar 01 23:05:51 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.