[OPENAM-15494] AM expects nonce request parameter in authorize request when no id_token will be returned Created: 27/Sep/19  Updated: 20/May/20  Resolved: 24/Oct/19

Status: Resolved
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: 6.5.2
Fix Version/s: 6.0.1, 5.5.2, 7.0.0, 6.5.3

Type: Bug Priority: Major
Reporter: Aaron Haskins Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: AM Sustaining Sprint 68
Story Points: 3
Needs backport:
No
Support Ticket IDs:
Needs QA verification:
No
Functional tests:
Yes
Are the reproduction steps defined?:
Yes, and I used the same as in the description

Description

Bug description

When making a request to the authorize endpoint with a response_type of none (and no id_token_hint), AM returns an error saying "Missing required parameter nonce from request", which doesn't make sense: no id_token will be returned, so there is no nonce value to compare against.

Also, it is not clear what Response Type Plugin should be configured on the OAuth2 Provider (this might be the real issue here).

How to reproduce the issue

  1. Create OAuth2 Provider service
  2. Add none to Response Type Plugin - map none|org.forgerock.openidconnect.IdTokenResponseTypeHandler
  3. http://openam.example.com:8088/openam/oauth2/realms/root/authorize?client_id=myOAuth2Client&scope=openid&prompt=none&redirect_uri=http://www.example.com&state=1234&response_type=none
Expected behaviour

When supplied as the response_type parameter in an OAuth 2.0 Authorization Request, the Authorization Server SHOULD NOT return an OAuth 2.0 Authorization Code, Access Token, Access Token Type, or ID Token in a successful response to the grant request. If a redirect_uri is supplied, the User Agent SHOULD be redirected there after granting or denying access. See https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#none

Current behaviour

Missing required parameter nonce from request


Code analysis

org/forgerock/openidconnect/OpenIdConnectAuthorizeRequestValidator.java
// Maybe some other checks here against a response_type of none
if (!requestedScopes.contains(OPENID) && responseTypes.contains(ID_TOKEN)) {
    throw new InvalidRequestException("Missing expected scope=openid from request",
            Utils.isOpenIdConnectFragmentErrorType(responseTypes) ? FRAGMENT : QUERY);
} else if (requestedScopes.contains(OPENID)) {
    validateNonce(request, responseTypes);
}
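As an added example (not OpenAM's own code; the class, method and exception names are hypothetical), here is the same check with the nonce requirement tied to whether an ID Token will actually be issued from the authorization endpoint, which is how OIDC Core states it: nonce is REQUIRED for the implicit and hybrid flows (response_type contains id_token), OPTIONAL for response_type=code, and not applicable for response_type=none.

```java
import java.util.Set;

/** Hypothetical stand-alone validator illustrating the corrected nonce rule. */
public class NonceRequirementCheck {
    static final String OPENID = "openid";
    static final String ID_TOKEN = "id_token";

    /** Hypothetical stand-in for the InvalidRequestException seen in the ticket. */
    public static class InvalidRequest extends RuntimeException {
        public InvalidRequest(String msg) { super(msg); }
    }

    /**
     * Rejects the request only when an ID Token would be issued from the
     * authorization endpoint without a nonce. A request with scope=openid but
     * response_type=code or response_type=none carries no ID Token in the
     * authorization response, so a missing nonce is not an error there.
     */
    public static void validate(Set<String> scopes, Set<String> responseTypes, String nonce) {
        boolean issuesIdToken = responseTypes.contains(ID_TOKEN);
        if (issuesIdToken && !scopes.contains(OPENID)) {
            throw new InvalidRequest("Missing expected scope=openid from request");
        }
        // Ticket behaviour: nonce demanded whenever scope=openid, whatever the response_type.
        // Corrected: demand it only when an id_token is actually part of the response.
        if (issuesIdToken && (nonce == null || nonce.isEmpty())) {
            throw new InvalidRequest("Missing required parameter nonce from request");
        }
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the ticket's reproduction request:
        // scope=openid, response_type=none, no nonce parameter.
        validate(Set.of("openid"), Set.of("none"), null);   // accepted
        validate(Set.of("openid"), Set.of("code"), null);   // accepted: nonce OPTIONAL for code flow
        try {
            validate(Set.of("openid"), Set.of("id_token"), null);
        } catch (InvalidRequest e) {
            System.out.println("implicit flow without nonce rejected: " + e.getMessage());
        }
        System.out.println("response_type=none without nonce accepted");
    }
}
```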

Generated at Wed Nov 25 05:56:12 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.