[OPENAM-15785] OIDC spec violation - HTTP POST cannot be used to send Authentication Request
Created: 17/Dec/19  Updated: 15/Dec/20  Resolved: 07/Jul/20

Status: Resolved
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 13.0.0, 13.5.0, 13.5.1, 13.5.2, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1, 14.1.1.1, 14.1.1.2, 14.1.1.3, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 14.1.1.4, 6.0.0.5, 14.1.1.5, 14.1.2.2, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 14.1.2.3, 6.5.1, 6.5.0.2, 14.1.2.4, 6.5.2, 6.5.2.1, 6.5.2.2, 14.1.2.5, 14.1.2.11
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: Bernhard Thalmayr Assignee: Isaac Taylor
Resolution: Fixed Votes: 0
Labels: AME, Must-FIx, Selected
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Regression
caused OPENAM-16453 CDSSO : error during redirect to AM l... Resolved
Target Version/s:
Sprint: AM Sustaining Sprint 70, AM Sustaining Sprint 71, AM Sustaining Sprint 72
Story Points: 5
Support Ticket IDs:

Description

Bug description

The OIDC Authorization Code flow fails if the Authentication Request is sent to the Authorization Endpoint via HTTP POST.

How to reproduce the issue

  1. Configure AM as OIDC provider
  2. Configure some OAuth2 client
  3. Perform OIDC Authorization Code flow, send Authentication request via HTTP POST

Expected behaviour

OIDC provider should authenticate the user.

Current behaviour

OIDC provider sends error response 'error_description=Failed to get resource owner session from request&error=invalid_request' to OIDC client.

Excerpt from OIDC specification

https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 2616 [RFC2616] at the Authorization Endpoint.

Excerpt from AM 6.5.2.2 OAuth2Provider debug log:
OAuth2Provider:12/17/2019 01:28:21:482 PM CET: Thread[http-nio-8080-exec-1,5,main]: TransactionId[45dd1371-5583-4eba-81a3-17203bb69ebb-1555]
WARNING: Error authenticating user against OpenAM:
com.iplanet.sso.SSOException: SessionID is empty
	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:147)
	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:160)
	at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:303)
	at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.getResourceOwnerSession(ResourceOwnerSessionValidator.java:455)
	at org.forgerock.oauth2.core.CsrfProtection.isCsrfAttack(CsrfProtection.java:51)
	at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:410)
	at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:260)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
	at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
	at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
	at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
	at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
	at org.restlet.resource.Finder.handle(Finder.java:236)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.forgerock.openam.rest.service.RestletRealmRouter$Delegate.handle(RestletRealmRouter.java:163)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
	at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
	at org.restlet.Application.handle(Application.java:385)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
	at org.restlet.Component.handle(Component.java:408)
	at org.restlet.Server.handle(Server.java:507)
	at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
	at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
	at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
	at org.forgerock.openam.rest.RestEndpointServlet$RestletHandler.handle(RestEndpointServlet.java:183)
	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:87)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:264)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.forgerock.openam.rest.RestEndpointServlet$HttpServletWrapper.service(RestEndpointServlet.java:254)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:132)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:412)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1385)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.iplanet.dpro.session.SessionException: SessionID is empty
	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:134)
	... 106 more
OAuth2Provider:12/17/2019 01:28:21:483 PM CET: Thread[http-nio-8080-exec-1,5,main]: TransactionId[45dd1371-5583-4eba-81a3-17203bb69ebb-1555]
WARNING: Error authenticating user against OpenAM:
com.iplanet.sso.SSOException: SessionID is empty
	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:147)
	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:228)
	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:211)
	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:241)
	at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:376)
	at org.forgerock.oauth2.core.ResourceOwnerSessionValidator.getResourceOwnerSession(ResourceOwnerSessionValidator.java:461)
	at org.forgerock.oauth2.core.CsrfProtection.isCsrfAttack(CsrfProtection.java:51)
	at org.forgerock.oauth2.core.AuthorizationService.handlePostRequest(AuthorizationService.java:410)
	at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:260)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
	at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
	at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
	at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
	at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
	at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
	at org.restlet.resource.Finder.handle(Finder.java:236)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.forgerock.openam.rest.service.RestletRealmRouter$Delegate.handle(RestletRealmRouter.java:163)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
	at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
	at org.restlet.Application.handle(Application.java:385)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.routing.Router.doHandle(Router.java:422)
	at org.restlet.routing.Router.handle(Router.java:641)
	at org.restlet.routing.Filter.doHandle(Filter.java:150)
	at org.restlet.routing.Filter.handle(Filter.java:197)
	at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
	at org.restlet.Component.handle(Component.java:408)
	at org.restlet.Server.handle(Server.java:507)
	at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
	at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
	at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
	at org.forgerock.openam.rest.RestEndpointServlet$RestletHandler.handle(RestEndpointServlet.java:183)
	at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
	at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:87)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
	at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
	at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:264)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.forgerock.openam.rest.RestEndpointServlet$HttpServletWrapper.service(RestEndpointServlet.java:254)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:132)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:651)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:412)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:754)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1385)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.iplanet.dpro.session.SessionException: SessionID is empty
	at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:134)
	... 108 more
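The stack trace shows the shape of the defect: AuthorizationService.handlePostRequest calls CsrfProtection.isCsrfAttack, which needs a resource-owner session, before the OIDC parameters in the POST body are treated as an authentication request. The following is an added illustrative model of that dispatch (not OpenAM code; cookie name, session store, client id and redirect URI are constructed), with the failing variant beside one that accepts POST authentication requests as the spec requires while keeping the CSRF check on consent submissions:

```python
# Illustrative model (added example, not OpenAM code) of the authorize-endpoint
# dispatch shown in the stack trace: handlePostRequest -> isCsrfAttack -> session.
import hmac
from urllib.parse import parse_qs, urlencode

SESSION_COOKIE = "amSession"                                   # constructed name
SESSIONS = {"sess-abc": {"user": "alice", "csrf": "tok-123"}}  # constructed store
AUTHN_REQUEST_PARAMS = {"response_type", "client_id", "redirect_uri", "scope"}

class SessionError(Exception):
    pass  # mirrors the SSOException "SessionID is empty" in the debug log

def parse_params(method, query, body):
    # GET carries the request in the query string, POST in the form body.
    raw = parse_qs(query if method == "GET" else body, keep_blank_values=True)
    return {k: v[0] for k, v in raw.items()}

def get_resource_owner_session(cookies):
    sid = cookies.get(SESSION_COOKIE, "")
    if not sid or sid not in SESSIONS:
        raise SessionError("SessionID is empty")
    return SESSIONS[sid]

def is_csrf_attack(params, cookies):
    # Consent-form protection: submitted token must match the session-bound one.
    session = get_resource_owner_session(cookies)  # raises without a session
    return not hmac.compare_digest(params.get("csrf", ""), session["csrf"])

def error_response(params, description):
    return params["redirect_uri"] + "?" + urlencode(
        {"error": "invalid_request", "error_description": description})

def handle_authn_request(params):
    # A real provider validates client_id/redirect_uri; this stand-in only
    # signals that login has been started for the requesting client.
    return "LOGIN:" + params["client_id"]

def authorize_before_fix(method, query, body, cookies):
    """Every POST is CSRF-checked first, so a first-contact POST authentication
    request (no session yet) ends in the error quoted in the bug report."""
    params = parse_params(method, query, body)
    if method == "POST":
        try:
            if is_csrf_attack(params, cookies):
                return error_response(params, "CSRF token mismatch")
        except SessionError:
            return error_response(params, "Failed to get resource owner session from request")
    return handle_authn_request(params)

def authorize_after_fix(method, query, body, cookies):
    """A POST body carrying the OIDC request parameters is an authentication
    request (spec requires GET and POST); only consent submissions are CSRF-checked."""
    params = parse_params(method, query, body)
    if method == "POST" and not AUTHN_REQUEST_PARAMS.issubset(params):
        try:
            return "CONSENT_REJECTED" if is_csrf_attack(params, cookies) else "CONSENT_OK"
        except SessionError:
            return "CONSENT_REJECTED"
    return handle_authn_request(params)
```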
