[OPENAM-15805] idtokeninfo endpoint gives invalid signature error when ID Token is expired Created: 20/Dec/19  Updated: 25/Jun/20  Resolved: 16/Feb/20

Status: Closed
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 6.5.1, 6.5.2, 6.5.2.1, 6.5.2.2
Fix Version/s: 5.5.2, 7.0.0, 6.5.3

Type: Bug Priority: Minor
Reporter: Jelle Verbraak Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
is related to OPENAM-15927 SKEW_ALLOWANCE = Duration.duration(5,... Open
Target Version/s:
Rank: 1|hzzopb:
Sprint: AM Sustaining Sprint 71, AM Sustaining Sprint 72
Story Points: 3
Needs backport:
No
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
Yes
Are the reproduction steps defined?:
Yes, and I used the same as in the description

 Description   

Bug description

Validating an expired unencrypted ID Token gives a misleading error message.

How to reproduce the issue

  1. Create a short lived ID Token
  2. Validate the unencrypted ID Token
curl --location --request POST 'http://localam.example.com:8080/openam/oauth2/idtokeninfo' \
--header 'Cookie: iPlanetDirectoryPro=nNOjfZL3H7OWKVuJT0puyraW-Xg.*AAJTSQACMDEAAlNLABx6emtGeFljZDkrOFkvZGk2cW1Ec1p0cWRzQ0k9AAR0eXBlAANDVFMAAlMxAAA.*' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=test' \
--data-urlencode 'client_secret=test' \
--data-urlencode 'id_token=eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.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.jvtlEwY1dYZhuTgUYk2b0iUTT965w-X-iWoWQBWFMqnCclk9m1LH_jRPkgYgQFOVhUQk9ADHqaSZFG52xsVF0Zf7u3KAk_gPbXqKvU3PFH6wU7dgCSpyM3q_kBRbBEC1XkBJAO3QqjrjRStAM9S6u3zLkIrR8ICZlUDP7TBBta-64EceTT6IA4J4RbF5d0sYAGmWnePM7ObjxQh8Sd18F4IqdkyNBMQKjCdE1KDcUPs2-UU3atuiUqkcILOFKbtoXZnIusZm-CM7QX0axrOuHtT43ElkVmYa1O2AHPwodld-1pIPwb3X84hm-WdzMQzfxVp_8SBl1KCZHZnIW7o5Qw'
  3. Expected behaviour
{
    "error_description": "ID token expired",
    "error": "bad_request"
}
Current behaviour
{
    "error_description": "Invalid signature",
    "error": "bad_request"
}

Cause

Probably updating openam-oauth2/src/main/java/org/forgerock/openidconnect/restlet/IdTokenInfo.java#validateIdToken
to check idToken.isExpired() first, before calling clientRegistration.verifyIdTokenSignedByUsWithConfiguredAlg(idToken),
would be the simplest direct fix (we just return the expired check first) without much issue.
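The following is an added illustration of the check-ordering point above; it is not OpenAM code and does not reproduce the IdTokenInfo.java logic. It uses HS256 with a constructed key instead of the RS256 token in the report, because the point is the order of the rejection checks, not the signature algorithm. The function verify_signed_by_us is an assumption modelled on the observed behaviour: a combined "signed by us" step that reports the generic "Invalid signature" for an expired token. validate_after is the proposed order, expiry first, which yields the expected "ID token expired". Both orders still reject a token signed with the wrong key, which is the property that must hold whichever message is returned.

```python
import base64
import hashlib
import hmac
import json

# Constructed example, not OpenAM's code. HS256 stands in for RS256.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, kid: str = "test-kid") -> str:
    """Mint a compact JWS (header.payload.signature) over the given claims."""
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    """Rejection, carried as the JSON body the idtokeninfo endpoint returns."""

    def __init__(self, description: str, error: str = "bad_request"):
        super().__init__(description)
        self.body = {"error_description": description, "error": error}


def claims_of(token: str) -> dict:
    # Reads the payload WITHOUT trusting it; nothing is accepted on this basis.
    try:
        _, payload, _ = token.split(".")
        return json.loads(_b64url_decode(payload))
    except ValueError:
        raise TokenError("Malformed ID token")


def is_expired(token: str, now: int, skew: int = 0) -> bool:
    exp = claims_of(token).get("exp")
    return exp is None or now > exp + skew


def verify_signature(token: str, key: bytes) -> None:
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("Invalid signature")


def verify_signed_by_us(token: str, key: bytes, now: int) -> None:
    # Assumption modelled on the report: the combined "signed by us" step
    # rejects an expired token with the same generic error as a bad signature.
    verify_signature(token, key)
    if is_expired(token, now):
        raise TokenError("Invalid signature")


def validate_before(token: str, key: bytes, now: int) -> dict:
    """Order as reported: the signature step runs first and masks the expiry."""
    verify_signed_by_us(token, key, now)
    return claims_of(token)


def validate_after(token: str, key: bytes, now: int) -> dict:
    """Proposed order: expiry check first, then the signature check."""
    if is_expired(token, now):
        raise TokenError("ID token expired")
    verify_signature(token, key)
    return claims_of(token)


def outcome(validator, token: str, key: bytes, now: int) -> dict:
    """Run a validator and return either the claims or the error body."""
    try:
        return {"ok": True, "claims": validator(token, key, now)}
    except TokenError as err:
        return err.body


if __name__ == "__main__":
    KEY = b"constructed-demo-key"      # constructed, not a real secret
    NOW = 1_600_000_000                # fixed clock so the run is reproducible
    expired = sign_hs256({"sub": "demo", "exp": NOW - 10}, KEY)
    print("before:", outcome(validate_before, expired, KEY, NOW))
    print("after: ", outcome(validate_after, expired, KEY, NOW))
```

The expiry check in validate_after reads claims from a token whose signature has not yet been verified. That is acceptable only because both branches end in a rejection; the caveat for any reordering of this kind is that no path may return claims without verify_signature having passed.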



 Comments   
Comment by Ľubomír Mlích [ 25/Jun/20 ]

Reproduced in ForgeRock Access Management 6.5.2 Build 314d553429 (2019-June-17 15:07)
Verified as fixed in ForgeRock Access Management 6.5.3-M5 Build c61acc98e9 (2020-June-15 10:38)

Setting OpenID Connect JWT Token Lifetime to 1 second was needed for reproduction (should have written that down before).

Generated at Mon Mar 01 23:19:58 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.