[OPENAM-17101] Different behavior when invalid/missing SSO token is passed in /authorize call Created: 23/Nov/20  Updated: 25/Nov/20

Status: Open
Project: OpenAM
Component/s: oauth2
Affects Version/s: 6.5.3
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Charan Mann Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
is related to OPENAM-12215 NPE thrown when calling OIDC authoriz... Resolved
Target Version/s:
Rank: 1|i02vyf:

Description

Bug description

I am seeing different behavior in 6.5.x vs 7.0 when an invalid/missing SSO token is passed in the /authorize call.

AM 6.5.3 returns error:
http://am653.example.com:8080/am?error_description=Failed%20to%20get%20resource%20owner%20session%20from%20request&error=invalid_request
AM 7.0 redirects user to login UI (expected):
http://am7.example.com:8086/am/UI/Login?realm=/customers&goto=http://am7.example.com:8086/am/oauth2/realms/root/realms/customers/authorize

How to reproduce the issue

  1. Enable OAuth provider
  2. Add an OAuth client with Authorization Code as grant type
  3. Invoke /authorize
  4. Observe different results from the above call in 6.5 vs 7.0

Expected behaviour
User should be redirected back to login UI as done in 7.0 
Current behaviour
AM 6.5.x returns an error message while 7.0 redirects the user back to the login UI

Work around

None
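The reproduction steps above amount to "call /authorize without a valid session and look at where the 302 sends you". The following is an added example, not part of this ticket or of OpenAM itself, that turns that check into a small regression probe: it classifies the Location header of an /authorize response as an error redirect (the 6.5.3 behaviour quoted above) or a login-UI redirect (the 7.0 behaviour), and optionally performs the live request. The sample URLs are the two quoted in the description; the session cookie name `iPlanetDirectoryPro`, the `/UI/Login` and `/XUI` paths and the `/oauth2/realms/...` endpoint layout are assumptions based on default AM deployments and are not taken from this ticket.

```python
"""Classify where an AM /authorize call sends a caller with a missing or invalid SSO token.

Added example for the ticket above; it is not code from the ticket or from OpenAM.
"""
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample Location values, copied from the two URLs quoted in the ticket.
SAMPLE_653_LOCATION = (
    "http://am653.example.com:8080/am?error_description="
    "Failed%20to%20get%20resource%20owner%20session%20from%20request&error=invalid_request"
)
SAMPLE_70_LOCATION = (
    "http://am7.example.com:8086/am/UI/Login?realm=/customers"
    "&goto=http://am7.example.com:8086/am/oauth2/realms/root/realms/customers/authorize"
)


def classify_authorize_redirect(location: Optional[str]) -> str:
    """Return 'error_redirect', 'login_redirect' or 'other' for a Location header value.

    'error_redirect'  - the query carries an OAuth2 'error' parameter (6.5.3 behaviour).
    'login_redirect'  - the path is the classic or XUI login page (7.0 behaviour).
    """
    if not location:
        return "other"
    parsed = urlparse(location)
    query = parse_qs(parsed.query)
    if "error" in query:
        return "error_redirect"
    path = parsed.path.rstrip("/")
    # Assumed default login-page paths for AM; adjust if the deployment customises them.
    if path.endswith("/UI/Login") or path.endswith("/XUI"):
        return "login_redirect"
    return "other"


def error_details(location: str) -> tuple:
    """Extract (error, error_description) from an error redirect; empty strings if absent."""
    query = parse_qs(urlparse(location).query)
    return (query.get("error", [""])[0], query.get("error_description", [""])[0])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the 302 so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_authorize(base_url: str, realm: str, client_id: str, redirect_uri: str,
                    cookie_name: str = "iPlanetDirectoryPro") -> str:
    """Call /authorize with a deliberately bogus session cookie and classify the redirect.

    base_url is e.g. 'http://am7.example.com:8086/am' and realm is e.g. '/customers'.
    The endpoint layout '/oauth2/realms/root/realms/<realm>/authorize' is an assumption.
    """
    realm_path = "".join("/realms/" + part for part in realm.strip("/").split("/") if part)
    url = (f"{base_url}/oauth2/realms/root{realm_path}/authorize"
           f"?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&scope=openid")
    request = urllib.request.Request(url, headers={cookie_name: "invalid-token-constructed"})
    request.add_header("Cookie", f"{cookie_name}=invalid-token-constructed")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        response = opener.open(request, timeout=10)
        location = response.headers.get("Location")
    except urllib.error.HTTPError as err:  # raised for the 302 because we refuse to follow it
        location = err.headers.get("Location")
    return classify_authorize_redirect(location)


if __name__ == "__main__":
    # Offline demonstration on the two Location values quoted in the ticket.
    for label, loc in (("6.5.3", SAMPLE_653_LOCATION), ("7.0", SAMPLE_70_LOCATION)):
        print(label, classify_authorize_redirect(loc), error_details(loc))
```

Run against a live instance with `probe_authorize("http://am7.example.com:8086/am", "/customers", "myclient", "https://app.example.com/cb")`; a result of `error_redirect` reproduces the 6.5.x behaviour, `login_redirect` the expected 7.0 behaviour.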


Generated at Thu Apr 22 19:27:08 UTC 2021 using Jira 8.16.0#816000-sha1:a455b91378454416b49bbc88d03e653cb9815ed5.