[OPENAM-17126] OIDC token : missing user info attributes Created: 30/Nov/20  Updated: 08/Dec/20  Resolved: 08/Dec/20

Status: Resolved
Project: OpenAM
Component/s: None
Affects Version/s: 7.1.0
Fix Version/s: 7.1.0

Type: Bug Priority: Critical
Reporter: Jean-Charles Deville Assignee: Phill Cunnington
Resolution: Fixed Votes: 0
Labels: DRIVE, TESLA
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OS : Linux
AM container : Tomcat 9.0.34
jdk : openjdk 11.0.8
OpenAM: 7.1.0-SNAPSHOT ef47050efe7

Rank: 1|hzy6kp:i

 Description   

As discussed here : https://forgerock.slack.com/archives/CHD58QG6A/p1606387539303000
one of the following commits, generated some regression in the OIDC token content:

47bccdccd1b	Revert "OPENAM-17072 Fix eval() method in Amster"
c643b3c2491	Revert "OPENAM-17072 Move addEval closure to method"
3b03ffdc39c	AME-19298 Create annotation based config for Radius Server service
266ee767420	AME-20141 Token exchange id_token support
080e1c17c71	OPENAM-17086

Test scenarion & symptoms :

The test is using tokens with the following properties :

  • accessTokenLifetime=3,
  • refreshTokenLifetime=60,

Scenario :

  1. user gets a couple of tokens successfully, accessing a resource through IG
  2. user waits for around 5 seconds, so that access token is no more valid, but the refresh_token is still valid
  3. user wants to access the resource through IG again, providing both tokens

While checking the content of the access_token, the test spotted the following regression :

Before regression (using AM-7.1.0-SNAPSHOT 1c0b2013980), the returned OIDC token was sthg like (look at "user_info") :

{
    "access_token": "L6FR5-javY1sHh4FMh4I2uG-SWs",
    "refresh_token": "46ZT88rD0xCra8tSfteRXN8yzSk",
    "scope": [
        "openid",
        "profile",
        "isMemberOf",
        "api_access"
    ],
    "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoia2k0NXI3T21uWnMtT3Etd05PUk9jdyIsInN1YiI6ImJvbm5pZSIsImF1ZGl0VHJhY2tpbmdJZCI6IjBkYjgwYjNlLTFhN2QtNGRiYi1iZDUwLWVkYzFhNjBjOWMwYS00MDg4IiwiaXNzIjoiaHR0cDovL29wZW5hbS5leGFtcGxlLmNvbTo4MDg2L29wZW5hbS9vYXV0aDIvZmlsdGVyc19yZWFsbSIsInRva2VuTmFtZSI6ImlkX3Rva2VuIiwiYXVkIjoiY2xpZW50X2Zvcl9vcGVuaWc5MzNfb2F1dGgyIiwiYWNyIjoiMCIsIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiIxTUt5aF8tRzM1bVVBTzktbjFjaXowRHJQamciLCJhenAiOiJjbGllbnRfZm9yX29wZW5pZzkzM19vYXV0aDIiLCJhdXRoX3RpbWUiOjE2MDY3MjQ1OTgsInJlYWxtIjoiL2ZpbHRlcnNfcmVhbG0iLCJleHAiOjE2MDY3MjgyMDYsInRva2VuVHlwZSI6IkpXVFRva2VuIiwiaWF0IjoxNjA2NzI0NjA2fQ.zJrAOYsMkhyRjL5EKS34TLj6Bpwxl3dFMlBl2UpPYHFNvEAcmkK79nBSjvAItLOzoB36Rw1605zhhcVnidh6m5mLauRonAxt3Sq6d9oldh5OMk_kM9jBbpZ8p5hpzU8Jr2TAasE_gxij0nWKUutEyx0Q88bOSG5UkA63cSW8IMM0aEOfXHhQ2fnapayWamri422GXrNW1i0ToKbwe0ioj8R5bY5Z1vqNHCvJqOUpeyykrJd-b1ziI-8Um9V5R7GY3niD6MPcoa9RiSqSz5PDvdO8ctk0vTOtYewmkHjt_IHHhr6NyFoZuIS6066jMHHi6CH87DUzpZY8-Gdk62k7zQ",
    "token_type": "Bearer",
    "expires_in": 1,
    "client_registration": "client_for_openig933_oauth2",
    "client_endpoint": "http://openig.example.com:8084/openig933_oauth2",
    "id_token_claims": {
        "at_hash": "ki45r7OmnZs-Oq-wNOROcw",
        "sub": "bonnie",
        "auditTrackingId": "0db80b3e-1a7d-4dbb-bd50-edc1a60c9c0a-4088",
        "iss": "http://openam.example.com:8086/openam/oauth2/filters_realm",
        "tokenName": "id_token",
        "aud": [
            "client_for_openig933_oauth2"
        ],
        "acr": "0",
        "org.forgerock.openidconnect.ops": "1MKyh_-G35mUAO9-n1ciz0DrPjg",
        "azp": "client_for_openig933_oauth2",
        "auth_time": 1606724598,
        "realm": "/filters_realm",
        "exp": "2020-11-30T09:23:26+0000",
        "tokenType": "JWTToken",
        "iat": "2020-11-30T08:23:26+0000"
    },
    "user_info": {
        "family_name": "bonnie",
        "name": "bonnie",
        "sub": "bonnie"
    }
}

After regression (using AM-7.1.0-SNAPSHOT 47bccdccd1b), the returned OIDC token is sthg like (look at "user_info") :

{
    "access_token": "Ds5rzXEQ84jqLkQlarUuIn-NqIQ",
    "refresh_token": "kzbm-AAHF5iKDUYuG3Jw4C_dEUk",
    "scope": [
        "openid",
        "profile",
        "isMemberOf",
        "api_access"
    ],
    "id_token": "eyJ0eXAiOiJKV1QiLCJraWQiOiJ3VTNpZklJYUxPVUFSZVJCL0ZHNmVNMVAxUU09IiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiUVp3SHVEN3NDZU1udnNjMWgzaXVkQSIsInN1YiI6ImJvbm5pZSIsImF1ZGl0VHJhY2tpbmdJZCI6ImJhMjcwMGI0LTFhN2MtNDVmOC1iOWY5LTc1ZDk2YTAxY2I4ZS0zNjQxIiwiaXNzIjoiaHR0cDovL29wZW5hbS5leGFtcGxlLmNvbTo4MDg2L29wZW5hbS9vYXV0aDIvZmlsdGVyc19yZWFsbSIsInRva2VuTmFtZSI6ImlkX3Rva2VuIiwiYXVkIjoiY2xpZW50X2Zvcl9vcGVuaWc5MzNfb2F1dGgyIiwiYWNyIjoiMCIsIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiJGWnY1cUZnNVlzNlJtUDdZQTctSlJJVjFIYVEiLCJhenAiOiJjbGllbnRfZm9yX29wZW5pZzkzM19vYXV0aDIiLCJhdXRoX3RpbWUiOjE2MDY3MjQwODMsInJlYWxtIjoiL2ZpbHRlcnNfcmVhbG0iLCJleHAiOjE2MDY3Mjc2OTAsInRva2VuVHlwZSI6IkpXVFRva2VuIiwiaWF0IjoxNjA2NzI0MDkwfQ.zpMNaq6tksS2hSlF8TU9hvdTrZxqC76q0cWwedWlxnY_kBT2GjIaeORN2QHxuBDQmwHhoeS70v6FpjC-0F5aN5VDRhSSTKJ2AnTbJGZRmUTGqqiiSr01BtqgpCGyWZxpu3VGAbMphM9H4A1-lK2Pu7RPwCCSqV9E0CcQA1PcjQrlgfpsl0MT_BsOh6FX3JLLmLA3HFNxa6cqOc7t8o1PXXZ-9Gv7p-vDToDb4Ge0ZXgvAm7EqVit57NtnpY3yTtWJKiDfTK37Sh7yvr22Ge5hEKNHIaPDzQwpJHaAsLH22ZxnUKRfUnM_wKVFtPSFvvSIqYwrn29NSWketa_Fq3iiA",
    "token_type": "Bearer",
    "expires_in": 1,
    "client_registration": "client_for_openig933_oauth2",
    "client_endpoint": "http://openig.example.com:8084/openig933_oauth2",
    "id_token_claims": {
        "at_hash": "QZwHuD7sCeMnvsc1h3iudA",
        "sub": "bonnie",
        "auditTrackingId": "ba2700b4-1a7c-45f8-b9f9-75d96a01cb8e-3641",
        "iss": "http://openam.example.com:8086/openam/oauth2/filters_realm",
        "tokenName": "id_token",
        "aud": [
            "client_for_openig933_oauth2"
        ],
        "acr": "0",
        "org.forgerock.openidconnect.ops": "FZv5qFg5Ys6RmP7YA7-JRIV1HaQ",
        "azp": "client_for_openig933_oauth2",
        "auth_time": 1606724083,
        "realm": "/filters_realm",
        "exp": "2020-11-30T09:14:50+0000",
        "tokenType": "JWTToken",
        "iat": "2020-11-30T08:14:50+0000"
    },
    "user_info": {
        "sub": "bonnie"
    }
}

Steps to reproduce with pyforge :

  • - git pull PyForge
  • - ./cleanup.py -f
  • - ./configure.py
  • - make sure your /etc/hosts is properly configured for IG functional tests : (cf hosts on docker : https://pyforge.engineering.forgerock.com/docs/getting-started#prepare-docker-on-your-machine)
  • - in config.cfg, update the IG section with WEBCONTAINER_TYPE=standalone
  • - launch the following commands (on Linux/Mac), in the PyForge root directory :
    ./run-pybot.py -s Filters/OAuth2ClientFilter/RefreshTokenUseCases/OPENIG-933/ -t Refresh_Openidconnect_Token_Using_Oauth2ResourceServer_Filter_Should_Succeed -n ig
    Servers are then available for checks... (NB : test may have been modified, to expect the current error)
  • - ./cleanup.py -f
Generated at Mon Mar 01 10:10:37 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.