[OPENAM-5197] OAuth2 client fails to add access_token to tokeninfo call Created: 03/Dec/14  Updated: 11/Dec/14  Resolved: 11/Dec/14

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 12.0.0, 13.0.0
Fix Version/s: 12.0.0, 13.0.0

Type: Bug Priority: Major
Reporter: Tuhin Kumar [X] (Inactive) Assignee: Jaco Jooste
Resolution: Fixed Votes: 0
Labels: 12.0.0-MUST-FIX, AME, TESLA, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: All


Sprint: Sprint 74 - Team Tesla, Sprint 75 - Team Tesla

Description

Steps:

1. configure OpenAM as the authz server
2. configure OpenAM as oauth2 client
3. Create an oauth2 authentication module.
4. For User Profile Service URL, configure it to point to tokeninfo. e.g: http://demo.idp.com:8080/openam/oauth2/tokeninfo
5. Use cn for scope.
6. Use cn for account and attribute mapping.
7. register the oauth2 client from above with authz server.
8. Use cn for scope here too.

Try to access the client, with authentication module configured for the client.

Observation:

The user gets redirected to the authz server. The consent page shows up after successful authentication, it gets redirected back to the oauth client, but fails to log in with an error message on the page:

"Unable to login to OpenAM"

Notes:

Apparently, the access token is missing when the request to tokeninfo endpoint is made:

service url: http://demo.idp.com:8080/openam/oauth2/tokeninfo
amAuth:12/03/2014 11:28:12:645 AM PST: Thread[http-bio-8080-exec-3,5,main]
OAuth.getContentStreamByGET: HTTP Conn Error:
Response code: 400
Response message: Bad Request
Error stream:

{"error":"invalid_request","error_description":"Missing access_token"}

amAuth:12/03/2014 11:28:12:645 AM PST: Thread[http-bio-8080-exec-3,5,main]
OAuth.getContentStreamByPOST: URL = http://demo.idp.com:8080/openam/oauth2/tokeninfo
amAuth:12/03/2014 11:28:12:645 AM PST: Thread[http-bio-8080-exec-3,5,main]
OAuth.getContentStreamByPOST: Query: null
amLoginModule:12/03/2014 11:28:12:646 AM PST: Thread[http-bio-8080-exec-3,5,main]
SETTING Failure Module name.... :fed

This leads to NPE:

javax.security.auth.login.LoginException: java.lang.NullPointerException
at java.io.Writer.write(Writer.java:157)
at org.forgerock.openam.authentication.modules.oauth2.OAuth.getContentStreamByPOST(OAuth.java:715)
at org.forgerock.openam.authentication.modules.oauth2.OAuth.getContentStreamByGET(OAuth.java:657)
at org.forgerock.openam.authentication.modules.oauth2.OAuth.getContent(OAuth.java:585)
at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:271)
at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1023)
at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1197)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Tried it out with curl, using the access token from the logs, and it works fine, returning "cn", which is used to map accounts.

curl http://demo.idp.com:8080/openam/oauth2/tokeninfo?access_token=3eec91ec-65ab-4209-a610-8b7d2853b6bf

{"scope":["cn"],"grant_type":"authorization_code","cn":"demo","realm":"/","token_type":"Bearer","expires_in":25,"access_token":"3eec91ec-65ab-4209-a610-8b7d2853b6bf"}

Also, replaced tokeninfo endpoint with userinfo. This might be okay with OpenID Connect flows, but not OAuth2. In this case, sub=id mapping would always create a new subject. Would help if we can return other parameters like email, cn etc. Now the response from userinfo :

access_token: 6621150d-7e86-4562-9a87-64dc074dabe1
amAuth:12/03/2014 12:16:09:255 PM PST: Thread[http-bio-8080-exec-8,5,main]
service url: http://demo.idp.com:8080/openam/oauth2/userinfo
amAuth:12/03/2014 12:16:09:288 PM PST: Thread[http-bio-8080-exec-8,5,main]
OAuth.getContentStreamByGET: HTTP Conn OK
amAuth:12/03/2014 12:16:09:289 PM PST: Thread[http-bio-8080-exec-8,5,main]
OAuth.process(): Profile Svc response:

{"sub":"demo","updated_at":"1417486202"}

amAuth:12/03/2014 12:16:09:304 PM PST: Thread[http-bio-8080-exec-8,5,main]
defaultAttributeMapper.getAttributes:

{id=sub}

amAuth:12/03/2014 12:16:09:305 PM PST: Thread[http-bio-8080-exec-8,5,main]
defaultAttributeMapper.getAttributes: id:sub

Comments
Comment by James Phillpotts [ 04/Dec/14 ]

I'm not sure tokeninfo is the right endpoint to be using here - the userinfo one makes more sense to me - we don't actually restrict it to OIDC - as long as you have one or more of the profile, email, address and phone scopes granted, you should be able to get information from it.

Comment by James Phillpotts [ 04/Dec/14 ]

Although I guess it doesn't support custom attributes.

Comment by Tuhin Kumar [X] (Inactive) [ 05/Dec/14 ]

Additional info: The authorization grant flow breaks if I add openid and profile as scopes to the OpenId Agent in the OpenAM instance acting as OpenID Provider.

However, it works fine when I use a curl command to query openid token.

Comment by James Phillpotts [ 05/Dec/14 ]

The fix for this should just involve updating TokenInfoServiceImpl to get the token id from a Bearer type Authorization header if it's not on a request param.

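The behaviour the fix comment above describes, as an added example that is not OpenAM code and not the commenter's: a tokeninfo-style handler that resolves the access token from the access_token query parameter first and from an "Authorization: Bearer" header otherwise, answering with the same "Missing access_token" body the report shows when neither is present, plus a client helper that sends the token in the header and fails early instead of writing a null body (the NullPointerException path in the stack trace in the description). The token store, the sample record and all function names are constructed assumptions; the invalid_token error code is the RFC 6750 value, not OpenAM's own wording.

```python
"""Added example, not OpenAM's code: token resolution for a tokeninfo-style
endpoint from either the access_token query parameter or an
"Authorization: Bearer" header, and a client helper that uses the header.
The token store and the sample record below are constructed for the example."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample store: token id -> claims, shaped like the tokeninfo JSON
# quoted in the report. Not real OpenAM data.
TOKENS = {
    "3eec91ec-65ab-4209-a610-8b7d2853b6bf": {
        "scope": ["cn"],
        "grant_type": "authorization_code",
        "cn": "demo",
        "realm": "/",
        "token_type": "Bearer",
        "expires_in": 25,
    },
}


def extract_access_token(url, headers):
    """Return the token id from ?access_token=... if present, otherwise from an
    'Authorization: Bearer <token>' header (header names compared
    case-insensitively). Returns None when neither carries a token."""
    values = parse_qs(urlsplit(url).query).get("access_token")
    if values and values[0]:
        return values[0]
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth:
        scheme, _, credential = auth.strip().partition(" ")
        if scheme.lower() == "bearer" and credential.strip():
            return credential.strip()
    return None


def tokeninfo(url, headers):
    """Server side: return (http_status, body) for a tokeninfo request.
    A request carrying no token gets the 400 body shown in the report."""
    token = extract_access_token(url, headers)
    if token is None:
        return 400, {"error": "invalid_request",
                     "error_description": "Missing access_token"}
    claims = TOKENS.get(token)
    if claims is None:
        # RFC 6750 error code for an unknown or expired token (assumption:
        # OpenAM's exact wording for this case is not in the report).
        return 401, {"error": "invalid_token",
                     "error_description": "Unknown access_token"}
    body = dict(claims)
    body["access_token"] = token
    return 200, body


def build_tokeninfo_request(service_url, access_token):
    """Client side: carry the token in the Authorization header rather than the
    query string, and refuse to build a request with no token instead of
    sending a null body (the NullPointerException path in the stack trace)."""
    if not access_token:
        raise ValueError("no access token available for the profile service call")
    return service_url, {"Authorization": "Bearer " + access_token}


if __name__ == "__main__":
    base = "http://demo.idp.com:8080/openam/oauth2/tokeninfo"
    url, hdrs = build_tokeninfo_request(base, "3eec91ec-65ab-4209-a610-8b7d2853b6bf")
    print(tokeninfo(url, hdrs))                        # header path, 200 with cn=demo
    print(tokeninfo(base + "?access_token=3eec91ec-65ab-4209-a610-8b7d2853b6bf", {}))
    print(json.dumps(tokeninfo(base, {})[1]))          # neither present: Missing access_token
```

The query-parameter lookup runs first so existing callers that append ?access_token= keep working, and the header lookup only accepts the Bearer scheme, so a Basic credential on the same request is not mistaken for a token.
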
Comment by Jaco Jooste [ 11/Dec/14 ]

This currently does not work with the XUI if "Prompt for password setting and activation code" is selected in the OAuth 2.0 auth module. The old UI used a template JSP for this feature.
