[OPENAM-5421] TokenResource ignores query string passed from client Created: 15/Jan/15  Updated: 20/Nov/16  Resolved: 20/Nov/16

Status: Closed
Project: OpenAM
Component/s: oauth2
Affects Version/s: 12.0.0
Fix Version/s: 12.0.1, 13.0.0

Type: Bug Priority: Major
Reporter: Sachiko Wallace Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates OPENAM-5335 OAuth2: /frrest/oauth2/token query do... Resolved
Relates
relates to OPENAM-5556 frrest REST interface needs versionin... Open
Sprint: Sprint 77 - Sustaining
Support Ticket IDs:
Verified Version/s:

Description

1. retrieve admin SSO token
curl --request POST --header "X-OpenAM-Username: amadmin" --header "X-OpenAM-Password: cangetin" --header "Content-Type: application/json" --data "{}" http://openam.example.com:8080/opensso/json/authenticate

2. generate token for "testuser01"
curl --request POST --data "client_id=myClientID&client_secret=cangetin&grant_type=password&username=testuser01&password=cangetin" http://openam.example.com:8080/opensso/oauth2/access_token

3. query token for user "testuser01"
curl --header "iplanetDirectoryPro: AQIC5wM2LY4SfcyZVLRVkG6JIbvSAvl2QWS-o4.AAJTSQACMDEAAlNLABM1NTc5Mjc2ODkxOTUxNjU5Njcx" "http://openam.example.com:18080/opensso/frrest/oauth2/token?_queryId=userName=testuser01"

TokenResource#queryCollection doesn't pass query strings from client
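To make the bug and its safe fix concrete, here is an added Python model of the frrest token query; it is example code written for this page, not OpenAM's TokenResource or any other OpenAM code. It parses the `_queryId=userName=testuser01` form used in step 3, shows the reported behaviour (the client's query is dropped and every token comes back), and beside it a version that honours the query while addressing the follow-up concern that arbitrary client-supplied queries must not be passed through: the field is checked against an allowlist, filter metacharacters are refused, and a non-admin caller may only query its own userName. The token store, the allowlist, the caller records and the admin rule are all constructed assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not real OpenAM tokens): what the frrest token
# collection might hold after step 2 of the reproduction has been run for
# several users and clients.
TOKENS = [
    {"id": "tok-1", "userName": "testuser01", "clientID": "myClientID", "tokenName": "access_token"},
    {"id": "tok-2", "userName": "testuser02", "clientID": "myClientID", "tokenName": "access_token"},
    {"id": "tok-3", "userName": "testuser01", "clientID": "otherClient", "tokenName": "refresh_token"},
]

# Assumption: only these attributes may appear as the key of _queryId.
QUERYABLE_FIELDS = frozenset({"userName", "clientID", "tokenName"})

# Characters with meaning in LDAP/SQL-style filters. An exact-match query has
# no legitimate use for them, so refusing them keeps a backing store from ever
# seeing client-supplied filter syntax.
FILTER_METACHARS = set("*()\\\x00")

# Constructed callers. In practice the SSO token from step 1 would identify the
# caller; here the identity is passed in directly.
ADMIN = {"userName": "amadmin", "is_admin": True}
TESTUSER02 = {"userName": "testuser02", "is_admin": False}


class QueryError(ValueError):
    """Raised when _queryId is missing, malformed, or not permitted."""


def parse_query_id(url):
    """Return (field, value) from the _queryId parameter of `url`.

    parse_qs splits each pair on its first '=', so
    '?_queryId=userName=testuser01' yields 'userName=testuser01' intact.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    raw = params.get("_queryId")
    if not raw or len(raw) != 1:
        raise QueryError("exactly one _queryId parameter is required")
    field, sep, value = raw[0].partition("=")
    if not sep or not field or not value:
        raise QueryError("_queryId must have the form field=value")
    return field, value


def query_tokens_ignoring_client(url, store=TOKENS):
    """Behaviour the ticket reports: the client's query never reaches the
    collection, so every token is returned regardless of _queryId."""
    return list(store)


def query_tokens(url, caller, store=TOKENS):
    """Honour the client's _queryId, but only on allowlisted fields, with exact
    matching, and only within the caller's authority."""
    field, value = parse_query_id(url)
    if field not in QUERYABLE_FIELDS:
        raise QueryError(f"field {field!r} is not queryable")
    if FILTER_METACHARS & set(value):
        raise QueryError("wildcards and filter syntax are not allowed")
    # Assumption: a non-admin caller may list only its own tokens.
    if not caller["is_admin"] and (field != "userName" or value != caller["userName"]):
        raise QueryError("caller may only query tokens for its own userName")
    return [t for t in store if t[field] == value]


def query_error(url, caller, store=TOKENS):
    """Return the QueryError message for a rejected request, or None if allowed."""
    try:
        query_tokens(url, caller, store)
    except QueryError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    url = "http://openam.example.com:8080/opensso/frrest/oauth2/token?_queryId=userName=testuser01"
    print("buggy  :", [t["id"] for t in query_tokens_ignoring_client(url)])
    print("fixed  :", [t["id"] for t in query_tokens(url, ADMIN)])
    print("denied :", query_error(url, TESTUSER02))
```

The in-memory store compares values exactly, so the metacharacter check is belt and braces here; it matters once the value is turned into a filter against a directory or database, where it must be escaped or rejected before the query is built.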



Comments
Comment by Sachiko Wallace [ 20/Jan/15 ]

Original implementation allows any arbitrary queries to be passed and there needs to be better security when fixing this issue.

Comment by Andrew Vinall [ 14/Jan/16 ]

Verified:
12.0.2
OpenAM 13.0.0-RC10 Build 8a10f6b174 (2016-January-14 10:36)

Comment by Quentin CASTEL [X] (Inactive) [ 20/Nov/16 ]

modification of the status, in order to migrate the 'Zendesk ID' field to 'Support Ticket ID' field.

Generated at Tue Oct 27 03:26:51 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.