[OPENAM-6552] access_token request sent by OAuth2Saml2GrantSPAdapter is not realm aware Created: 10/Aug/15  Updated: 20/Nov/16  Resolved: 14/Jan/16

Status: Resolved
Project: OpenAM
Component/s: oauth2, SAML
Affects Version/s: 12.0.0, 12.0.1
Fix Version/s: 12.0.3, 13.0.0

Type: Bug Priority: Major
Reporter: Sachiko Wallace Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: 0h
Time Spent: 2h
Original Estimate: 0h

Issue Links:
is related to OPENAM-4344 OAuth2 SAML bearer grant does not work Resolved
Rank: 1|hzqt87:
Sprint: AM Sustaining Sprint 16
Support Ticket IDs:


Set up OAuth2 authorization server on SAML2 service provider side as described in : http://docs.forgerock.org/en/openam/12.0.0/admin-guide/index/chap-oauth2.html

When configuring OAuth2 client on SP side, create it under a subrealm.
SSO request will end up with exception on SP side as client verification failed. This is because OAuth2Saml2GrantSPAdapter is not submitting access_token request with realm parameter.

Comment by Sachiko Wallace [ 10/Aug/15 ]

solution could be something like:

         if (hostedEntityID.endsWith("/")){
            } else {
            sb.append("?realm=" + ((realm==null || realm.isEmpty()) ? "/" : realm));
Comment by Mark de Reeper [ 10/Aug/15 ]


            sb.append("?realm=" + (StringUtils.isBlank(realm) ? "/" : realm));
Comment by Peter Major [X] (Inactive) [ 10/Aug/15 ]

Looks like OPENAM-4344 was meant to resolve this, but failed to do so for some reason.

Comment by Sachiko Wallace [ 14/Jan/16 ]

I committed the fix into trunk on 20th Oct, 2015 but forgot to mark as resolved.

Generated at Sat Feb 27 04:18:58 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.