[OPENAM-8270] Using client_credentials Grant type with openid scope returns User must be authenticated to issue ID tokens. Created: 03/Feb/16  Updated: 30/Oct/17  Resolved: 05/Jul/17

Status: Resolved
Project: OpenAM
Component/s: OpenID Connect
Affects Version/s: 13.0.0
Fix Version/s: 13.5.0, 14.1.1, 14.5.0

Type: Bug Priority: Major
Reporter: Joe Starling Assignee: Quentin CASTEL [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: EDISON, test-candidate
Remaining Estimate: 1h
Time Spent: 2h
Original Estimate: 3h

Attachments: HTML File OAuth2Provider
Issue Links:
Relates
is related to OPENAM-7170 Password grant type can't be used wit... Resolved
Target Version/s:
Sprint: AM Sustaining Sprint 16, AM Sustaining Sprint 17, AM Sustaining Sprint 41
Story Points: 2
Support Ticket IDs:
Verified Version/s:

Description

Set up an OpenID environment

Send the following request:

curl -X POST -d 'grant_type=client_credentials&scope=openid&client_id=MyClientId&client_secret=password' "http://openam.example.com:58080/openam/oauth2/access_token" -v

Returns

{"error":"server_error","error_description":"User must be authenticated to issue ID tokens."}

OAuth2Provider debug:

WARNING: Error authenticating user against OpenAM:
com.iplanet.sso.SSOException: Invalid session ID.
at com.iplanet.sso.providers.dpro.SSOProviderImpl.createSSOToken(SSOProviderImpl.java:131)
at com.iplanet.sso.SSOTokenManager.createSSOToken(SSOTokenManager.java:296)
at org.forgerock.openam.oauth2.OpenAMResourceOwnerSessionValidator.validate(OpenAMResourceOwnerSessionValidator.java:141)
at org.forgerock.openidconnect.OpenIDTokenIssuer.issueToken(OpenIDTokenIssuer.java:82)
at org.forgerock.openam.oauth2.OpenAMScopeValidator.additionalDataToReturnFromTokenEndpoint(OpenAMScopeValidator.java:454)
at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.additionalDataToReturnFromTokenEndpoint(OpenAMOAuth2ProviderSettings.java:469)
at org.forgerock.oauth2.core.ClientCredentialsGrantTypeHandler.handle(ClientCredentialsGrantTypeHandler.java:84)
at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:82)
at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:92)
at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:87)
at sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

Using other scopes (profile) works correctly and gets the expected output:

{"scope":"profile","expires_in":3599,"token_type":"Bearer","access_token":"db85e5ee-4134-451b-b5cb-e93d00dbd371"}

Using different Grant types for the openid scope works as expected.

Debug attached.
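An ID token asserts that an end user was authenticated; the client_credentials grant has no end user, so the request above is one the server has to either ignore the openid scope for or refuse with an OAuth2 error, never a 500. The following regression check is an added example, not part of this report or of OpenAM's own code: it sends the same request as the curl command above (the endpoint URL, client_id and client_secret are placeholders to be replaced) and classifies the JSON body as the server_error from this issue, some other OAuth2 error, or a well-formed access token response. The two sample bodies are copied from the report so the classifier can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Token endpoint from the report; replace with your own deployment (assumed value).
TOKEN_ENDPOINT = "http://openam.example.com:58080/openam/oauth2/access_token"

# The exact error_description quoted in this issue.
BUG_MESSAGE = "User must be authenticated to issue ID tokens."

# Sample bodies copied from the report, used for offline checks.
SAMPLE_BUG_RESPONSE = ('{"error":"server_error","error_description":'
                       '"User must be authenticated to issue ID tokens."}')
SAMPLE_OK_RESPONSE = ('{"scope":"profile","expires_in":3599,"token_type":"Bearer",'
                      '"access_token":"db85e5ee-4134-451b-b5cb-e93d00dbd371"}')


def classify_token_response(body: str) -> str:
    """Classify a token endpoint JSON body.

    Returns one of:
      "regression"   - the server_error described in this issue
      "oauth_error"  - any other RFC 6749 error response
      "access_token" - a well-formed successful response
    Raises ValueError if a success response is missing required fields.
    """
    data = json.loads(body)
    if "error" in data:
        if data["error"] == "server_error" and data.get("error_description") == BUG_MESSAGE:
            return "regression"
        return "oauth_error"
    # Minimal sanity checks on a success response (RFC 6749 section 5.1).
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    expires = data.get("expires_in")
    if not isinstance(expires, int) or expires <= 0:
        raise ValueError("missing or non-positive expires_in")
    if not data.get("access_token"):
        raise ValueError("missing access_token")
    return "access_token"


def request_token(client_id: str, client_secret: str, scope: str,
                  endpoint: str = TOKEN_ENDPOINT) -> str:
    """Send the client_credentials request from the report; return the raw body.

    Like the curl command, the credentials travel in the POST body. A production
    client should use HTTP Basic client authentication over HTTPS instead.
    """
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(endpoint, data=form, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        # OAuth2 error responses carry a JSON body with a 4xx/5xx status code.
        return err.read().decode()


def scope_triggers_regression(client_id: str, client_secret: str) -> bool:
    """True if requesting scope=openid with client_credentials hits this bug."""
    body = request_token(client_id, client_secret, "openid")
    return classify_token_response(body) == "regression"


if __name__ == "__main__":
    # Offline demonstration on the two bodies quoted in the report.
    print("openid  ->", classify_token_response(SAMPLE_BUG_RESPONSE))
    print("profile ->", classify_token_response(SAMPLE_OK_RESPONSE))
```

Run `scope_triggers_regression("MyClientId", "<secret>")` against a test deployment after an upgrade to confirm the fix is still in place, which is what the later comment about the regression on master calls for.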

Comments
Comment by himanshu jain [X] (Inactive) [ 21/Apr/16 ]

Hi,

What is the status of this issue? I tried using 14.0.0-snapshot but still it was not working at all. It was giving some other issue. I am trying to use client_credentials oauth2 flow.

Thanks
Himanshu

Comment by Quentin CASTEL [X] (Inactive) [ 30/Jun/17 ]

Re-opening as in 14, it's apparently broken again.

Note that at the time I fixed it in 13.5.0, this version was the current master. It's a regression introduced on master since the 13.5.0 release.

Comment by Ľubomír Mlích [ 07/Jul/17 ]

Verified in 14.1.1-RC1
