[OPENAM-9940]  OpenID Authorization Code Flow fails to get sessionID from request in 12.0.4 Created: 01/Nov/16  Updated: 12/Apr/17  Resolved: 04/Nov/16

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 12.0.4
Fix Version/s: 12.0.5

Type: Bug Priority: Major
Reporter: Jonathan Thomas Assignee: Jonathan Thomas
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to OPENAM-6160 auth_time is updated when refreshing ... Resolved
Target Version/s:
Sprint: AM Sustaining Sprint 30
Support Ticket IDs:

Description

Steps to reproduce using Tomcat 7 and OpenAM 12.0.4.
This does not affect 12.0.3, 13.0.0 or 13.5.0.

1) Configure an OAuth2 provider using Common Tasks and create an OAuth2 agent, specifying the openid scope.

2) Make an authorization request to get an authorization code:

http://openam.example.com:8080/openam/oauth2/authorize?response_type=code&scope=openid&client_id=myoauthclient&redirect_uri=https%3A%2F%2Fwww.google.co.uk

3) Click Allow on the consent page and copy the authorization code.
4) Use the authorization code to request an access token using curl:

curl -X POST --user "myoauthclient:password" -H "Cache-Control: no-cache" -d 'grant_type=authorization_code&code=a..13&redirect_uri=https%3A%2F%2Fwww.google.co.uk' http://openam.example.com:8080/openam/oauth2/access_token

Expected result:
Access code is returned

Observed result:
The server returns the following error:

400 Bad Request 
{"error_description":"User must be authenticated to issue ID tokens.","error":"server_error"}
In the log:
message: User must be authenticated to issue ID tokens. 
stack trace: 
org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired: The request requires a redirect. 
at org.forgerock.openam.oauth2.OpenAMResourceOwnerSessionValidator.authenticationRequired(OpenAMResourceOwnerSessionValidator.java:282)
at org.forgerock.openam.oauth2.OpenAMResourceOwnerSessionValidator.validate(OpenAMResourceOwnerSessionValidator.java:190) 
at org.forgerock.openidconnect.OpenIDTokenIssuer.issueToken(OpenIDTokenIssuer.java:81) 
at org.forgerock.openam.oauth2.OpenAMScopeValidator.additionalDataToReturnFromTokenEndpoint(OpenAMScopeValidator.java:323) 
at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.additionalDataToReturnFromTokenEndpoint(OpenAMOAuth2ProviderSettings.java:453) 
at org.forgerock.oauth2.core.AuthorizationCodeGrantTypeHandler.handle(AuthorizationCodeGrantTypeHandler.java:146) 
at org.forgerock.oauth2.core.AccessTokenServiceImpl.requestAccessToken(AccessTokenServiceImpl.java:88) 
at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:79) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) 
at java.lang.reflect.Method.invoke(Unknown Source) 
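The following script is an added example, not part of the original issue or of the OpenAM project. It wraps step 4 so the token exchange can be re-run as a regression check: exchange_code posts the authorization code to the token endpoint the same way the curl command above does, and check_token_response classifies the reply so a script can distinguish a healthy OpenID Connect response (access_token and id_token both present) from the 12.0.4 failure described here (a non-200 status with "User must be authenticated to issue ID tokens"). The endpoint, client id, client password and redirect URI default to the sample values in this report and are assumed, not real deployment values.

```shell
# Added example (not OpenAM project code). Regression check for the
# authorization-code-to-token exchange with scope=openid.
# Defaults below are the sample values from the issue; override via env.
OPENAM_BASE="${OPENAM_BASE:-http://openam.example.com:8080/openam}"
CLIENT_ID="${CLIENT_ID:-myoauthclient}"
CLIENT_SECRET="${CLIENT_SECRET:-password}"
REDIRECT_URI="${REDIRECT_URI:-https://www.google.co.uk}"

# Exchange an authorization code for tokens at the token endpoint.
# Prints the response body followed by a line "HTTP_STATUS=<code>".
# --data-urlencode encodes redirect_uri for us, matching the report's
# pre-encoded https%3A%2F%2Fwww.google.co.uk form.
exchange_code() {
    code="$1"
    curl -s -X POST --user "$CLIENT_ID:$CLIENT_SECRET" \
        -H "Cache-Control: no-cache" \
        --data-urlencode "grant_type=authorization_code" \
        --data-urlencode "code=$code" \
        --data-urlencode "redirect_uri=$REDIRECT_URI" \
        -w '\nHTTP_STATUS=%{http_code}\n' \
        "$OPENAM_BASE/oauth2/access_token"
}

# Classify a token endpoint reply. Arguments: HTTP status, JSON body.
# Prints exactly one of: ok, missing-id-token, no-session, other-error.
# Returns 0 only for "ok". Matching is done with grep on the raw JSON so
# the check needs nothing beyond a POSIX shell and curl.
check_token_response() {
    status="$1"
    body="$2"
    case "$status" in
        200)
            if printf '%s' "$body" | grep -q '"access_token"'; then
                if printf '%s' "$body" | grep -q '"id_token"'; then
                    echo ok
                    return 0
                fi
                # openid was requested but the server issued no ID token
                echo missing-id-token
                return 1
            fi
            echo other-error
            return 1
            ;;
        *)
            # The 12.0.4 symptom: the token endpoint cannot find the
            # resource owner's session and refuses to issue the ID token.
            if printf '%s' "$body" | grep -q 'User must be authenticated to issue ID tokens'; then
                echo no-session
                return 1
            fi
            echo other-error
            return 1
            ;;
    esac
}

# Driver: set AUTH_CODE to the code copied in step 3 to run the live check.
# With AUTH_CODE unset the script only defines the functions above.
if [ -n "${AUTH_CODE:-}" ]; then
    reply=$(exchange_code "$AUTH_CODE")
    status=$(printf '%s\n' "$reply" | sed -n 's/^HTTP_STATUS=//p')
    body=$(printf '%s\n' "$reply" | grep -v '^HTTP_STATUS=')
    check_token_response "$status" "$body"
fi
```

Run it as AUTH_CODE=<code> sh check.sh against a 12.0.4 instance and it prints no-session with exit status 1 for the failure in this report; against a fixed build it prints ok.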


Comments
Comment by Jonathan Thomas [ 01/Nov/16 ]

The OpenAMResourceOwnerSessionValidator.getResourceOwnerSession() method needs an extra call to get the sessionID from the request when getting the token, as per 13.5.0.

    try {
        // Fall back to the session carried by the request when no
        // SSOToken was found on the OAuth2 request itself
        if (token == null) {
            token = ssoTokenManager.createSSOToken(request.getSession());
        }
    } catch (SSOException e) {
        logger.warning("Error authenticating user against OpenAM: ", e);
    }
Comment by Jonathan Thomas [ 01/Nov/16 ]

Backport of where session validation for OpenID was introduced.
