ForgeRock / openid

Trying OpenAM's OpenID Connect 1.0 features

Realm parameter not included when using sub-realm without DNS alias #14

Open lawrenceyfr opened 6 years ago

lawrenceyfr commented 6 years ago

Description

Error 'Client authentication failed' when using the openid sample application, with an AM sub-realm and not using the sub-realm's DNS alias (or with no sub-realm DNS alias).

Steps to reproduce:

  1. Deploy an AM instance.
  2. Deploy the openid sample from https://github.com/ForgeRock/openid
  3. Create a sub-realm, subscribers. Define a DNS alias for the realm, e.g. subscribers.amtest2.com
  4. Create a test user account, e.g. testuser1. This can also be done using a separate data store if desired.
  5. Configure common.js of openid to point to the AM app context, to use a sub-realm of subscribers and the relevant client_id and client_secret.
  6. Using the base URL of the site (top-level realm URL, e.g. openam.amtest2.com), navigate to the home page of openid (/openid), and select 'Try the Basic Client Profile'. Review the settings towards the bottom of the page.
  7. From the dashboard of the subscribers realm, create an OpenID Connect Provider. Leave settings as default.
  8. Create an application -> OAuth2 Client with a client_id of e.g. testoauth, a secret, and a redirection URI matching that in the openid settings above.
  9. Leave the OAuth2 client settings for ID Token Signed Response Algorithm at the default values (these do not have a bearing on this test).
  10. Using the openid application, click 'Start authorisation' at the bottom of the page. Log in as testuser1. Click to allow authorization. See an error message containing the following information:

      Error obtaining access token:
      { "readyState": 4, "responseText": "{\"error_description\":\"Client authentication failed\",\"error\":\"invalid_client\"}", "responseJSON": { "error_description": "Client authentication failed", "error": "invalid_client" }, "status": 401, "statusText": "Unauthorized" }

  11. Repeat, but navigate to the openid application using the subscribers DNS alias, e.g. subscribers.amtest2.com/openid. Repeat step 10. Now see a final page that indicates successful OAuth2 authorisation, and the details of the received token are displayed.

Investigation

Looks as though the realm name is not passed through on the POST request; as a result, AM attempts to find the OIDC client id (testoauth) in the top-level realm, not the sub-realm, and fails.
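A constructed model, added here and not code from the openid sample or from AM, of the realm resolution this report describes: a realm-scoped client lookup that takes the realm from a DNS alias on the Host header or from an explicit realm query parameter and otherwise falls back to the top-level realm, plus a token-request builder that carries the realm so the lookup lands in the sub-realm without an alias. The `realm` query-parameter form, the `/oauth2/access_token` path and the client registry contents are assumptions; the sub-realm, alias and client id come from the steps above.

```javascript
// Constructed model of a realm-scoped OAuth2 client lookup; not AM's code.
// Realm, DNS alias and client id are taken from the report; the registry
// contents and the secret are constructed for illustration.
const CLIENT_REGISTRY = {
  '/': {},                                   // top-level realm: no testoauth here
  '/subscribers': { testoauth: 'secret1' },  // client registered in the sub-realm
};
const DNS_ALIASES = { 'subscribers.amtest2.com': '/subscribers' };

// Resolve the realm for a request: a DNS alias on the Host header wins,
// then an explicit realm query parameter, otherwise the top-level realm.
function resolveRealm(host, url) {
  if (DNS_ALIASES[host]) return DNS_ALIASES[host];
  return new URL(url).searchParams.get('realm') || '/';
}

// Check HTTP Basic client credentials against the resolved realm's registry.
// A client that only exists in the sub-realm fails here when the realm
// resolves to '/', which is the invalid_client response the report shows.
function authenticateClient({ host, url, authorization }) {
  const realm = resolveRealm(host, url);
  const [scheme, b64] = (authorization || '').split(' ');
  if (scheme !== 'Basic' || !b64) return { error: 'invalid_client', realm };
  const [clientId, secret] = Buffer.from(b64, 'base64').toString('utf8').split(':');
  const clients = CLIENT_REGISTRY[realm] || {};
  if (!clientId || clients[clientId] !== secret) return { error: 'invalid_client', realm };
  return { ok: true, realm, clientId };
}

// Client side: build the token request with the realm as a query parameter
// (assumed endpoint shape) so the lookup lands in the sub-realm even when the
// application is reached without the DNS alias.
function buildTokenRequest({ baseUrl, realm, clientId, clientSecret, code, redirectUri }) {
  const url = new URL(`${baseUrl.replace(/\/$/, '')}/oauth2/access_token`);
  if (realm) url.searchParams.set('realm', realm);
  const body = new URLSearchParams({ grant_type: 'authorization_code', code, redirect_uri: redirectUri });
  const creds = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return { url: url.toString(), authorization: `Basic ${creds}`, body: body.toString() };
}
```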