
Userinfo can't be contacted with access_token issued during resource owner creds grant flow if redirect_uri is not specified for the client #800

Open
aliaksander-samuseu opened this Issue May 2, 2018 · 1 comment


aliaksander-samuseu commented May 2, 2018

Environment:

CentOS 6.9, gluu-server-3.1.3-1-2.RC6.centos6

Steps to reproduce:

  1. Log in to the web UI as the admin user and create an OIDC client registration with properties similar to those in the LDIF dump below; at least the "openid" scope must be attached to it; do not specify any redirect_uri:
dn: inum=@!84B1.7441.57C3.98B0!0001!76A2.0919!0008!FF8A.1302.AA6B.D976,ou=clients,o=@!84B1.7441.57C3.98B0!0001!76A2.0919,o=gluu
objectClass: oxAuthClient
objectClass: top
oxAuthLogoutSessionRequired: false
oxAuthScope: inum=@!84B1.7441.57C3.98B0!0001!76A2.0919!0009!764C,ou=scopes,o=@!84B1.7441.57C3.98B0!0001!76A2.0919,o=gluu
oxAuthScope: inum=@!84B1.7441.57C3.98B0!0001!76A2.0919!0009!F0C4,ou=scopes,o=@!84B1.7441.57C3.98B0!0001!76A2.0919,o=gluu
oxAuthTrustedClient: false
oxAuthTokenEndpointAuthMethod: client_secret_basic
oxPersistClientAuthorizations: false
oxAuthGrantType: password
inum: @!84B1.7441.57C3.98B0!0001!76A2.0919!0008!FF8A.1302.AA6B.D976
oxAuthAppType: web
oxDisabled: false
oxIncludeClaimsInIdToken: false
oxLastLogonTime: 20180501201654.838Z
displayName: test-client-user-creds-grants
oxAuthClientSecret: WB1fIGz3IvtHrJF9yu7Hqg==
oxAuthSubjectType: pairwise
oxLastAccessTime: 20180501201654.838Z
description: AAAA
  2. Follow the resource owner password credentials grant flow to acquire an access_token; the following request can be used as an example:
POST /oxauth/restv1/token HTTP/1.1
Host: mytrue.host.loc
Content-Type: application/x-www-form-urlencoded
Authorization: Basic QCE4NEIxLjc0NDEuNTdDMy45OEIwITAwMDEhNzZBMi4wOTE5ITAwMDghRkY4QS4xMzAyLkFBNkIuRDk3NjoxcTJ3M2U0cg==
Cache-Control: no-cache
Content-Length: 110

grant_type=password&&username=admin&password=1q2w3e4r&scope=openid+profile+email+username
  3. Get the user's claims from the userinfo endpoint with it; the following request can be used as an example:
GET /oxauth/restv1/userinfo HTTP/1.1
Host: mytrue.host.loc
Authorization: Bearer c18ceb9a-5dcf-4979-bda0-2cb2632a7b0f

Result:
On step 2) only an access_token is issued. At the same time an error is registered in oxauth.log (full text is here):

2018-05-02 17:53:40,113 INFO  [qtp1744347043-18] [org.xdi.oxauth.auth.Authenticator] (Authenticator.java:217) - Authentication success for Client: '@!84B1.7441.57C3.98B0!0001!76A2.0919!0008!FF8A.1302.AA6B.D976'
2018-05-02 17:53:40,136 ERROR [qtp1744347043-18] [org.xdi.oxauth.model.common.AuthorizationGrant] (AuthorizationGrant.java:187) - null
java.lang.NullPointerException: null
	at org.xdi.oxauth.model.token.IdTokenFactory.generateSignedIdToken(IdTokenFactory.java:253) ~[classes/:?]
	at org.xdi.oxauth.model.token.IdTokenFactory.createJwr(IdTokenFactory.java:511) ~[classes/:?]

...

	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.9.v20180320.jar:9.4.9.v20180320]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:754) [jetty-util-9.4.9.v20180320.jar:9.4.9.v20180320]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:672) [jetty-util-9.4.9.v20180320.jar:9.4.9.v20180320]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]

If redirect_uri is specified for this client, an id_token is also issued in this flow and no errors are registered in the logs.

On step 3) a 500 internal server error response is returned. At the same time an error is registered in oxauth.log (full text is here):

2018-05-02 17:54:01,244 ERROR [qtp1744347043-12] [xdi.oxauth.userinfo.ws.rs.UserInfoRestWebServiceImpl] (UserInfoRestWebServiceImpl.java:207) - null
java.lang.NullPointerException: null
	at org.xdi.oxauth.userinfo.ws.rs.UserInfoRestWebServiceImpl.getJSonResponse(UserInfoRestWebServiceImpl.java:620) ~[classes/:?]
	at org.xdi.oxauth.userinfo.ws.rs.UserInfoRestWebServiceImpl.requestUserInfo(UserInfoRestWebServiceImpl.java:187) [classes/:?]
	at org.xdi.oxauth.userinfo.ws.rs.UserInfoRestWebServiceImpl.requestUserInfoGet(UserInfoRestWebServiceImpl.java:113) [classes/:?]

...

	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:754) [jetty-util-9.4.9.v20180320.jar:9.4.9.v20180320]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:672) [jetty-util-9.4.9.v20180320.jar:9.4.9.v20180320]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]

If redirect_uri is specified for this client, claims are returned successfully in this flow.

Expected results:
As redirect_uri is not used in this flow, it shouldn't be a mandatory item for the flow to work, as this may confuse a user.
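As an added example (not code from the issue or from the Gluu project), this Python helper reproduces the two requests from the steps above against a configurable base URL, and flags a token response that carries no id_token even though the "openid" scope was requested; the base URL, client id, client secret and user credentials are assumed inputs supplied by the caller.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(client_id, client_secret):
    """client_secret_basic: 'Basic ' + base64(client_id ':' client_secret)."""
    raw = "{}:{}".format(client_id, client_secret).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_ropc_body(username, password, scopes):
    """Form body for the resource owner password credentials grant (RFC 6749 4.3)."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    })


def check_token_response(requested_scopes, token_json):
    """Findings on a token response: when 'openid' was requested, an OIDC
    token response is expected to contain an id_token next to the access_token."""
    findings = []
    if "access_token" not in token_json:
        findings.append("no access_token in response")
    if "openid" in requested_scopes and "id_token" not in token_json:
        findings.append("openid requested but no id_token issued")
    return findings


def run_flow(base_url, client_id, client_secret, username, password, scopes):
    """Live reproduction (assumed paths /oxauth/restv1/token and /userinfo):
    returns (token findings, userinfo HTTP status). Needs a reachable server."""
    body = build_ropc_body(username, password, scopes).encode("ascii")
    req = urllib.request.Request(base_url + "/oxauth/restv1/token", data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        token_json = json.load(resp)
    findings = check_token_response(scopes, token_json)
    ui = urllib.request.Request(base_url + "/oxauth/restv1/userinfo")
    ui.add_header("Authorization", "Bearer " + token_json["access_token"])
    try:
        with urllib.request.urlopen(ui) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:  # the issue reports a 500 here
        status = e.code
    return findings, status
```

Run `run_flow("https://mytrue.host.loc", client_id, client_secret, "admin", password, ["openid", "profile", "email", "username"])` against a client without redirect_uri to see the missing id_token finding and the 500 status together.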

@aliaksander-samuseu aliaksander-samuseu added this to the 3.1.4 milestone May 2, 2018

@aliaksander-samuseu aliaksander-samuseu assigned yuriyz and qbert2k and unassigned yuriyz May 2, 2018


nynymike commented Jul 2, 2018

I would not say this is a bug. RO password credential grant is not a supported OpenID Connect grant type, so it makes sense you can't call Userinfo. Maybe it's ok... need to discuss this further. But it's not a priority because this is the anti-pattern.

@nynymike nynymike modified the milestones: 3.1.4, 4.0 Jul 2, 2018
