
Realm parameter not included when using sub-realm without DNS alias #14

lawrenceyfr opened this issue Feb 20, 2018 · 0 comments

Description
Error 'Client authentication failed' when using the openid sample application with an AM sub-realm and not using the sub-realm's DNS alias (or with no sub-realm DNS alias defined).

Steps to reproduce:

  1. Deploy AM instance.
  2. Deploy openid sample from https://github.com/ForgeRock/openid
  3. Create a sub-realm, subscribers. Define a DNS alias for the realm, e.g. subscribers.amtest2.com
  4. Create a test user account, e.g. testuser1. Can also do this using a separate data store if desired.
  5. Configure common.js of openid to point to the AM app context, to use a sub-realm of subscribers and the relevant client_id and client_secret.
  6. Using the base URL of the site (top-level realm URL, e.g. openam.amtest2.com) navigate to the home page of openid (/openid), and select 'Try the Basic Client Profile'. Review the settings towards the bottom of the page.
  7. From the dashboard of the subscribers realm, create an OpenID Connect Provider. Leave settings as default.
  8. Create an application -> OAuth2 Client with client_id of e.g. testoauth, secret, and redirection URI matching that in the openid settings above.
  9. Leave OAuth2 client settings for ID Token Signed Response Algorithm as default values (these do not have a bearing on this test).
  10. Using the openid application, click 'Start authorisation' at the bottom of the page. Login as testuser1. Click to allow authorization. See an error message containing the following information:

     Error obtaining access token:
     { "readyState": 4, "responseText": "{"error_description":"Client authentication failed","error":"invalid_client"}", "responseJSON": { "error_description": "Client authentication failed", "error": "invalid_client" }, "status": 401, "statusText": "Unauthorized" }

  11. Repeat, but navigating to the openid application using the subscribers DNS alias, e.g. subscribers.amtest2.com/openid. Repeat step 10. Now see a final page that indicates successful OAuth2 authorisation, and details of the received token are displayed.

Investigation
Looks as though the realm name is not passed through on the POST request; as a result AM attempts to find the OIDC client id (testoauth) in the top-level realm, not the sub-realm, and fails.
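The realm-resolution behaviour the report describes, as an added model that is not code from the openid sample or from AM: a hostname matching a DNS alias selects the sub-realm, an explicit realm parameter selects it otherwise, and with neither the token request lands in the top-level realm where the client is not registered. The `realm` parameter name, the alias table and the client registry are constructed assumptions for the illustration.

```javascript
// Added illustration (not the openid sample's or AM's code): models why
// omitting the realm on the token POST produces invalid_client unless the
// request arrives via the sub-realm's DNS alias.

// Constructed sample data mirroring the issue: one sub-realm with a DNS
// alias, and one OAuth2 client registered only in that sub-realm.
const dnsAliases = { "subscribers.amtest2.com": "/subscribers" };
const registeredClients = { "/subscribers": new Set(["testoauth"]) };

// Resolve the realm: DNS alias first, then an explicit `realm` parameter
// (assumed name), otherwise the top-level realm "/".
function resolveRealm(host, params) {
  if (dnsAliases[host]) return dnsAliases[host];
  if (params.realm) return params.realm;
  return "/";
}

// Look the client up in the resolved realm and return the same error
// shape the issue quotes when it is not found there.
function authenticateClient(host, params) {
  const realm = resolveRealm(host, params);
  const clients = registeredClients[realm] || new Set();
  if (!clients.has(params.client_id)) {
    return { status: 401, realm, error: "invalid_client",
             error_description: "Client authentication failed" };
  }
  return { status: 200, realm };
}

// Build the token-request body; `realm` is the field the sample omits.
function tokenRequestParams(code, clientId, realm) {
  const p = { grant_type: "authorization_code", code, client_id: clientId };
  if (realm) p.realm = realm;
  return p;
}
```

Sending the same request via the alias host, or adding the realm parameter on the top-level host, both resolve to /subscribers and succeed; only the alias-less request without the parameter fails.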
