Comments (4)

maximthomas avatar maximthomas commented on June 28, 2024

@martins1930, I've just created a test with Apache HttpClient to reproduce your case and could not do it. Could you provide more details about your environment (OpenAM version, JDK version, installation type, and so on)?

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.json.JSONObject;
import org.junit.Assert;
import org.junit.Test;

public class RevokeTokenTest {

    @Test
    public void doTest() throws Exception {
        String server = "http://test.openam.org.ru:8080/openam";
        Set<String> tokens = new HashSet<>();

        // redirects are disabled so an unexpected 302 shows up as a failure instead of being followed
        try (CloseableHttpClient httpclient = HttpClientBuilder.create().disableRedirectHandling().build()) {
            // obtain tokens with the resource owner password grant
            for (int i = 0; i < 1000; i++) {
                HttpPost httpost = new HttpPost(server + "/oauth2/access_token");
                List<NameValuePair> nvps = new ArrayList<>();
                nvps.add(new BasicNameValuePair("client_secret", "foobar"));
                nvps.add(new BasicNameValuePair("client_id", "foobar_client_id"));
                nvps.add(new BasicNameValuePair("grant_type", "password"));
                nvps.add(new BasicNameValuePair("username", "foouser"));
                nvps.add(new BasicNameValuePair("password", "foopassword"));
                nvps.add(new BasicNameValuePair("realm", "/"));

                httpost.setEntity(new UrlEncodedFormEntity(nvps));
                HttpResponse response = httpclient.execute(httpost);
                String res = EntityUtils.toString(response.getEntity(), "UTF-8");

                JSONObject jsonObject = new JSONObject(res);
                String access_token = jsonObject.getString("access_token");
                tokens.add(access_token);

                System.err.println("obtained token: " + access_token);
            }

            // revoke every token obtained above; each revoke must answer 200
            for (String access_token : tokens) {
                HttpPost httpost = new HttpPost(server + "/oauth2/token/revoke");
                List<NameValuePair> nvps = new ArrayList<>();
                nvps.add(new BasicNameValuePair("realm", "/"));
                nvps.add(new BasicNameValuePair("token", access_token));
                nvps.add(new BasicNameValuePair("client_secret", "foobar"));
                nvps.add(new BasicNameValuePair("client_id", "foobar_client_id"));

                httpost.setEntity(new UrlEncodedFormEntity(nvps));
                HttpResponse response = httpclient.execute(httpost);
                String res = EntityUtils.toString(response.getEntity(), "UTF-8");

                JSONObject jsonObject = new JSONObject(res);

                Assert.assertEquals(200, response.getStatusLine().getStatusCode());

                System.err.println(access_token + " : " + response.getStatusLine() + ":" + jsonObject.toString());
            }
        }
    }
}

from openam.

martins1930 avatar martins1930 commented on June 28, 2024

Hi @maximthomas,

I'm using version 14.1.4. I installed OpenAM using Docker; below is the docker-compose.yml that I'm using:

services:
  openam:
    image: openidentityplatform/openam:14.1.4
    hostname: openam.example.com
    ports:
      - "8778:8080"

I have configured the openam in the following way:

  1. Click on the link "Create Default Configuration" that is shown in the image below:
     (screenshot)

  2. Create the realm "Myrealm" as is shown in the image below:
     (screenshot)

  3. In the "Realm Overview" page click on "Configure Oauth Provider", then on "Configure Oauth2", and click on "Issue Refresh Token" as is shown in the image below:
     (screenshot)

  4. Go to "Subjects" and create the user myuser@foobar.com with the password foobar1234. The following image shows what the user looks like:
     (screenshot)

  5. Go to "Agents" -> "OAuth 2.0/OpenID Connect Client" and create a new agent with the name "MyAgent" as is shown in the image below:
     (screenshot)

  6. In the list of agents click on the agent "MyAgent" and add "cn" to Scope(s), Claim(s) and Default Scope(s) as is shown in the images below:
     (screenshot)
     (screenshot)

  7. End of configuration.

Then to reproduce the bug execute this script:

#!/bin/bash
# Reproduction: obtain a token with the password grant, then revoke it, 1000 times in a row.

SERVER=http://openam.example.com:8778
CLIENT_SECRET=myagent1234
CLIENT_ID=myAgent
USERNAME=myuser%40foobar.com   # myuser@foobar.com, URL-encoded
PASSWORD=foobar1234
REALM=%2FMyrealm               # /Myrealm, URL-encoded

for i in $(seq 1 1000); do
    echo "Starting test $i =================="
    RESPONSE=$(curl -X "POST" "$SERVER/openam/oauth2/access_token?client_secret=$CLIENT_SECRET&client_id=$CLIENT_ID&grant_type=password&username=$USERNAME&password=$PASSWORD&realm=$REALM" \
        -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' --silent)

    # pull the access_token value out of the JSON response
    TOKEN=$(echo "$RESPONSE" | perl -lne 'while (/"access_token":"(.*?)"/g) { print $1 }')

    echo "The token from OpenAM is: $TOKEN"

    REVOKE_RESPONSE_CODE=$(curl -X "POST" "$SERVER/openam/oauth2/token/revoke?realm=$REALM&token=$TOKEN&client_secret=$CLIENT_SECRET&client_id=$CLIENT_ID" \
        -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' --write-out '%{http_code}' --silent --output /dev/null)

    echo "The response code of the revoke is: $REVOKE_RESPONSE_CODE"

    if [ "$REVOKE_RESPONSE_CODE" != "200" ]; then
        echo "Error revoking the token."
        exit 1
    fi
done

Note that when I run the script with CLIENT_ID set to the value myAgent it throws random errors when revoking the token,
but when I set CLIENT_ID to the value MyAgent it works fine;
therefore it seems that the problem is due to case sensitivity of the client_id parameter in the revoke API?

Regards,
Martin.

from openam.

maximthomas avatar maximthomas commented on June 28, 2024

Hi @martins1930,
You are right: when OpenAM revokes the token, it compares the client_id associated with the token inside OpenAM with the client_id in the request parameter. If they do not match, OpenAM throws an error. The client_id parameter, per rfc6749 - 1.9, should be case sensitive.

from openam.

martins1930 avatar martins1930 commented on June 28, 2024

OK, thank you @maximthomas!
But I think it would be nice if OpenAM always returned an error when the case doesn't match, because the random behaviour of the revoke API is confusing.

from openam.
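As an added example (not OpenAM's code), a small Python model of the revoke check maximthomas describes: each token records the client_id it was issued to, and revocation compares the request's client_id against it by exact string match. The case-insensitive client lookup at issuance is an assumption made so the thread's scenario (token obtained with myAgent, registered agent MyAgent) can be replayed; unlike the behaviour martins1930 saw, this model returns the same error on every iteration.

```python
import secrets

# Constructed client registry: the agent registered in the thread is "MyAgent".
CLIENTS = {"MyAgent": "myagent1234"}


def registered_client(client_id, client_secret):
    """Resolve a client for token issuance.
    ASSUMPTION (not stated on the page): the issuing lookup is case-insensitive,
    which is what lets a token be obtained with client_id=myAgent while the
    token itself is bound to the registered id MyAgent."""
    for cid, secret in CLIENTS.items():
        if cid.lower() == client_id.lower() and secret == client_secret:
            return cid
    return None


def issue_token(store, client_id, client_secret):
    """Password-grant stand-in for /oauth2/access_token: returns (status, json)."""
    canonical = registered_client(client_id, client_secret)
    if canonical is None:
        return 401, {"error": "invalid_client"}
    token = secrets.token_hex(16)
    store[token] = canonical  # the token remembers the client it was issued to
    return 200, {"access_token": token}


def revoke_token(store, token, client_id, client_secret):
    """Stand-in for /oauth2/token/revoke. Both checks are exact string
    comparisons, so a case-mismatched client_id is rejected every time."""
    if CLIENTS.get(client_id) != client_secret:  # exact-key client authentication
        return 401, {"error": "invalid_client"}
    owner = store.get(token)
    if owner is None:
        return 200, {}  # RFC 7009: an unknown or already-revoked token still yields 200
    if owner != client_id:  # case-sensitive ownership check
        return 400, {"error": "invalid_request",
                     "error_description": "token was not issued to this client_id"}
    del store[token]
    return 200, {}


def reproduce(client_id, iterations=1000):
    """Mirror the thread's loop (obtain, then revoke) and collect the revoke codes seen."""
    store, codes = {}, set()
    for _ in range(iterations):
        status, body = issue_token(store, client_id, "myagent1234")
        if status != 200:
            raise RuntimeError("token issuance failed")
        status, _ = revoke_token(store, body["access_token"], client_id, "myagent1234")
        codes.add(status)
    return codes
```

Running reproduce("MyAgent") yields only 200s, while reproduce("myAgent") yields only 401s: issuance accepted the loosely matched id, but every revoke fails the exact comparison.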
