(Copied from GitHub, submitted here as suggested by William)
After a few hours of headache, I think I found some code with unintentional behavior.
While trying to use getAuthenticationMethodClaims() to pass back some amr values in id tokens, I realized why my custom authentication script was returning an empty JSON for the amr field ("amr":"[]").
In IdTokenFactory.java, the following line is in setAmrClaim:
    CustomScriptConfiguration script = externalAuthenticationService.getCustomScriptConfiguration(
            AuthenticationScriptUsageType.BOTH, acrValues);
Due to the usage of AuthenticationScriptUsageType.BOTH, "script" is set to null unless the usage type of your custom authentication script is set to "Both methods". I think the intention was to check for scripts of any usage type (Web, Native, or Both methods) corresponding to "acrValues", but the current code only accepts scripts that are specifically set to "Both methods". After changing the usage type of my script from "Web" to "Both methods", everything now works as intended (properly getting the amr field in id tokens), but this shouldn't be necessary (future users will run into the same issue if using "Web" or "Native" usage types).
It seems like this is a bug, and Anise has been kind enough to already report it on GitHub.
Let's get this patched and included in a new release as soon as possible.
I want to go ahead and change that line (for now, simply changing '.BOTH' to '.INTERACTIVE') so I can continue development on my project (changing my custom script usage type from 'Web' to 'Both methods' is causing other things to break). Is there any documentation on the best way to accomplish this? Do I need to compile the entire Gluu Server from scratch after changing this one line, or is there a better way? I currently have 3.0.2 CE installed on Ubuntu 14.04. Will I have to uninstall that, or is there any way to modify it? Thanks.
Hi Anise,
Thank you for the information about this issue. I fixed it in 3.1.0:
Also, I merged it into the 3.0.3 branch.
We are not planning to release 3.0.3. The best way for you to get it is:
Here is the 3.0.3 oxauth.war
Great, thank you!
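A regression check for the symptom described in the first post (an ID token whose amr comes back as "[]"), added here as an example; it is not code from this thread or from oxAuth. The acr value custom_otp, the amr value otp and both sample tokens are constructed, and the signature is not verified, so this only inspects tokens in a test.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_claims(id_token):
    """Payload claims of a compact JWS. The signature is NOT verified:
    this inspects tokens in a test, it does not establish trust in them."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def amr_values(claims):
    """Normalize amr to a list; also accepts an array serialized as a
    string, such as the "[]" quoted in the post."""
    amr = claims.get("amr")
    if isinstance(amr, str):
        try:
            amr = json.loads(amr)
        except ValueError:
            amr = [amr]            # a bare string such as "otp"
    if not isinstance(amr, list):
        return []                  # claim absent or of an unexpected type
    return [str(v) for v in amr if v]

def missing_amr(id_token, expected):
    """Expected amr values that the token does not carry (empty list = pass)."""
    present = set(amr_values(read_claims(id_token)))
    return [v for v in expected if v not in present]

def make_token(claims):
    # Constructed sample token: fixed header, placeholder signature.
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

# Constructed samples: the symptom from the post, and the expected result.
EMPTY = make_token({"sub": "u1", "acr": "custom_otp", "amr": "[]"})
FIXED = make_token({"sub": "u1", "acr": "custom_otp", "amr": ["otp"]})

if __name__ == "__main__":
    print(missing_amr(EMPTY, ["otp"]))
    print(missing_amr(FIXED, ["otp"]))
```

Run against an ID token issued for each script usage type (Web, Native, Both methods), a non-empty result flags the behaviour reported above.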