Signed PAR Request does not support claims as a JSON Object

nirving · October 23, 2022, 1:38am

Afternoon,
I have a Signed PAR Request as follows

{
  "iat": 1666488033,
  "nbf": 1666488033,
  "exp": 1666488638,
  "jti": "1be-9mC5GGe0TVkNh-fpn",
  "aud": "https://xxxx/openam/oauth2",
  "iss": "xxxx",
  "scope": "openid",
  "code_challenge": "A73kot8LXGRkZWwGkZhsKv7VxYmsjErfxIL0bmkVjEo",
  "code_challenge_method": "S256",
  "claims": {
    "id_token": {
      "auth_time": {
        "essential": true
      },
      "given_name": {
        "essential": true
      },
      "acr": {
        "essential": true,
        "values": [
          "urn:australia:digitalid:undefined"
        ]
      }
    }
  },
  "response_type": "code id_token",
  "redirect_uri": "http://localhost:8080/code",
  "state": "11a45522-036f-424e-84cd-fbf5a8952ce6",
  "nonce": "11a45522-036f-424e-84cd-fbf5a8952ce6",
  "client_id": "xxxxx"
}

This returns an error of

{
    "error_description": "class java.util.LinkedHashMap cannot be cast to class java.lang.String (java.util.LinkedHashMap and java.lang.String are in module java.base of loader 'bootstrap')",
    "error": "server_error"
}

If I convert the claims into a JSON String

  "claims": "{\"id_token\":{\"auth_time\":{\"essential\":true},\"given_name\":{\"essential\":true},\"acr\":{\"essential\":true,\"values\":[\"urn:australia:digitalid:undefined\"]}}}",

Then the error goes away and I can continue with the next part of the puzzle.

My quesiton is why do I have to convert it into a string?

I am guessing that because I would need to if I was not a making a Signed PAR Object, as that would be on the URI and would need to be a string.

How do I raise a defect on this, as an outside of ForgeRock Support?

Regards
Nicholas

nirving · October 23, 2022, 2:05am

If I convert to not using PAR then it works

curl --location --request GET 'https://xxxxx/openam/oauth2/authorize?client_id=xxxxx&request=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjEyMzQ1NiJ9.eyJpYXQiOjE2NjY0OTA2NjgsIm5iZiI6MTY2NjQ5MDY2OCwiZXhwIjoxNjY2NDkxMjczLCJqdGkiOiJ4bmg4Y1hjN3Vid1g4TjlocU1xWDgiLCJhdWQiOiJodHRwczovL3h4eHh4L29wZW5hbS9vYXV0aDIiLCJpc3MiOiJ4eHh4eCIsInNjb3BlIjoib3BlbmlkIiwiY2xhaW1zIjp7ImlkX3Rva2VuIjp7ImF1dGhfdGltZSI6eyJlc3NlbnRpYWwiOnRydWV9LCJnaXZlbl9uYW1lIjp7ImVzc2VudGlhbCI6dHJ1ZX0sImFjciI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI6WyJ1cm46YXVzdHJhbGlhOmRpZ2l0YWxpZDp1bmRlZmluZWQiXX19fSwicmVzcG9uc2VfdHlwZSI6ImNvZGUgaWRfdG9rZW4iLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvY29kZSIsInN0YXRlIjoiMTFhNDU1MjItMDM2Zi00MjRlLTg0Y2QtZmJmNWE4OTUyY2U2Iiwibm9uY2UiOiIxMWE0NTUyMi0wMzZmLTQyNGUtODRjZC1mYmY1YTg5NTJjZTYiLCJjbGllbnRfaWQiOiJ4eHh4eCJ9.kggYh83ZEg3RnNQI1iCnA13DWUPWZmeaOcYuZePtpd4-XENSwuLUNHiSlUFhVggdaKPHVKnXZFXciD56DI4i51fRdx926oJ34M4Qv-pSXNvYnXhOtXKwirTq5V06mfwLSNQhc6cZTfHrXkLdI-n6lQWER5jksyOBPMsy5VBMs2o20bFsWyfLFM6RDZpMXSdhaNjySVb-GXkWxIrvT-s_h7i6-ozWf0FEiuBz3W4K8xIsSVS1UHG7dJZp598bSDgogtjD8PpmRnxtuzyqfD4rbiXpkiDgWCtiwYPhohr8cY8Wxb3Kf_H6GO5CJ271znt_gazq48y_OMerSHY1N2Em-A&response_type=code id_token&state=11a45522-036f-424e-84cd-fbf5a8952ce6&nonce=11a45522-036f-424e-84cd-fbf5a8952ce6&redirect_uri=http://localhost:8080/code&scope=openid'

Same request object, istrad claims in a JSON Object instead of a string.

{
  "iat": 1666490668,
  "nbf": 1666490668,
  "exp": 1666491273,
  "jti": "xnh8cXc7ubwX8N9hqMqX8",
  "aud": "https://xxxxx/openam/oauth2",
  "iss": "xxxxx",
  "scope": "openid",
  "claims": {
    "id_token": {
      "auth_time": {
        "essential": true
      },
      "given_name": {
        "essential": true
      },
      "acr": {
        "essential": true,
        "values": [
          "urn:australia:digitalid:undefined"
        ]
      }
    }
  },
  "response_type": "code id_token",
  "redirect_uri": "http://localhost:8080/code",
  "state": "11a45522-036f-424e-84cd-fbf5a8952ce6",
  "nonce": "11a45522-036f-424e-84cd-fbf5a8952ce6",
  "client_id": "xxxxx"
}

salbertelli01 · October 31, 2022, 8:02pm

Hi @nirving,

I’m checking into your inquiry with our internal teams and will follow up with you here as soon I have the details.

TIA,
Sheila

salbertelli01 · November 8, 2022, 6:53pm

Hi @nirving,

The issue with the /par endpoint not returning a request_uri when using claims as JSON object is resolved in OPENAM-19726.

As I understand, OPENAM-19726 will be included in AM 7.2.1. and AM 7.3 releases.

AM 7.2.1 is expected to be released by the end of the year. The estimation timeline is subject to clearing QA and internal testing.

I hope this helps!

Thank you,

Sheila