Red Hat 3scale API Management - THREESCALE-8271

3scale is not capable to have 2 different Applications with the same clientID, even in different RH-SSO Realms: it doesn't store the secrets accordingly


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • SaaS, 2.13.7, 2.14.1 GA
    • System

      Prerequisites:

      • 3scale with 2 different products: Product A and Product B (the Backend they're pointing to is not relevant to reproduce this issue)
      • Both Products have RH-SSO Integration configured
      • 2 Realms on RH-SSO: realm-a and realm-b
      • Product A has realm-a configured as its OIDC configuration
      • Product B has realm-b configured as its OIDC configuration

      Steps:

      1. Create a new application for Product A with 3Scale API Application Create operation on API Docs.
        1. Set application_id = "sso-client-sync-test" and application_key = "secretA".
      2. Confirm that client with id "sso-client-sync-test" is created in realm-a and for Product A
      3. Confirm that the client has secret set as "secretA"
      4. Create a new application for product B with 3Scale API Application Create operation on API Docs.
        1. Set application_id = "sso-client-sync-test" and application_key = "secretB"
      5. Confirm that client with id "sso-client-sync-test" is created in realm-b and for Product B
      6. Confirm that the client has secret set as "secretA"
      7. Note that on step 6, the expected behavior would be to find secret as "secretB"


      3scale doesn't support 2 different applications on different SSO realms with the same clientID, but with different secrets:

      • Creating 2 different Applications 
      • for 2 different Products 
      • with 2 different Secrets 
      • but with the same clientID 
      • using API Docs (Create Application endpoint)

      In this scenario, after creating the 2nd application, the client credentials on RH-SSO shows the same secret from the 1st application. 


      Observations: 

      • We have detected on zync pod --> zync_production database --> clients table:
        • Two records with the same client_id value ("sso-client-sync-test") and different id values [it seems to be correct and obeying clients table PK (id, client_id)]
      • We have detected on system-mysql pod --> system database --> application_keys table:
        • One record with "secretA" for field value [with the application_id FK field pointing to the correct id of the cinstances table (it also seems to be correct)]
        • One record with "secretB" for field value [with the application_id FK field pointing to the correct id of the cinstances table (it also seems to be correct)]

      Additional Scenario: 3scale overrides the value of the client in the incorrect realm

      • Create ProductA connected to RealmA
      • Create ProductB connected to RealmB
      • Create an application in ProductA
      • Create an application in ProductB using API Docs (Create Application endpoint) with the same clientID and clientSecret but different name and description

      In this scenario, after creating the second application (ProductB), the name and description of the client in RealmA may be overridden with the new values which should have been written to RealmB.
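      Both scenarios above share one property: the clientID is unique only within a realm, yet the observed behaviour is consistent with some lookup that treats it as globally unique. The following is an added illustration, not zync's or 3scale's code, and it does not claim to be the actual root cause. It models an in-memory RH-SSO with two realms and a sync step that resolves an application's credentials either by client_id alone (first match wins, reproducing the "wrong secret / wrong name and description" outcome) or by (realm, client_id). It also includes a small check that lists clientIDs reused across realms, which is the precondition for hitting this report. All names (Application, SsoClient, sync_global, sync_scoped, find_cross_realm_collisions) and the sample data are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# --- constructed sample data mirroring the report: two products, two realms,
# --- one clientID reused with different secrets, names and descriptions
@dataclass(frozen=True)
class Application:
    product: str
    realm: str         # OIDC realm the product is configured with
    client_id: str     # application_id in 3scale terms
    secret: str        # application_key in 3scale terms
    name: str
    description: str

@dataclass
class SsoClient:
    secret: str
    name: str
    description: str

# realm -> client_id -> client; stands in for the RH-SSO client store (hypothetical)
SsoState = Dict[str, Dict[str, SsoClient]]

APPS: List[Application] = [
    Application("Product A", "realm-a", "sso-client-sync-test", "secretA", "app-a", "first application"),
    Application("Product B", "realm-b", "sso-client-sync-test", "secretB", "app-b", "second application"),
]

def find_by_client_id(apps: List[Application], client_id: str) -> Application:
    """Flawed lookup: client_id is only unique per realm, so the first match wins."""
    return next(a for a in apps if a.client_id == client_id)

def find_by_realm_and_client_id(apps: List[Application], realm: str, client_id: str) -> Application:
    """Correct lookup: the realm (issuer) is part of the client's identity."""
    return next(a for a in apps if a.realm == realm and a.client_id == client_id)

def sync_global(apps: List[Application]) -> SsoState:
    """Model of the failing behaviour: credentials are resolved by client_id alone.

    Creating Product B's application finds Product A's record first, so realm-b
    ends up holding secretA and Product A's name and description.
    """
    sso: SsoState = {}
    for created in apps:
        source = find_by_client_id(apps, created.client_id)
        sso.setdefault(created.realm, {})[created.client_id] = SsoClient(
            source.secret, source.name, source.description
        )
    return sso

def sync_scoped(apps: List[Application]) -> SsoState:
    """Corrected model: credentials are resolved by (realm, client_id)."""
    sso: SsoState = {}
    for created in apps:
        source = find_by_realm_and_client_id(apps, created.realm, created.client_id)
        sso.setdefault(created.realm, {})[created.client_id] = SsoClient(
            source.secret, source.name, source.description
        )
    return sso

def find_cross_realm_collisions(apps: List[Application]) -> Dict[str, Set[str]]:
    """Return client_ids that are configured in more than one realm.

    Any entry here is an application set that the reported behaviour can affect.
    """
    realms_by_client: Dict[str, Set[str]] = {}
    for app in apps:
        realms_by_client.setdefault(app.client_id, set()).add(app.realm)
    return {cid: realms for cid, realms in realms_by_client.items() if len(realms) > 1}

def secret_in(sso: SsoState, realm: str, client_id: str) -> str:
    return sso[realm][client_id].secret

if __name__ == "__main__":
    print("collisions:", find_cross_realm_collisions(APPS))
    print("global lookup, realm-b secret:", secret_in(sync_global(APPS), "realm-b", "sso-client-sync-test"))
    print("scoped lookup, realm-b secret:", secret_in(sync_scoped(APPS), "realm-b", "sso-client-sync-test"))
```

      The collision check is the part worth keeping as an operational control on affected versions: until the sync is realm-scoped, an administrator can list clientIDs shared across realms and either rename them or confirm the secret in each realm by hand after an Application Create.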

      Assignee: Unassigned
      Reporter: Raphael Magno Moreira Morsch (ramoreir@redhat.com)
      Daria Mayorova