Uploaded image for project: 'OpenAM Agents'
  1. OpenAM Agents
  2. AMAGENTS-2885

session SDK REST call to /users?_fields does not handle 404/400 as a valid rest/user json response



    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    •, 5.7.0
    • Web Agents


      When AM does not have a user profile, which is a valid config option, then it may return 404 instead of empty json on the json/users call . If the datastore is badly configured a 400 may be sent.
      In SSO Only mode in Agent 4.1.0 it didn't have to process or query any attributes. 

      However in Agent 5 the Agent will subsequently exit status with a forbidden in this event:

      2019-08-12 10:13:08 GMT DEBUG [37e5034-5520-33dd-d50c-3059181ddce3]: (source/sdk_base.c:180) http request to openam.localtest.me:8080 GET /openam/json/realms/root/realms/testRealm/users/jeremy?_fields=Host,Attribute1,sunIdentityUserPassword,Attribute2,UserToken HTTP/1.1 
      Host: openam.localtest.me:8080 Cookie: iPlanetDirectoryPro=  9D5y6_lgNLfg4B4FxAKwa_xnopU.*AAJTSQACMDIAAlNLABxLY21EVHM2MnE1WWc4NDJFN2FTT0t2SlA4cDA9AAJTMQACMDE.*   
      User-Agent: OpenAM Web Agent/ 
      Accept: application/json Connection: Close 
      Content-Type: application/json; charset=UTF-8 
      Accept-API-Version: resource=3.0, protocol=1.0 
      2019-08-12 10:13:08 GMT DEBUG [37e5034-5520-33dd-d50c-3059181ddce3]: (source/sdk_base.c:222) http response 404 from openam.localtest.me:8080 X-Frame-Options: SAMEORIGIN Cache-Control: no-cache Content-API-Version: resource=3.0 Content-Type: application/json;charset=UTF-8 Transfer-Encoding: chunked Vary: Accept-Encoding Date: Wed, 12 Aug 2019 10:13:08 GMT Connection: close {"code":404,"reason":"Not Found","message":"Resource cannot be found."} 
      2019-08-12 10:13:08 GMT WARNING [37e5034-5520-33dd-d50c-3059181ddce3]: error fetching session data unknown system error (404) 
      2019-08-12 10:13:08 GMT DEBUG [37e5034-5520-33dd-d50c-3059181ddce3]: (source/apache/agent.c:286) set_user(): jeremy
      2019-08-12 10:13:08 GMT DEBUG [37e5034-5520-33dd-d50c-3059181ddce3]: (source/request.c:1978) handle_exit(): (entry status: forbidden) 
      2019-08-12 10:13:08 GMT DEBUG [37e5034-5520-33dd-d50c-3059181ddce3]: (source/request.c:2297) handle_exit(): status: forbidden 
      2019-08-12 10:13:08 GMT DEBUG [37e5034-5520-33dd-d50c-3059181ddce3]: (source/apache/agent.c:891) amagent_auth_handler(): exit status: forbidden (3)

      Previously, with Agent 4, to the old identity/xml/read endpoint, which are now deprecated, and so is PLL in Agent 5 (so reimplementing this is unfeasible) AM returned session information from sessionservice and had a predefined list of strings which when matched in all the exception output from the Java stack trace and processed that. 

      It feels like it something similar needs to implemented to accommodate for this use case.
      Whether or not IdRepo though, is a problem could be additionally investigated here. However for now the use case is valid. 

      Reproduce (i had agent in a SubRealm):

      • Sub-Realm: 3 Datastores (2nd Datastore has the Identity). 
      • Set User Profile to Required in Authentication Configuration in AM.
      • Pre-Authenticate (i.e have a cookie prior to hitting the agent - my ipdp setting is turned on). 
      • Access Protected Resource
      • Watch the User Call fail. 


        Issue Links



              alex.levin@forgerock.com Alex Levin
              jeremy.cocks Jeremy Cocks
              0 Vote for this issue
              6 Start watching this issue