OpenAM / OPENAM-10013

HOTP session upgrade not possible in XUI if the wrong code is entered first time

    Details

    • Sprint:
      AM Sustaining Sprint 36, AM Sustaining Sprint 37, AM Sustaining Sprint 38, AM Sustaining Sprint 39, AM Sustaining Sprint 40, AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 43
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      When trying to use HOTP with session upgrade, it is impossible to complete authentication if the OTP is entered incorrectly the first time and 'Request OTP' is not used.

      1. Configure chain 'ds' with a single DataStore module.
      2. Configure chain 'otp' with a single HOTP module and enable 'Auto Send OTP'.
      3. Authenticate with ?service=ds
      4. Authenticate with ?service=otp (session upgrade).
      5. Enter the wrong code and get 'Authentication failed'.
      6. Enter the correct code.

      Expected result:
      Either step 6 should allow authentication or should handle sending a fresh OTP and informing the user they can't use the old one.

      Actual result:
      Step 6 results in 'Authentication failed' and a fresh OTP is sent.
      Entering the fresh OTP still results in failed authentication.

      It appears each new 'Submit' will cause two REST calls in quick succession:

      • A call to json/authenticate using sessionUpgradeSSOTokenId. This causes a new OTP to be sent.
      • Another call to json/authenticate submitting callbacks with the 'old' OTP entered in the UI.

      Workaround:
      Use 'Request OTP' to send a fresh OTP.
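Added illustration (not OpenAM code): a small in-memory model of the json/authenticate exchange described above, written to make the two-call behaviour concrete. A client that re-calls authenticate with sessionUpgradeSSOTokenId before every Submit gets a fresh authId and a fresh OTP each time, and then posts the code the user typed, which is always the previous OTP; a client that resubmits against the same authId succeeds on the second try. The stage name, callback shape, OTP generator and the "attempt stays open after a wrong code" rule are assumptions of this model, not verified OpenAM behaviour.

```python
"""Constructed model of OpenAM's json/authenticate for the HOTP session
upgrade case in OPENAM-10013.  Not OpenAM code; response shapes and the
retry rule are assumptions chosen to match the ticket's description."""
import copy
import secrets
import uuid


class FakeOpenAM:
    """Stand-in for the authenticate endpoint in front of a chain holding one
    HOTP module with 'Auto Send OTP' enabled.  Each authentication attempt
    (authId) holds exactly one pending OTP; starting an attempt delivers a
    new OTP, which is the side effect the ticket observes."""

    def __init__(self):
        self.pending = {}      # authId -> the one OTP that will be accepted
        self.delivered = []    # codes the SMS/email channel handed the user

    def authenticate(self, session_upgrade_token, body=None):
        if body is None:
            # No callbacks: start a new attempt for the session being upgraded.
            auth_id = uuid.uuid4().hex
            otp = f"{secrets.randbelow(10 ** 6):06d}"   # assumption: 6-digit code
            self.pending[auth_id] = otp
            self.delivered.append(otp)
            return {"authId": auth_id, "stage": "HOTP",
                    "callbacks": [{"type": "PasswordCallback",
                                   "input": [{"name": "IDToken1", "value": ""}]}]}
        # Callbacks submitted: verify only against the OTP tied to this authId.
        auth_id = body["authId"]
        typed = body["callbacks"][0]["input"][0]["value"]
        expected = self.pending.get(auth_id, "")
        if expected and secrets.compare_digest(expected, typed):
            del self.pending[auth_id]
            return {"tokenId": "upgraded-" + session_upgrade_token}
        # Assumption: a wrong code leaves the attempt open for another try,
        # which is what the ticket's expected result for step 6 implies.
        return {"code": 401, "reason": "Unauthorized",
                "message": "Authentication Failed"}


def _with_code(start_response, code):
    """Copy the server's callback template and fill in the typed code."""
    body = copy.deepcopy(start_response)
    body["callbacks"][0]["input"][0]["value"] = code
    return body


def xui_style_upgrade(am, token, extra_tries=3):
    """The pattern observed in the ticket: every Submit first re-calls
    authenticate with sessionUpgradeSSOTokenId (a new OTP goes out), then
    posts the code the user typed.  Returns True if any try yields a tokenId."""
    am.authenticate(token)                       # step 4: auto-send fires
    typed = "wrong"                              # step 5: user mistypes
    for _ in range(1 + extra_tries):
        start = am.authenticate(token)           # re-init: fresh authId and OTP
        reply = am.authenticate(token, _with_code(start, typed))
        if "tokenId" in reply:
            return True
        typed = am.delivered[-1]                 # step 6: user enters the latest code
    return False                                 # the typed code is always one OTP behind


def same_auth_id_upgrade(am, token):
    """Client that keeps the authId across a failed try: the OTP delivered at
    step 4 is still the pending one, so the second Submit succeeds."""
    start = am.authenticate(token)
    first = am.authenticate(token, _with_code(start, "wrong"))
    second = am.authenticate(token, _with_code(start, am.delivered[-1]))
    return first.get("code") == 401 and "tokenId" in second


if __name__ == "__main__":
    buggy, fixed = FakeOpenAM(), FakeOpenAM()
    print("XUI pattern succeeds:", xui_style_upgrade(buggy, "tok"),
          "| OTPs sent:", len(buggy.delivered))
    print("same-authId pattern succeeds:", same_auth_id_upgrade(fixed, "tok"),
          "| OTPs sent:", len(fixed.delivered))
```

The model also shows the user-visible symptom from the 'Actual result' section: with the re-initiating client, one extra OTP is delivered per Submit and none of them is ever the one the current attempt expects.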

              People
              • Assignee: Sachiko Wallace (sachiko)
              • Reporter: Andrew Dunn (andrew.dunn) [X] (Inactive)
              • Votes: 0
              • Watchers: 3
