Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0
Component/s: authentication, oauth2
Labels:
Sprint: AM Sustaining Sprint 43
Story Points: 5
Needs backport: Yes
Support Ticket IDs:
Bug description
A user remains stuck on an XUI 'Loading' page when using the 'OAuth2.0/OIDC' auth module if the authId token is allowed to expire before they submit their credentials at the remote IDP, which then redirects back to AM.
How to reproduce the issue (Google can be used to test)
1. Go to https://console.developers.google.com
2. Create a project and set the redirect uri to be http://am.fqdn:port/am/oauth2c/OAuthProxy.jsp
3. Find the project's client ID and client secret
4. In AM create an OAuth 2/OIDC authentication module using information from step 3.
- client id and secret
- Authn endpoint URL: https://accounts.google.com/o/oauth2/v2/auth
- Access token endpoint URL: https://www.googleapis.com/oauth2/v4/token
- User Profile service URL: https://www.googleapis.com/oauth2/v3/userinfo
- Scope: openid email profile
- Proxy URL: default - the same value used as the redirect URL when creating the Google project, e.g. .../OAuthProxy.jsp
- Account mapper config: email=mail
- Attribute mapper config: email=mail
- OpenID connect validation config type: jwk_url
- OpenID Connect validation configuration value: https://www.googleapis.com/oauth2/v3/certs
- Token Issuer: https://accounts.google.com
5. Create a user in OpenAM with the same email address as the Google account you will log in with.
To test:
- Request http://am.example.com:port/am/XUI/&module=oauth2#login (or simply set the module to be the default for the organisation). The redirect to Google will take place as expected.
- Allow the authId token to expire and then enter the user credentials.
- The user is redirected back to AM as expected but remains on a 'Loading' page rather than the profile being displayed as would be expected in this particular test.
Expected behaviour
In this particular test the user profile should be displayed.
Current behaviour
Currently after the redirect back to AM the user remains on a page in the XUI with 'Loading' in the top left corner.
Work arounds
1. Consider adjusting the timeout in /<openam_webapp>/config/auth/default_xx/OAuth.xml and also the 'Invalidate Session Max Time' setting, although the behaviour would still occur if the increased value is exceeded.
Reference: https://backstage.forgerock.com/knowledge/kb/article/a23597700
2. Clear the cookies in the browser and try again.
Issue links:
- is related to: OPENAM-12009 Unknown error in Oauth2/OIDC when user is not created (Open)
- relates to: OPENAM-11391 Requesting 'OAuth2.0/OIDC' auth module a second time results in display of AM's "Authentication Failed" page (Resolved)