[OPENAM-11789] User remains on 'Loading' page with 'OAuth2.0/OIDC' auth module if authId token expires before entering credentials - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0
Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2
Component/s: authentication, oauth2
Labels:
- EDISON

Target Version/s:

13.5.2, 14.5.1, 6.0.0, 14.1.2

Sprint:
AM Sustaining Sprint 43
Story Points:
5
Needs backport:

Yes

Support Ticket IDs:

Verified Version/s:

13.5.2, 14.1.2
Needs QA verification:

Yes
Functional tests:

No
Are the reproduction steps defined?:

Yes and I used the same an in the description

Description

Bug description

A user remains stuck on an XUI 'Loading' page when using the 'OAuth2.0/OIDC' auth module if the authId token is allowed to expire before they submit their credentials on a remote IDP which then redirects back to AM.

How to reproduce the issue (Google can be used to test)

1. Go to https://console.developers.google.com
2. Create a project and set the redirect uri to be http://am.fqdn:port/am/oauth2c/OAuthProxy.jsp
3. Find the project's client ID and client secret
4. In AM create an OAuth 2/OIDC authentication module using information from step 3.

client id and secret
Authn endpoint URL: https://accounts.google.com/o/oauth2/v2/auth
Access token endpoint URL:https://www.googleapis.com/oauth2/v4/token
User Profile service URL: https://www.googleapis.com/oauth2/v3/userinfo
Scope: openid email profile
Proxy URL: default - same as used for redirect URL when creating the Google project eg .../OAuthProxy.jsp
Account mapper config: email=mail
Attribute mapper config: email=mail
OpenID connect validation config type: jwk_url
OpenID Connect validation configuration value: https://www.googleapis.com/oauth2/v3/certs
Token Issuer: https://accounts.google.com

5. Create user in OpenAM with same email as user you are logging to google.

To test:

Request http://am.example.com:port/am/XUI/&module=oauth2#login (or simply set the module to be the default for the organisation). The redirect to Google will take place as expected.
Allow the authId token to expire and then enter the user credentials.
The user is redirected back to AM as expected but remains on a 'Loading' page rather than the profile being displayed as would be expected in this particular test.

Expected behaviour

In this particular test the user profile should be displayed.

Current behaviour

Currently after the redirect back to AM the user remains on a page in the XUI with 'Loading' in the top left corner.

Work arounds

1. Consider adjusting the timeout in /<openam_webapp>/config/auth/default_xx/OAuth.xml and also the 'Invalidate Session Max Time' setting although the behaviour would remain if this increased value was exceeded.

Reference: https://backstage.forgerock.com/knowledge/kb/article/a23597700

2. Clear the cookies in the browser and try again.

Attachments

Issue Links

is related to

OPENAM-12009 Unknown error in Oauth2/OIDC when user is not created

Open

relates to

OPENAM-11391 Requesting 'OAuth2.0/OIDC' auth module a second time results in display of AM's "Authentication Failed" page

Resolved

Activity

People

Assignee:

Adam Heath

Reporter:

Andy Itter

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

19/Sep/17 8:37 PM

Updated:

11/Oct/18 2:11 PM

Resolved:

29/Sep/17 10:23 AM