  1. OpenAM
  2. OPENAM-12421

Re-authentication/Session upgrade using ForceAuth broken when using Post Authentication Module


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 14.1.1, 5.5.1
    • Fix Version/s: None
    • Component/s: authentication
    • Needs backport: Yes
    • Needs QA verification: Yes
    • Functional tests: No
    • Are the reproduction steps defined?: Yes and I used the same as in the description

      Description

      Bug description

      When a Post Authentication Plugin (I'm using the sample PAP) is configured as part of a chain, using the ForceAuth parameter to force the user to re-authenticate results in the first attempt at authentication failing with "unknown error, please contact your system administrator", but if the user presses the submit button again (using the same credentials still present on the form) the authentication succeeds.

      The PAP is just the sample PAP from https://backstage.forgerock.com/docs/am/5.5/authentication-guide/#sec-post-auth, which sets a session property.

      How to reproduce the issue

      1. Compile the sample Post Authentication Plugin
      2. Deploy to /WEB-INF/lib
      3. Restart AM
      4. From the admin console, modify the ldapservice chain to add the post auth plugin (ensure you click the "+") then save. Note I have used a sub-realm of "customers".
      5. Authenticate to the realm using a valid user and verify presentation of the user profile page (http://id.example.com:8080/am/XUI/?realm=/customers&authIndexType=service&authIndexValue=ldapservice#login)
      6. Force Re-authentication using: http://id.example.com:8080/am/XUI/?realm=/customers&authIndexType=service&authIndexValue=ldapservice&ForceAuth=true#login

      Expected behaviour

      User should be re-authenticated and presented with the user profile page.

      Current behaviour

      First authentication attempt fails with "unknown error, please contact your system administrator", but if the user presses the submit button again with the same credentials, the authentication succeeds.
      
      The Authentication debug shows login succeeding but seems to stop at the loading of the PAP:
      
      ModuleAuthTime = A+2018-02-09T10:40:36Z|c+2018-02-09T10:40:36Z|D+2018-02-09T10:40:36Z|LDAP+2018-02-09T10:43:10Z|e+2018-02-09T10:40:36Z|L+2018-02-09T10:40:36Z|m+2018-02-09T10:40:36Z|/+2018-02-09T10:40:36Z|o+2018-02-09T10:40:36Z|P+2018-02-09T10:40:36Z|r+2018-02-09T10:40:36Z|s+2018-02-09T10:40:36Z|t+2018-02-09T10:40:36Z|u+2018-02-09T10:40:36Z|:+2018-02-09T10:40:36Z
      amAuth:02/09/2018 11:43:10:739 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      is Application Module : false
      amAuth:02/09/2018 11:43:10:739 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      request: in setProperty stuff
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      Removing authentication session with sessionID mYTGVOMD_XrF9CcU4coXHFRMdRo.*AAJTSQACMDEAAlNLABxvaUEraEFxV1Mzblk5YiswRmVnc0NUVmxKUTg9AAJTMQAA*
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      getUserDN: uid=user.1,ou=People,dc=idrepo,dc=forgerock,dc=com
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      login success
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      Came to before if Failed loop
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      AMLoginContext.runLogin: calling incSsoServerAuthenticationSuccessCount
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      getUserDN: uid=user.1,ou=People,dc=idrepo,dc=forgerock,dc=com
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      getUserDN: uid=user.1,ou=People,dc=idrepo,dc=forgerock,dc=com
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      finished...login notify all threads
      AMLoginContext:LoginStatus: 3
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      postProcessOnSuccess
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      Service Attributes are . :{iplanet-am-auth-login-failure-url=[], iplanet-am-auth-post-login-process-class=[com.forgerock.openam.examples.SamplePAP], iplanet-am-auth-configuration=[<AttributeValuePair><Value>LDAP REQUIRED </Value></AttributeValuePair>], iplanet-am-auth-login-success-url=[]}
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      postLoginClassName: [com.forgerock.openam.examples.SamplePAP]
      amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[8eee472b-2235-43ab-8ec0-17de0fc5fdb5-5041]
      postLoginClassSet = [com.forgerock.openam.examples.SamplePAP]
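
      For triaging amAuth debug output like the excerpt above, the following is an added example (not part of the original report and not OpenAM code). It pairs each header line with its message, groups entries by TransactionId, and flags transactions that logged "login success" but end at the PAP class lookup. The function names, the transaction ids tx-A/tx-B and the stall heuristic are assumptions made for illustration.

```python
import re

# Header line of an amAuth debug entry; the message follows on the next line(s).
HEADER = re.compile(
    r"^(?P<log>\w+):(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]*)\]: TransactionId\[(?P<tx>[^\]]*)\]\s*$"
)

def parse_entries(text):
    """Return one dict per debug entry, with multi-line messages joined."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": []})
        elif entries and line:
            entries[-1]["msg"].append(line)
    for e in entries:
        e["msg"] = "\n".join(e["msg"])
    return entries

def stalled_after_login(entries, marker="postLoginClassSet"):
    """Heuristic (assumption): flag transactions that logged 'login success'
    but whose last entry is the PAP class lookup, with nothing logged after."""
    by_tx = {}
    for e in entries:
        by_tx.setdefault(e["tx"], []).append(e["msg"])
    return [tx for tx, msgs in by_tx.items()
            if "login success" in msgs and msgs[-1].startswith(marker)]

# Constructed sample: message text taken from the report, transaction ids made up.
SAMPLE = """\
amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[tx-A]
login success
amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[tx-A]
finished...login notify all threads
AMLoginContext:LoginStatus: 3
amAuth:02/09/2018 11:43:10:783 AM CET: Thread[http-nio-8080-exec-2,5,main]: TransactionId[tx-A]
postLoginClassSet = [com.forgerock.openam.examples.SamplePAP]
amAuth:02/09/2018 11:43:11:120 AM CET: Thread[http-nio-8080-exec-3,5,main]: TransactionId[tx-B]
login success
amAuth:02/09/2018 11:43:11:121 AM CET: Thread[http-nio-8080-exec-3,5,main]: TransactionId[tx-B]
postProcessOnSuccess
"""

if __name__ == "__main__":
    for tx in stalled_after_login(parse_entries(SAMPLE)):
        print("stalled after PAP lookup:", tx)
```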

       


              People

              Assignee:
              yaodong.hu Yaodong Hu [X] (Inactive)
              Reporter:
              bradley.tarisznyas Brad Tarisznyas