Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-12627

initiating TransactionConditionAdvice with a wrong credential resulting in a non-error response

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 6.5.1, 7.0.0, 5.5.2
    • Component/s: None
    • Labels:
    • Environment:
      This test case reuse the setup script provided in the 5.5.1 TOI but minus the push authentication part. It only uses DataStore in this case.
    • Sprint:
      AM Sustaining Sprint 57, AM Sustaining Sprint 58, AM Sustaining Sprint 59, AM Sustaining Sprint 60
    • Story Points:
      5
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description

      Description

      Bug description

      User should receive error response when authentication has failed during TransactionConditionAdvice auth to avoid confusion

      How to reproduce the issue

      1. setup an OpenAM 5.5.1
      2. login to admin console
      3. click [REALMS] -> [Top Level Realm] -> [Authentication] -> [Chains] -> [+ Add Chain]. Type in the following value and leave the rest as default :
            Name: pushService 
            Module: DataStore : REQUISITE
           
      4. click [REALMS] -> [Top Level Realm] -> [Authorization] -> [Policy Sets] -> "Default Policy Set" -> [+ Add a Policy]. Type in the following value:
            Id: PushServiceTransactionPolicy 
            Resource Types: URL
            Resources : http://example.com:80/*, http://agent.example.com:48080/*
            Actions: "POST": allow, "GET": allow
            Subjects: Authenticated Users
            Environment: Type=Transaction, Authentication Strategy=Authenticate to Chain, Strategy Specifier=pushService
           
      5. authenticate with amadmin & demo and get SSOToken
        curl --request POST --header "X-OpenAM-Username: <amadmin/demo>" --header "X-OpenAM-Password: <password>"  --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}"  "http://openam.example.com:18080/openam/json/realms/root/authenticate"
      6. request policy evaluation
        curl -X POST -k --header "iPlanetDirectoryPro: <amadmin token>" --header "Content-Type: application/json" --data '{"resources": ["http://example.com:80/index.html"], "application":"iPlanetAMWebAgentService", "subject": {"ssoToken": "<user token>"}} ' "http://openam.example.com:18080/openam/json/policies?_action=evaluate"
      7. previous step will return TransactionConditionAdvice with UUID as response. Use this UUID to request /authenticate endpoint with composite_advice auth module
        curl -X POST 'http://openam.example.com:18080/openam/json/authenticate?authIndexType=composite_advice&authIndexValue=%3CAdvices%3E%0A%3CAttributeValuePair%3E%0A%3CAttribute%20name%3D%22TransactionConditionAdvice%22%2F%3E%0A%3CValue%3E<transaction UUID>%3C%2FValue%3E%0A%3C%2FAttributeValuePair%3E%0A%3C%2FAdvices%3E' --header 'Content-Type: application/json' --header 'iPlanetDirectoryPro: <user token>' --data '{}'
            
      8. fill in the input values but provide wrong user password.
         curl -X POST 'http://openam.example.com:18080/openam/json/authenticate?authIndexType=composite_advice&authIndexValue=%3CAdvices%3E%0A%3CAttributeValuePair%3E%0A%3CAttribute%20name%3D%22TransactionConditionAdvice%22%2F%3E%0A%3CValue%3E<transaction UUID>%3C%2FValue%3E%0A%3C%2FAttributeValuePair%3E%0A%3C%2FAdvices%3E' --header 'Content-Type: application/json' --header 'iPlanetDirectoryPro: <user token>' --data '{"authId":"<authId>","template":"","stage":"Datastore1","header":"Sign in","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":"demo"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":"changeit123"}]}]}

      At this point, user will receive HTTP response code 200 with a clean response message not hinting anything about authentication failure :

      {
          "tokenId": "<old user token>",
          "successUrl": "http://example.com:80/index.html",
          "realm": "/"
      }
      

      Policy evaluation will return empty result with this transaction UUID when policy evaluation was continued after step up auth has failed, but it is confusing for the user why policy evaluation is not successful.

      *NOTE:* This test case uses "DataStore" as auth module to simplify the scenario, but that shouldn't stop this bug from being evaluated as push auth will have the same issue described above.

      Expected behaviour
      Failed authentication during composite_advice should provide a more meaningful message when the credential was wrong. 
      
      Current behaviour
      Authentication during composite_advice returns an identical message regardless of the correctness of the credential login. 
      

       

        Attachments

        1. How-To-Use-Scripts.pdf
          106 kB
        2. run-setup.sh
          11 kB
        3. setup-openam.sh
          11 kB
        4. setup-openam65.sh
          12 kB

          Issue Links

            Activity

              People

              • Assignee:
                sachiko Sachiko Wallace
                Reporter:
                sam.phua Sam Phua
              • Votes:
                0 Vote for this issue
                Watchers:
                15 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: