- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 5.5.1
- Component/s: None
- Labels:
- Environment: This test case reuses the setup script provided in the 5.5.1 TOI but minus the push authentication part. It only uses DataStore in this case.
- Sprint: AM Sustaining Sprint 57, AM Sustaining Sprint 58, AM Sustaining Sprint 59, AM Sustaining Sprint 60
- Story Points: 5
- Needs backport: No
- Support Ticket IDs:
- Verified Version/s:
- Needs QA verification: Yes
- Functional tests: No
- Are the reproduction steps defined?: Yes, and I used the same as in the description
Bug description
The user should receive an error response when authentication fails during TransactionConditionAdvice step-up auth, to avoid confusion.
How to reproduce the issue
- setup an OpenAM 5.5.1
- login to admin console
- click [REALMS] -> [Top Level Realm] -> [Authentication] -> [Chains] -> [+ Add Chain]. Type in the following values and leave the rest as default:
Name: pushService
Module: DataStore : REQUISITE
- click [REALMS] -> [Top Level Realm] -> [Authorization] -> [Policy Sets] -> "Default Policy Set" -> [+ Add a Policy]. Type in the following values:
Id: PushServiceTransactionPolicy
Resource Types: URL
Resources: http://example.com:80/*, http://agent.example.com:48080/*
Actions: "POST": allow, "GET": allow
Subjects: Authenticated Users
Environment: Type=Transaction, Authentication Strategy=Authenticate to Chain, Strategy Specifier=pushService
- authenticate as amadmin and as demo and get an SSOToken for each:
curl --request POST --header "X-OpenAM-Username: <amadmin/demo>" --header "X-OpenAM-Password: <password>" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/authenticate"
- request policy evaluation:
curl -X POST -k --header "iPlanetDirectoryPro: <amadmin token>" --header "Content-Type: application/json" --data '{"resources": ["http://example.com:80/index.html"], "application":"iPlanetAMWebAgentService", "subject": {"ssoToken": "<user token>"}} ' "http://openam.example.com:18080/openam/json/policies?_action=evaluate"
- the previous step returns a TransactionConditionAdvice containing a transaction UUID. Use this UUID to call the /authenticate endpoint with authIndexType=composite_advice:
curl -X POST 'http://openam.example.com:18080/openam/json/authenticate?authIndexType=composite_advice&authIndexValue=%3CAdvices%3E%0A%3CAttributeValuePair%3E%0A%3CAttribute%20name%3D%22TransactionConditionAdvice%22%2F%3E%0A%3CValue%3E<transaction UUID>%3C%2FValue%3E%0A%3C%2FAttributeValuePair%3E%0A%3C%2FAdvices%3E' --header 'Content-Type: application/json' --header 'iPlanetDirectoryPro: <user token>' --data '{}'
- fill in the callback input values, but provide a wrong user password:
curl -X POST 'http://openam.example.com:18080/openam/json/authenticate?authIndexType=composite_advice&authIndexValue=%3CAdvices%3E%0A%3CAttributeValuePair%3E%0A%3CAttribute%20name%3D%22TransactionConditionAdvice%22%2F%3E%0A%3CValue%3E<transaction UUID>%3C%2FValue%3E%0A%3C%2FAttributeValuePair%3E%0A%3C%2FAdvices%3E' --header 'Content-Type: application/json' --header 'iPlanetDirectoryPro: <user token>' --data '{"authId":"<authId>","template":"","stage":"Datastore1","header":"Sign in","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":"demo"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":"changeit123"}]}]}'
At this point the user receives HTTP response code 200 with a clean response message that gives no hint of the authentication failure:
{ "tokenId": "<old user token>", "successUrl": "http://example.com:80/index.html", "realm": "/" }
When policy evaluation is continued with this transaction UUID after the step-up authentication has failed, it returns an empty result, and it is confusing for the user why the policy evaluation is not successful.
*NOTE:* This test case uses "DataStore" as the auth module to simplify the scenario, but that should not stop this bug from being evaluated, as push auth has the same issue described above.
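As an added illustration (not OpenAM code and not part of the original ticket), the following Python helpers automate the glue around the steps above: pulling the transaction UUID out of the policy-evaluation response, producing the percent-encoded `authIndexValue` that the curl commands hand-encode, filling the NameCallback/PasswordCallback inputs, and classifying the step-up outcome by re-evaluating the policy rather than trusting the HTTP 200, which is exactly the signal this ticket says is missing. The JSON shapes are taken from the page; every sample value is constructed, and the `step_up_outcome` rule (empty `actions` means the step-up failed) follows the ticket's own observation.

```python
"""Helpers for the TransactionConditionAdvice step-up flow described above.

Added example, not OpenAM's own code. Assumes the OpenAM 5.5.1 JSON shapes
shown on the page: policy-evaluation responses are a list of objects with
``resource``, ``actions`` and ``advices``; authenticate responses carry a
``callbacks`` list. All sample payloads below are constructed.
"""
import copy
from urllib.parse import quote

ADVICE_NAME = "TransactionConditionAdvice"

# Constructed sample payloads (shapes from the page, values made up).
SAMPLE_RESOURCE = "http://example.com:80/index.html"
SAMPLE_UUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_EVALUATION = [
    {
        "resource": SAMPLE_RESOURCE,
        "actions": {},
        "attributes": {},
        "advices": {ADVICE_NAME: [SAMPLE_UUID]},
    }
]
SAMPLE_CALLBACKS = {
    "authId": "<authId>",
    "template": "",
    "stage": "Datastore1",
    "header": "Sign in",
    "callbacks": [
        {"type": "NameCallback",
         "output": [{"name": "prompt", "value": "User Name:"}],
         "input": [{"name": "IDToken1", "value": ""}]},
        {"type": "PasswordCallback",
         "output": [{"name": "prompt", "value": "Password:"}],
         "input": [{"name": "IDToken2", "value": ""}]},
    ],
}
# What the ticket reports after a wrong password: HTTP 200, no error hint.
SAMPLE_AUTH_RESULT = {"tokenId": "<old user token>",
                      "successUrl": SAMPLE_RESOURCE,
                      "realm": "/"}


def extract_transaction_uuids(evaluate_response):
    """Return {resource: [transaction UUIDs]} for every decision carrying a
    TransactionConditionAdvice. Resources without the advice are omitted."""
    found = {}
    for decision in evaluate_response:
        uuids = decision.get("advices", {}).get(ADVICE_NAME, [])
        if uuids:
            found[decision["resource"]] = list(uuids)
    return found


def build_auth_index_value(transaction_uuid, advice_name=ADVICE_NAME):
    """Build the percent-encoded <Advices> document used as the
    authIndexValue query parameter (hand-encoded in the curl commands above).
    safe="" so that "/" becomes %2F, matching the page's URL byte for byte."""
    xml = (
        "<Advices>\n"
        "<AttributeValuePair>\n"
        f'<Attribute name="{advice_name}"/>\n'
        f"<Value>{transaction_uuid}</Value>\n"
        "</AttributeValuePair>\n"
        "</Advices>"
    )
    return quote(xml, safe="")


def fill_callbacks(auth_response, username, password):
    """Fill the NameCallback/PasswordCallback inputs of an authenticate
    response so it can be posted back. The original object is not mutated."""
    filled = copy.deepcopy(auth_response)
    for cb in filled["callbacks"]:
        if cb["type"] == "NameCallback":
            cb["input"][0]["value"] = username
        elif cb["type"] == "PasswordCallback":
            cb["input"][0]["value"] = password
    return filled


def step_up_outcome(auth_response, resource, reevaluation_response):
    """Classify the step-up result.

    The bug on this page is that a failed composite_advice login still returns
    HTTP 200 with a tokenId, so the authenticate response alone cannot be
    trusted. The reliable signal is re-evaluating the policy for the resource
    with the transaction UUID: an empty ``actions`` map means the step-up
    failed, a non-empty one means it succeeded.
    """
    if "tokenId" not in auth_response:
        return "not-authenticated"
    for decision in reevaluation_response:
        if decision.get("resource") == resource and decision.get("actions"):
            return "step-up-succeeded"
    return "step-up-failed-silently"


if __name__ == "__main__":
    uuid = extract_transaction_uuids(SAMPLE_EVALUATION)[SAMPLE_RESOURCE][0]
    print("authIndexValue=" + build_auth_index_value(uuid))
    print(step_up_outcome(SAMPLE_AUTH_RESULT, SAMPLE_RESOURCE, SAMPLE_EVALUATION))
```

Only `step_up_outcome` is specific to this ticket: it treats the 200/tokenId response as non-evidence and lets the re-evaluation decide, which is the workaround a client has until the server returns a meaningful failure.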
Expected behaviour
Failed authentication during composite_advice should return a more meaningful message when the credentials are wrong.
Current behaviour
Authentication during composite_advice returns an identical message regardless of whether the supplied credentials are correct.
- is related to:
  - OPENAM-14462 Document a new parameter that would return 401 instead of 200 when TransactionConditionAdvice fails with a wrong credential (Resolved)
  - OPENAM-12663 RFE for a non-push Authz use case using TransactionConditionAdvice (Open)