OpenAM / OPENAM-12675

One-step authentication in a cluster requires sticky load balancing

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 5.5.1
    • Fix Version/s: None
    • Component/s: authentication, rest, XUI
    • Labels: None

      Description

      Bug description

      Driven by OPENAM-8336 (focused on multi-module login), I am also raising this use case as it affects one-step authentication, which means that sticky load balancing is a requirement in all cases. This was not the case in OpenAM 13.5. Also, the exception is quite confusing.

      How to reproduce the issue

      Default setup with 2 AM servers and one LB (not sticky), authenticating with the DataStore module.

      OpenAM 13.5:

      forgerock@sandbox:/opt$ curl -X POST \
      >   http://openam.example.com:38080/openam/json/authenticate \
      >   -H 'Cache-Control: no-cache' \
      >   -H 'Content-Type: application/json'
      
      {"authId":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogIjhuZXM1dXU2bDl1MWU4MTYwZ2xobHJoZDYxIiwgInJlYWxtIjogImRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3lDTTZBR0ZQcnJnTmlnbXBvOXlSVnV4WVBLclNRZ0Jycy4qQUFKVFNRQUNNREVBQWxOTEFCUXROak14TURZMk1qWTNOVFV3TWpZek9UVTNNZ0FDVXpFQUFBLi4qIiB9.q-8OW4_DzGS3Y9EvrDaB-RRZztykUtOh9R-XnJbBtGs","template":"","stage":"DataStore1","header":"Sign in to OpenAM","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":""}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":""}]}]}
      
      forgerock@sandbox:/opt$ curl -X POST \
      >   http://openam.example.com:48080/openam/json/authenticate \
      >   -H 'Cache-Control: no-cache' \
      >   -H 'Content-Type: application/json' \
      >   -d '{"authId":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogIjhuZXM1dXU2bDl1MWU4MTYwZ2xobHJoZDYxIiwgInJlYWxtIjogImRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3lDTTZBR0ZQcnJnTmlnbXBvOXlSVnV4WVBLclNRZ0Jycy4qQUFKVFNRQUNNREVBQWxOTEFCUXROak14TURZMk1qWTNOVFV3TWpZek9UVTNNZ0FDVXpFQUFBLi4qIiB9.q-8OW4_DzGS3Y9EvrDaB-RRZztykUtOh9R-XnJbBtGs","template":"","stage":"DataStore1","header":"Sign in","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":"demo"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":"changeit"}]}]}'
      
      {"tokenId":"AQIC5wM2LY4SfcwxIRGyP4vcIOnifaDKbNH5Nr_GrD-jTTc.*AAJTSQACMDIAAlNLABMxNDQ5NDkwODU4Mjk5MDExMzIwAAJTMQAA*","successUrl":"/openam/console"}

      AM 5.5.1:

      forgerock@sandbox:/opt$ curl -X POST \
      >   http://openam.example.com:18080/openam/json/authenticate \
      >   -H 'Cache-Control: no-cache' \
      >   -H 'Content-Type: application/json'
      
      {"authId":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJvdGsiOiJwanBxY2MxaGRzaDMycm1wOGFkdHZjdTdqMCIsInJlYWxtIjoiZGM9ZXhhbXBsZSxkYz1jb20iLCJzZXNzaW9uSWQiOiJOakNQa3hkdzRjLWZ6ZEV0WWprYkdPV0V3ZFEuKkFBSlRTUUFDTURNQUFsTkxBQnhzV1RKT1kzQlBNbTVIZFRjdk9XZEJTbWhTVUdkVldXdDJOM2M5QUFKVE1RQUNNREUuKiJ9.XaRR_1KPnfHww3vK1Gjz8km4343l1bPwbf1QJGYPHpo","template":"","stage":"DataStore1","header":"Sign in","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":""}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":""}]}]}
      
      forgerock@sandbox:/opt$ curl -X POST \
      >   http://openam.example.com:28080/openam/json/authenticate \
      >   -H 'Cache-Control: no-cache' \
      >   -H 'Content-Type: application/json' \
      >   -d '{"authId":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJvdGsiOiJwanBxY2MxaGRzaDMycm1wOGFkdHZjdTdqMCIsInJlYWxtIjoiZGM9ZXhhbXBsZSxkYz1jb20iLCJzZXNzaW9uSWQiOiJOakNQa3hkdzRjLWZ6ZEV0WWprYkdPV0V3ZFEuKkFBSlRTUUFDTURNQUFsTkxBQnhzV1RKT1kzQlBNbTVIZFRjdk9XZEJTbWhTVUdkVldXdDJOM2M5QUFKVE1RQUNNREUuKiJ9.XaRR_1KPnfHww3vK1Gjz8km4343l1bPwbf1QJGYPHpo","template":"","stage":"DataStore1","header":"Sign in","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"User Name:"}],"input":[{"name":"IDToken1","value":"demo"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Password:"}],"input":[{"name":"IDToken2","value":"changeit"}]}]}'
      
      {"code":401,"reason":"Unauthorized","message":"Session has timed out","detail":{"errorCode":"110"}}

      Workaround

      Sticky load balancing.

      Code analysis

      The exception is caused by:

      Caused by: com.sun.identity.authentication.service.AuthException: Session has timed out|session_timeout.jsp
              at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:225)

      which corresponds to AuthUtils.java:

      222 if (StringUtils.isNotEmpty(cookieURL) && (isLocalServer(cookieURL,true))) {
      223 utilDebug.error("AuthUtils:getAuthContext(): " + "Invalid Session Timed out");
      224 clearAllCookies(request, response);
      225 throw new AuthException(AMAuthErrorCode.AUTH_TIMEOUT);
      226 }
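Added example (not part of the original issue and not OpenAM's own code): the authId returned by the first request is an HS256-signed JWT whose claims can be read without the server-side key, and one of those claims is the ID of the in-progress authentication session. The script below decodes the two authId values from the transcripts above and parses the `.*...*` extension tail of that session ID. The key names SI, S1 and SK, and their reading as the issuing server's ID, the site ID and the storage key, are my interpretation of AM's session-ID format, not something this issue states; the script only makes visible that the authId pins the half-finished login to one specific server.

```python
"""Decode an AM/OpenAM authId and show which server its auth session is bound to."""
import base64
import json
import re

# Constructed inputs: the authId values copied from the first response of the
# OpenAM 13.5 and AM 5.5.1 transcripts in this issue.
AUTHID_13_5 = "eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogIjhuZXM1dXU2bDl1MWU4MTYwZ2xobHJoZDYxIiwgInJlYWxtIjogImRjPW9wZW5hbSxkYz1mb3JnZXJvY2ssZGM9b3JnIiwgInNlc3Npb25JZCI6ICJBUUlDNXdNMkxZNFNmY3lDTTZBR0ZQcnJnTmlnbXBvOXlSVnV4WVBLclNRZ0Jycy4qQUFKVFNRQUNNREVBQWxOTEFCUXROak14TURZMk1qWTNOVFV3TWpZek9UVTNNZ0FDVXpFQUFBLi4qIiB9.q-8OW4_DzGS3Y9EvrDaB-RRZztykUtOh9R-XnJbBtGs"
AUTHID_5_5_1 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJvdGsiOiJwanBxY2MxaGRzaDMycm1wOGFkdHZjdTdqMCIsInJlYWxtIjoiZGM9ZXhhbXBsZSxkYz1jb20iLCJzZXNzaW9uSWQiOiJOakNQa3hkdzRjLWZ6ZEV0WWprYkdPV0V3ZFEuKkFBSlRTUUFDTURNQUFsTkxBQnhzV1RKT1kzQlBNbTVIZFRjdk9XZEJTbWhTUUdkVldXdDJOM2M5QUFKVE1RQUNNREUuKiJ9.XaRR_1KPnfHww3vK1Gjz8km4343l1bPwbf1QJGYPHpo"


def _b64url_decode(s: str) -> bytes:
    """Base64url decode with the padding JWT segments leave out."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _c66_decode(s: str) -> bytes:
    """Undo the URL-safe alphabet AM uses inside session IDs: - _ . stand for + / =.
    (Assumed mapping; it is not described in this issue.)"""
    return base64.b64decode(s.replace("-", "+").replace("_", "/").replace(".", "="))


def jwt_payload(token: str) -> dict:
    """Return the JWT claims WITHOUT verifying the signature.

    The HS256 key lives only on the AM servers, so a client can read the claims
    but cannot forge them; reading is all this diagnosis needs.
    """
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    return json.loads(_b64url_decode(payload_b64))


def session_extensions(session_id: str) -> dict:
    """Parse the '.*<extension>*' tail of an AM session ID into a key/value dict.

    The tail decodes to a sequence of 2-byte big-endian length-prefixed key and
    value strings. Assumed meanings (my reading, not stated in the issue):
    SI = ID of the server holding the session, S1 = site ID, SK = storage key.
    """
    match = re.search(r"\.\*(.*)\*$", session_id)
    if not match:
        raise ValueError("session ID carries no extension part")
    raw = _c66_decode(match.group(1))
    ext, i = {}, 0
    while i < len(raw):
        klen = int.from_bytes(raw[i:i + 2], "big")
        key = raw[i + 2:i + 2 + klen].decode("ascii")
        i += 2 + klen
        vlen = int.from_bytes(raw[i:i + 2], "big")
        ext[key] = raw[i + 2:i + 2 + vlen].decode("ascii")
        i += 2 + vlen
    return ext


def auth_session_server(authid: str) -> str:
    """Server ID (extension SI) of the in-progress auth session an authId refers to."""
    return session_extensions(jwt_payload(authid)["sessionId"])["SI"]


def describe(authid: str) -> dict:
    """Summary of what an authId reveals: realm, bound server, site, storage key."""
    claims = jwt_payload(authid)
    ext = session_extensions(claims["sessionId"])
    return {"realm": claims["realm"], "server": ext["SI"],
            "site": ext.get("S1", ""), "storage_key": ext.get("SK", "")}


if __name__ == "__main__":
    for label, authid in (("13.5", AUTHID_13_5), ("5.5.1", AUTHID_5_5_1)):
        print(label, describe(authid))
```

Run it and the 13.5 authId reports server "01" while the 5.5.1 one reports server "03": in both versions the callbacks have to reach the server named there. In the 5.5.1 transcript the second request went to a different server, and that server answered with the "Session has timed out" error instead of something that says "not my session", which is the confusing part of this bug.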
       

      People

      • Assignee: Unassigned
      • Reporter: anastasios.kampas (Tasos Kampas)
      • Votes: 0
      • Watchers: 6