
CustomHOTP module is invoked via authorization policy, failed with 403 Forbidden

    Details

    • Sprint:
      AM Sustaining Sprint 55, AM Sustaining Sprint 56
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When the CustomHOTP module is invoked via an authorization policy, authentication fails with 403 Forbidden.

      1. If the Adaptive and CustomHOTP modules are invoked via an authentication chain, login is successful.
      2. If the same Adaptive and CustomHOTP modules are invoked via an authorization policy, authentication is not successful:
      after submitting the code, the user is redirected to a 403 Forbidden page.

      How to reproduce the issue

      Have not been able to reproduce the issue at ForgeRock.
      Steps provided by customer:
      1. Entered AD username and password
      2. Got prompt to select choice to receive code
      3. Got code to my phone and entered code and then Submit.
      4. After submit got redirected to 403 forbidden page as shown below.

      Research notes (from customer):

      1. If the Adaptive and CustomHOTP module is invoked via an authentication chain, login is successful.
      2. But when the same Adaptive and CustomHOTP module is invoked via an authorization policy, authentication is not successful. (I showed you guys during the webex how we are invoking the CUSTOM HOTP module using the Environment condition feature in the authorization policy.)

      It doesn't work with the OOTB HOTP either. Like I said, the issue is with adding the chain to the auth policy.
      As I mentioned earlier in the ticket, when the HOTP module is added to the auth policy I see the errors below in the debug logs. Could you look into these errors?
      WARNING: UserSelfCheckCondition.getConditionDecision Invalid attribute set in env params
      amPolicy:07/23/2018 01:09:17:049 PM EDT: Thread[default task-36,5,main]: TransactionId[3c3c1d5e-ffdc-42f7-90f4-2c2415d79d9b-566647]
      UserSelfCheckCondition.getConditionDecision: attributes check:false
      Entitlement:07/23/2018 01:09:17:049 PM EDT: Thread[default task-36,5,main]: TransactionId[3c3c1d5e-ffdc-42f7-90f4-2c2415d79d9b-566647]
      CachingEntitlementCondition.evaluate() caching condition decision "false" for condition: com.sun.identity.entitlement.opensso.PolicyCondition{
      "className": "com.sun.identity.policy.plugins.UserSelfCheckCondition",
      "name": "condition",
      "properties": {"attributes": ["oath2faEnabled"]}
      }

      Expected behaviour
      The agent flow is successful. This was working, but failed after the upgrade to 5.5.1.
      Current behaviour
      The flow breaks down with 403 Forbidden.
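      The customer's debug excerpt above shows the policy condition that actually produces the deny: UserSelfCheckCondition evaluates to "false" after warning that the attribute set in the environment parameters is invalid, and the entitlement layer caches that false decision. When triaging a ticket like this it helps to pull the condition decisions and their surrounding warnings out of the amPolicy/Entitlement debug logs mechanically rather than by eye. The following parser is an added example written for this ticket; it is not part of OpenAM and not the customer's or reporter's code. It assumes the log lines have exactly the shape quoted above (a `caching condition decision "…" for condition: <class>{` line followed by a JSON-like body closed by a line containing only `}`). The second, passing entry in the sample is constructed here purely so the filter has something to contrast with, and its class name is a placeholder, not a real OpenAM class.

```python
import json
import re

# Constructed sample input. The first five lines are the entries quoted in the
# ticket; the trailing entry is constructed for contrast and uses a placeholder
# class name that does not exist in OpenAM.
SAMPLE_LOG = """\
WARNING: UserSelfCheckCondition.getConditionDecision Invalid attribute set in env params
amPolicy:07/23/2018 01:09:17:049 PM EDT: Thread[default task-36,5,main]: TransactionId[3c3c1d5e-ffdc-42f7-90f4-2c2415d79d9b-566647]
UserSelfCheckCondition.getConditionDecision: attributes check:false
Entitlement:07/23/2018 01:09:17:049 PM EDT: Thread[default task-36,5,main]: TransactionId[3c3c1d5e-ffdc-42f7-90f4-2c2415d79d9b-566647]
CachingEntitlementCondition.evaluate() caching condition decision "false" for condition: com.sun.identity.entitlement.opensso.PolicyCondition{
"className": "com.sun.identity.policy.plugins.UserSelfCheckCondition",
"name": "condition",
"properties": {"attributes": ["oath2faEnabled"]}
}
Entitlement:07/23/2018 01:09:18:000 PM EDT: Thread[default task-36,5,main]: TransactionId[constructed-txn-0001]
CachingEntitlementCondition.evaluate() caching condition decision "true" for condition: com.sun.identity.entitlement.opensso.PolicyCondition{
"className": "example.placeholder.ConstructedPassingCondition",
"name": "condition",
"properties": {"exampleKey": ["exampleValue"]}
}
"""

DECISION_RE = re.compile(
    r'caching condition decision "(?P<decision>true|false)" for condition: (?P<cls>[\w.$]+)\{'
)
TXN_RE = re.compile(r"TransactionId\[(?P<txn>[^\]]+)\]")
WARN_RE = re.compile(r"^WARNING: (?P<source>\S+) (?P<msg>.*)$")


def parse_condition_decisions(log_text):
    """Extract cached condition decisions and WARNING lines from a debug log.

    Returns (decisions, warnings). Each decision records the transaction id of
    the most recent TransactionId[...] line seen before it, the boolean result,
    and the condition's className/name/properties parsed from the JSON body.
    """
    lines = log_text.splitlines()
    decisions, warnings = [], []
    current_txn = None
    i = 0
    while i < len(lines):
        line = lines[i]
        txn = TXN_RE.search(line)
        if txn:
            current_txn = txn.group("txn")
        warn = WARN_RE.match(line)
        if warn:
            # WARNING lines in this excerpt carry no transaction id, so they are
            # later correlated to decisions by the emitting class name instead.
            warnings.append({"source": warn.group("source"), "message": warn.group("msg")})
        dec = DECISION_RE.search(line)
        if dec:
            # The JSON body starts at the brace on this line and runs until a
            # line that is only the closing brace.
            body = ["{"]
            i += 1
            while i < len(lines) and lines[i].strip() != "}":
                body.append(lines[i])
                i += 1
            body.append("}")
            cond = json.loads("\n".join(body))
            decisions.append({
                "transaction": current_txn,
                "decision": dec.group("decision") == "true",
                "wrapper": dec.group("cls"),
                "className": cond.get("className"),
                "name": cond.get("name"),
                "properties": cond.get("properties", {}),
            })
        i += 1
    return decisions, warnings


def denied_conditions(decisions, warnings):
    """Return every condition that evaluated to false, paired with any WARNING
    emitted by the same condition class (matched on the simple class name)."""
    findings = []
    for dec in decisions:
        if dec["decision"]:
            continue
        simple = (dec["className"] or "").rsplit(".", 1)[-1]
        related = [w["message"] for w in warnings if w["source"].startswith(simple + ".")]
        findings.append({
            "transaction": dec["transaction"],
            "className": dec["className"],
            "attributes": dec["properties"].get("attributes", []),
            "warnings": related,
        })
    return findings


if __name__ == "__main__":
    decs, warns = parse_condition_decisions(SAMPLE_LOG)
    for finding in denied_conditions(decs, warns):
        print(f"DENY by {finding['className']} (txn {finding['transaction']})")
        print(f"  attributes checked: {finding['attributes']}")
        for msg in finding["warnings"]:
            print(f"  warning: {msg}")
```

      Run against the ticket's excerpt this reports a single deny from UserSelfCheckCondition on the `oath2faEnabled` attribute, with the "Invalid attribute set in env params" warning attached, which is the concrete thing to compare between the working authentication-chain setup and the failing authorization-policy setup.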

      People

      • Assignee:
        lawrence.yarham Lawrence Yarham
      • Reporter:
        yaodong.hu Yaodong Hu [X] (Inactive)