
Selfservice password reset token doesn't work in site due to OPENAM-6426

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 5.5.2
    • Fix Version/s: 6.0.0.5, 6.5.0, 6.0.1, 5.5.2
    • Component/s: self-service
    • Labels:
    • Sprint: AM Sustaining Sprint 55
    • Story Points: 1
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification: Yes

      Description

      Bug description

      The self-service snapshot token no longer works across the instances of a site since OPENAM-6426.

      How to reproduce the issue

      1. Install two AM 6.0.0.3 instances (AM1 and AM2) in one site.
      2. Configure self-service under the root realm.
      3. Enable "Forgotten Password" but disable "Email Verification".
      4. Retrieve the first stage of the self-service flow from AM2 (port 28080):
        curl -X POST -v \
          'http://openam.example.com:28080/openam/json/realms/root/selfservice/forgottenPassword?_action=submitRequirements' \
          -H 'Cache-Control: no-cache' \
          -H 'Content-Type: application/json' \
          -H 'Accept-API-Version: protocol=1.0,resource=1.0' \
          -H 'Accept: application/json' \
          -d '{"input":{"queryFilter":"uid eq \"testuser001\""}}'
        
      5. Submit the new password, together with the token returned by AM2, to AM1 (port 18080):
        curl -X POST -v \
          'http://openam.example.com:18080/openam/json/realms/root/selfservice/forgottenPassword?_action=submitRequirements' \
          -H 'Cache-Control: no-cache' \
          -H 'Content-Type: application/json' \
          -H 'Accept-API-Version: protocol=1.0,resource=1.0' \
          -H 'Accept: application/json' \
          -d '{"token":"eyJ0eXAi...","input":{"password":"cangetin12345"}}'
        

      After the last step, an "Invalid token" exception is logged in the CoreSystem debug log:

      org.forgerock.selfservice.core.AnonymousProcessService:10/03/2018 05:59:35:649 AM NZDT: Thread[http-bio-18080-exec-9,5,main]: TransactionId[ddf5fbab-bcb3-46c0-8bf4-96ccd4636fed-5172]
      Resource exception intercepted
      org.forgerock.json.resource.BadRequestException: Invalid token
              at org.forgerock.selfservice.core.AnonymousProcessService.progressProcess(AnonymousProcessService.java:194) <--- THIS LINE NUMBER
              at org.forgerock.selfservice.core.AnonymousProcessService.handleAction(AnonymousProcessService.java:115)
              at org.forgerock.openam.selfservice.SelfServiceRequestHandler.handleAction(SelfServiceRequestHandler.java:145)
              at org.forgerock.json.resource.Router.handleAction(Router.java:250)
              at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:55)
              at org.forgerock.openam.rest.fluent.AuditFilter.filterAction(AuditFilter.java:81)
      
      Expected behaviour
      The snapshot token should be accepted by every instance in the site.
      
      Current behaviour
      An "Invalid token" error (HTTP 400) is thrown when the token is presented to a different instance.
      

      Workaround

      Use sticky sessions, so that every request of one self-service flow reaches the same instance.

      Code analysis

      OPENAM-6426 introduced a new stage config, ActivityAuditStageConfig, whose hashCode() hashes enum values. Enum.hashCode() is the identity hash code, which each JVM assigns at runtime, so the same config object yields a different hash code on each instance of the site, and a snapshot token issued by one instance is rejected as invalid by the other.

      org.forgerock.openam.selfservice.stages.audit.ActivityAuditStageConfig.java
          @Override
          public boolean equals(Object o) {
              if (this == o) {
                  return true;
              }
      
              if (!(o instanceof ActivityAuditStageConfig)) {
                  return false;
              }
      
              ActivityAuditStageConfig that = (ActivityAuditStageConfig) o;
              return Objects.equals(getName(), that.getName())
                      && Objects.equals(getProgressStageClassName(), that.getProgressStageClassName())
                      && Objects.equals(realm, that.getRealm())
                      && Objects.equals(eventName, that.getEventName())
                      && Objects.equals(operation, that.getOperation());
          }
      
          // The enum-typed fields go straight into Objects.hash(). Enum.hashCode()
          // is the identity hash, so this value is not reproducible across JVMs.
          @Override
          public int hashCode() {
              return Objects.hash(getName(), getProgressStageClassName(), realm, eventName, operation);
          }
      
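      To see why the hash computed in ActivityAuditStageConfig cannot be compared between two instances, here is an added example (not OpenAM code; the StageConfig class and its enum constants are hypothetical stand-ins for the fields the page's hashCode() hashes). It shows that the enum hash is just the JVM identity hash and contrasts it with a hash over the enum names, which is one way to obtain a value that is the same on every node; whether the project's actual fix took this route is not stated on this page.

```java
import java.util.Objects;

/* Added example, not OpenAM code. StageConfig and its enums are hypothetical
 * stand-ins for ActivityAuditStageConfig and the enum fields it hashes. */
public class StageConfigHashDemo {

    enum EventName { FORGOTTEN_PASSWORD_START, FORGOTTEN_PASSWORD_COMPLETE }
    enum Operation { AUDIT }

    static final class StageConfig {
        final String name = "activityAudit";
        final String realm = "/";
        final EventName eventName = EventName.FORGOTTEN_PASSWORD_START;
        final Operation operation = Operation.AUDIT;

        // Same pattern as the page's hashCode(): the enum constants themselves
        // go into Objects.hash(). Enum.hashCode() is final and returns the
        // identity hash, a value each JVM assigns at runtime and that the Java
        // spec does not define, so two instances cannot be expected to agree.
        int identityBasedHash() {
            return Objects.hash(name, realm, eventName, operation);
        }

        // One way to make the value reproducible: hash the constants' names.
        // String.hashCode() is fully specified by the JLS, so this value is
        // identical on every JVM that sees the same configuration.
        int nameBasedHash() {
            return Objects.hash(name, realm, eventName.name(), operation.name());
        }
    }

    public static void main(String[] args) {
        StageConfig cfg = new StageConfig();

        // Enum.hashCode() delegates to Object.hashCode(), which is exactly what
        // System.identityHashCode() returns, so these two values always match.
        boolean isIdentity = cfg.eventName.hashCode()
                == System.identityHashCode(cfg.eventName);
        System.out.println("enum hash is identity hash : " + isIdentity);

        // Run this class on AM1 and on AM2: the first value is whatever each
        // JVM happened to assign, the second one is the same on both nodes.
        System.out.println("identity-based hash : " + cfg.identityBasedHash());
        System.out.println("name-based hash     : " + cfg.nameBasedHash());
    }
}
```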

      People

      • Assignee: Sachiko Wallace
      • Reporter: Sachiko Wallace
      • Votes: 0
      • Watchers: 5
