  1. OpenAM
  2. OPENAM-14147

arg=newsession in XUI just shows the "Loading..." page

    Details

    • Sprint:
      AM Sustaining Sprint 58, AM Sustaining Sprint 59
    • Story Points:
      2
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      When there is a session and XUI is then logged in to as
      http://<am>/openam/XUI/?realm=/test&arg=newsession#login/
      it does not show any login screen and is stuck with a
      blank (or Loading...) page.

      How to reproduce the issue

      1. Create a test realm
      2. Login to the realm /test as demo user
      3. On another tab access http://<am>/openam/XUI/?realm=/test&arg=newsession#login/

      The purpose of arg=newsession is also to remove, say, any session upgrade use.
      The XUI seems to clear the session, but two logout requests are seen, where the latter one is seen as DENIED. There is no page rendering to redirect to ask for the login page.

      Expected behaviour
      The URL http://<am>/openam/XUI/?realm=/test&arg=newsession#login/ should destroy the old session and ask to login with a new one (like ForceAuth)
      
      Current behaviour
      When there is a logged-in session, accessing http://<am>/openam/XUI/?realm=/test&arg=newsession#login/ the 2nd time does not work and is stuck then, until the next reload of this page.
      

      Work around

      -

      Code analysis

      a) The code, when having arg=newsession, sets this as a REST call to AM
      b) When there is a session (as part of the SSO Cookie), the empty POST
      /json/authenticate?arg=newsession (with the SSO cookie) returns
      the reflected

      { "tokenId": <id> }

      in the payload
      c) Then XUI does a session logout (which does a REST logout)
      d) However, there is no way that it can continue rendering, as the payload
      does not have any callback and also the tokenId is clear (but it ends in
      that pay). So there is no way to render a page that is with an existing session,
      nor a way to render the needed callback this needs.

      PS: It seems /json/authenticate?arg=newsession does not do server-side clearing
      of session (this is fine)

      e) It would then seem that XUI should detect arg=newsession, clear the session or retry the authn w/o arg=newsession?

            People

            • Assignee:
              chee-weng.chea C-Weng C
              Reporter:
              chee-weng.chea C-Weng C
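Steps a) to e) of the code analysis, modelled as an added JavaScript example (not XUI or AM code, and not written by the reporter): a client that treats a tokenId-only response to an arg=newsession request as "log out, then retry once without arg=newsession" instead of stalling. The in-memory mock server, the names `makeMockAm`, `nextAction` and `login`, the action strings and the sample token are all hypothetical.

```javascript
// In-memory stand-in for AM, behaving as the code analysis describes.
function makeMockAm() {
  const sessions = new Set(["OLD-TOKEN"]); // constructed sample session
  return {
    sessions,
    // Models POST /json/authenticate[?arg=newsession] with an optional SSO cookie.
    // Per the PS in the report, arg=newsession does not clear the session server-side,
    // so the flag is ignored here.
    authenticate({ cookie }) {
      if (cookie && sessions.has(cookie)) {
        return { tokenId: cookie }; // step b): token reflected, no callbacks
      }
      return {
        authId: "constructed-auth-id",
        callbacks: [{ type: "NameCallback" }, { type: "PasswordCallback" }],
      };
    },
    logout(cookie) { sessions.delete(cookie); }, // step c): REST logout
  };
}

// Classify an authenticate response so the UI always has something to render.
function nextAction(response, requestedNewSession) {
  if (Array.isArray(response.callbacks) && response.callbacks.length > 0) {
    return "render-login";
  }
  if (response.tokenId && requestedNewSession) return "logout-and-retry"; // step e)
  if (response.tokenId) return "already-authenticated";
  return "error";
}

// Drive the flow; the loop is bounded so a misbehaving server cannot cause endless retries.
function login(am, { newsession, cookie }) {
  const trace = [];
  let attempt = { newsession, cookie };
  for (let i = 0; i < 2; i++) {
    const response = am.authenticate(attempt);
    const action = nextAction(response, attempt.newsession);
    trace.push(action);
    if (action !== "logout-and-retry") return { action, trace, response };
    am.logout(response.tokenId);                    // destroy the old session first
    attempt = { newsession: false, cookie: null };  // retry w/o arg=newsession
  }
  return { action: "error", trace };
}
```

Without the `logout-and-retry` branch, the first response (step d) carries neither callbacks nor a usable session, which is the state the report describes as stuck on "Loading...".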