
moduleMessageEnabledInPasswordGrant is providing a different authentication error since AM 6.5.1


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.1, 6.5.2
    • Fix Version/s: 6.5.2.3, 7.0.0, 6.5.3
    • Component/s: None
    • Labels:
    • Sprint: AM Sustaining Sprint 65
    • Story Points: 2
    • Needs backport: Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Functional tests: No

      Description

      Bug description

      Since AM 6.5.1, enabling moduleMessageEnabledInPasswordGrant produces a different authentication error than in earlier releases.

      How to reproduce the issue

      Set up AM 6.5.2

      Setup

      OAuth2 Provider - enable "Auth Module Messages for Password Credentials Grant" in the Advanced tab

      OAuth2 client - myOAuth2Client, password: oauth2client

      Test case with a wrong password for the demo user

      --------------------------------------

      openam=http://openam.internal.example.com:8080
      pass=wrongpassword
      curl -s -k --user "myOAuth2Client:oauth2client" --request POST --data "grant_type=password&username=demo&password=$pass&scope=profile+openid" $openam/openam/oauth2/access_token | jq .
      ------------------------------------

       
      AM 6.5.2
      =========

      before enabling moduleMessageEnabledInPasswordGrant

      {
        "error_description": "Resource owner authentication failed",
        "error": "invalid_grant"
      }

      after enabling moduleMessageEnabledInPasswordGrant

      {
        "error_description": "The provided access grant is invalid, expired, or revoked.",
        "error": "invalid_grant"
      }

      The above error message is not in line with the documentation for moduleMessageEnabledInPasswordGrant, which states:

      If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages.

      Comparing with AM 6.5.0.2 or 6.0.0.7
      =========

      before enabling moduleMessageEnabledInPasswordGrant

      {
        "error_description": "Resource owner authentication failed",
        "error": "invalid_grant"
      }

      after enabling moduleMessageEnabledInPasswordGrant

      {
        "error_description": "Authentication Failed",
        "error": "invalid_grant"
      }

      If the account has been locked, this message should be observed instead:

      {
        "error_description": "Your account has been locked.",
        "error": "invalid_grant"
      }

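The following is an added example, not OpenAM code or anything attached to this issue: a small regression check that builds the same password-grant request as the curl command above (HTTP Basic client authentication, form-encoded body) and classifies the token endpoint's error body against the documented behaviour of moduleMessageEnabledInPasswordGrant. It assumes the /openam context path used in the reproduction; the sample response bodies are constructed from the outputs quoted in this issue, and the `send` parameter lets the check run offline against those fixtures instead of a live server.

```python
"""Added example (not OpenAM code): regression check for the Resource Owner
Password Credentials token endpoint error text, built from the curl command
and the response bodies quoted in this issue.  Assumes the /openam context
path from the reproduction; sample bodies below are constructed fixtures."""
import base64
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# The two generic descriptions AM returns when no module message is surfaced.
GENERIC_FAILURE = "Resource owner authentication failed"
GENERIC_GRANT = "The provided access grant is invalid, expired, or revoked."


def build_token_request(base_url, client_id, client_secret, username, password,
                        scope="profile openid"):
    """Same request as the curl in the reproduction: HTTP Basic client
    authentication (curl --user) and a form-encoded password grant body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope}).encode()
    return Request(f"{base_url}/openam/oauth2/access_token", data=body, method="POST",
                   headers={"Authorization": f"Basic {creds}",
                            "Content-Type": "application/x-www-form-urlencoded"})


def decode_basic_header(value):
    """Inverse of the client-credential encoding above, used to verify the header."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(token).decode()


def classify_error(body, module_messages_enabled):
    """Compare a token-endpoint error body with the documented behaviour of
    moduleMessageEnabledInPasswordGrant.

    Returns one of:
      'expected'               matches the documented behaviour
      'generic-grant-fallback' the regression in this issue: setting on, but the
                               generic grant text comes back
      'module-message-leak'    a module message comes back although the setting
                               is off (more detail than intended, e.g. lockout)
      'unexpected'             anything else
    """
    try:
        err = json.loads(body)
    except ValueError:
        return "unexpected"
    if err.get("error") != "invalid_grant":
        return "unexpected"
    desc = err.get("error_description", "")
    if module_messages_enabled:
        if desc == GENERIC_GRANT:
            return "generic-grant-fallback"
        if desc == GENERIC_FAILURE:
            return "unexpected"
        return "expected"  # e.g. "Authentication Failed", "Your account has been locked."
    if desc == GENERIC_FAILURE:
        return "expected"
    if desc == GENERIC_GRANT:
        return "unexpected"
    return "module-message-leak"


def send_request(req):
    """Default transport.  AM answers a failed grant with HTTP 400, so the JSON
    body has to be read from the HTTPError as well."""
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    except HTTPError as e:
        return e.read().decode()


def check_endpoint(base_url, client_id, client_secret, username, wrong_password,
                   module_messages_enabled, send=send_request):
    """Run the reproduction against a live AM (or an injected transport) and classify the result."""
    req = build_token_request(base_url, client_id, client_secret, username, wrong_password)
    return classify_error(send(req), module_messages_enabled)


# Response bodies constructed from the outputs quoted in this issue.
SAMPLE_652_AFTER = '{"error_description": "The provided access grant is invalid, expired, or revoked.", "error": "invalid_grant"}'
SAMPLE_6502_AFTER = '{"error_description": "Authentication Failed", "error": "invalid_grant"}'
SAMPLE_LOCKED = '{"error_description": "Your account has been locked.", "error": "invalid_grant"}'

if __name__ == "__main__":
    # Offline run: stand in for the network with the 6.5.2 "after" body from the issue.
    verdict = check_endpoint("http://openam.internal.example.com:8080", "myOAuth2Client",
                             "oauth2client", "demo", "wrongpassword", True,
                             send=lambda req: SAMPLE_652_AFTER)
    print("AM 6.5.2, setting enabled:", verdict)
    print("AM 6.5.0.2, setting enabled:", classify_error(SAMPLE_6502_AFTER, True))
    print("lockout text, setting disabled:", classify_error(SAMPLE_LOCKED, False))
```

Leaving out the `send` argument runs the check against a real deployment with the same parameters as the curl command. The `module-message-leak` verdict is there because the setting is a deliberate trade-off: module messages such as "Your account has been locked." tell the OAuth2 client about account state, so a deployment that keeps the setting off should never see them in the grant response.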
      People

      Assignee: Adam Heath (adam.heath)
      Reporter: Sam Phua (sam.phua)
      Votes: 0
      Watchers: 5