OpenAM / OPENAM-16260

Returned session info does not contain correct properties

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: None
    • Environment:
      OS : Linux
      AM container : Tomcat 9.0.17
      jdk : openjdk 11.0.7
      OpenAM: 7.0.0-SNAPSHOT 7a9b0ccf159
      IGStandalone: 7.0.0-SNAPSHOT a5e834843fa

      Description

      Regression on AM-7.0.0-SNAPSHOT
      Git SHA: OpenAM 7.0.0-SNAPSHOT 1578692e746 : WORKING OK
      Git SHA: OpenAM 7.0.0-SNAPSHOT 7a9b0ccf159 : DOES NOT WORK PROPERLY (object of this issue)


      Given AM is configured:

      • on a custom realm
      • with an Identity Gateway agent
      • with 2 authentication chains requiring authentication levels
      • with a policy with 2 conditions (combined with an AND)

      When requesting the session info of an authenticated user who fulfills the required levels (so that the policy should allow them to access the resource), the following payload is returned:


      With AM: 7.0.0-SNAPSHOT 7a9b0ccf159 (DOES NOT WORK PROPERLY) - file attached

      {
        "latestAccessTime": "2020-05-20T12:33:12Z",
        "maxIdleExpirationTime": "2020-05-20T13:03:12Z",
        "maxSessionExpirationTime": "2020-05-20T14:33:11Z",
        "properties": {
          "AMCtxId": "b6655be4-a1a5-452c-a263-cc5c47dddc87-5067",
          "AuthLevel": "0",
          "AuthType": "DataStore",
          "CharSet": "UTF-8",
          "FullLoginURL": "/openam/UI/Login?realm=%2Ffilters_realm",
          "Host": "127.0.0.1",
          "HostName": "127.0.0.1",
          "Locale": "en_US",
          "Organization": "o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org",
          "Principal": "id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org",
          "Principals": "demo",
          "Service": "ldapService",
          "UserId": "demo",
          "UserProfile": "Required",
          "UserToken": "demo",
          "amlbcookie": "01",
          "authInstant": "2020-05-20T12:33:11Z",
          "clientType": "genericHTML",
          "loginURL": "/openam/UI/Login",
          "successURL": "/openam/console",
          "sun.am.UniversalIdentifier": "id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org"
        },
        "realm": "/filters_realm",
        "universalId": "id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org",
        "username": "demo"
      }
      

      With AM: 7.0.0-SNAPSHOT 1578692e746 (WORKING OK) - file attached

      {
        "latestAccessTime": "2020-05-20T12:52:50Z",
        "maxIdleExpirationTime": "2020-05-20T13:22:50Z",
        "maxSessionExpirationTime": "2020-05-20T14:52:49Z",
        "properties": {
          "AMCtxId": "7d979b40-08a6-4694-b452-5ba024e6be97-5302",
          "AuthLevel": "3",
          "AuthType": "/filters_realm:VerificationCodeLevel_3|/filters_realm:VerificationCodeLevel_1|DataStore",
          "CharSet": "UTF-8",
          "FullLoginURL": "/openam/UI/Login?authIndexType=composite_advice&realm=%2Ffilters_realm&authIndexValue=%3CAdvices%3E%3CAttributeValuePair%3E%3CAttribute+name%3D%22AuthenticateToServiceConditionAdvice%22%2F%3E%3CValue%3E%2Ffilters_realm%3AVerificationCodeLevel_3%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E&sunamcompositeadvice=%3CAdvices%3E%3CAttributeValuePair%3E%3CAttribute+name%3D%22AuthenticateToServiceConditionAdvice%22%2F%3E%3CValue%3E%2Ffilters_realm%3AVerificationCodeLevel_3%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E&goto=http%3A%2F%2Fopenig.example.com%3A8083%2Fhome%2Fpef_authentication_multiple_conditions",
          "Host": "127.0.0.1",
          "HostName": "127.0.0.1",
          "IndexType": "service",
          "Locale": "en_US",
          "Organization": "o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org",
          "Principal": "id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org",
          "Principals": "demo",
          "Service": "/filters_realm:VerificationCodeLevel_3|ldapService",
          "UserId": "demo",
          "UserProfile": "Required",
          "UserToken": "demo",
          "amlbcookie": "01",
          "authInstant": "2020-05-20T12:52:50Z",
          "authSelectionChoiceNames": "{\"VerificationCodeLevel_1\":\"VerificationCodeLevel_1\",\"VerificationCodeLevel_3\":\"VerificationCodeLevel_3\"}",
          "authSelectionChoices": "[\"VerificationCodeLevel_1\",\"VerificationCodeLevel_3\"]",
          "clientType": "genericHTML",
          "loginURL": "/openam/UI/Login",
          "moduleAuthTime": "VerificationCodeLevel_1+2020-05-20T12:52:50Z|DataStore+2020-05-20T12:52:50Z|VerificationCodeLevel_3+2020-05-20T12:52:50Z",
          "successURL": "/openam/console",
          "sun.am.UniversalIdentifier": "id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org"
        },
        "realm": "/filters_realm",
        "universalId": "id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org",
        "username": "demo"
      }
      


      Current behaviour: the user in this scenario cannot access the resource.
      Expected behaviour: because the user holds the required authentication levels, they should be able to access the resource.
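The following Python script is an added check, not part of this issue or of the OpenAM/IG code. It replays the policy decision over abridged copies of the two getSessionInfo payloads quoted above and lists which session properties the regressed build dropped. The two AND-ed conditions it evaluates (minimum AuthLevel 3 and authentication to the /filters_realm:VerificationCodeLevel_3 service) are an assumption inferred from the AuthenticateToServiceConditionAdvice in the working payload's FullLoginURL; the function and variable names are hypothetical.

```python
import json

# Constructed samples: abridged copies of the two getSessionInfo responses quoted in
# this issue, keeping only the fields the assumed policy conditions look at.
BROKEN_SESSION_JSON = """{
  "username": "demo", "realm": "/filters_realm",
  "properties": {"AuthLevel": "0", "AuthType": "DataStore", "Service": "ldapService",
                 "UserId": "demo"}
}"""

WORKING_SESSION_JSON = """{
  "username": "demo", "realm": "/filters_realm",
  "properties": {"AuthLevel": "3",
                 "AuthType": "/filters_realm:VerificationCodeLevel_3|/filters_realm:VerificationCodeLevel_1|DataStore",
                 "Service": "/filters_realm:VerificationCodeLevel_3|ldapService",
                 "IndexType": "service",
                 "moduleAuthTime": "VerificationCodeLevel_1+2020-05-20T12:52:50Z|DataStore+2020-05-20T12:52:50Z|VerificationCodeLevel_3+2020-05-20T12:52:50Z",
                 "UserId": "demo"}
}"""

# Hypothetical policy: AuthLevel >= 3 AND authenticated to this service (inferred from the
# advice in the working payload; the real policy definition is not on the issue page).
REQUIRED_LEVEL = 3
REQUIRED_SERVICE = "/filters_realm:VerificationCodeLevel_3"


def load_samples():
    """Parse the two constructed payloads; returns (working, broken)."""
    return json.loads(WORKING_SESSION_JSON), json.loads(BROKEN_SESSION_JSON)


def auth_level(session: dict) -> int:
    """Authentication level recorded in the session; a missing or malformed value counts as 0."""
    try:
        return int(session.get("properties", {}).get("AuthLevel", "0"))
    except ValueError:
        return 0


def authenticated_services(session: dict) -> set:
    """Services (chains) the session authenticated to, from the '|'-separated Service property."""
    raw = session.get("properties", {}).get("Service", "")
    return {s for s in raw.split("|") if s}


def evaluate_policy(session: dict, min_level: int, required_service: str) -> dict:
    """Stand-in for the two AND-ed policy conditions. Returns the decision and, on a
    denial, the reasons a policy agent would surface as advice."""
    reasons = []
    level = auth_level(session)
    if level < min_level:
        reasons.append(f"AuthLevel {level} < required {min_level}")
    if required_service not in authenticated_services(session):
        reasons.append(f"session not authenticated to service {required_service}")
    return {"allow": not reasons, "reasons": reasons}


def missing_properties(reference: dict, candidate: dict) -> set:
    """Property names present in the reference session info but absent from the candidate."""
    return set(reference["properties"]) - set(candidate["properties"])


if __name__ == "__main__":
    working, broken = load_samples()
    print("working build: ", evaluate_policy(working, REQUIRED_LEVEL, REQUIRED_SERVICE))
    print("regressed build:", evaluate_policy(broken, REQUIRED_LEVEL, REQUIRED_SERVICE))
    print("properties dropped by regressed build:", sorted(missing_properties(working, broken)))
```

Run against the abridged payloads, the working build's session passes both conditions while the regressed build's session fails both (AuthLevel reported as 0 and the Service property reduced to ldapService), which matches the denial described above. The missing-property diff is the check to keep in a regression suite: it catches the dropped session properties before a policy evaluation depends on them.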


      Some more info:

      IG <-> AM exchanges with AM: 7.0.0-SNAPSHOT 7a9b0ccf159 (DOES NOT WORK PROPERLY) - file attached

      --- (request) id:4b0956ed-0176-40a0-8fe0-b04b1eb70f47-46 --->
      
      POST http://openam.example.com:8084/openam/json/realms/root/sessions?_action=getSessionInfo HTTP/1.1
      Accept-API-Version: protocol=2.1,resource=4.0
      Content-Length: 124
      Content-Type: application/json; charset=UTF-8
      filters_cookie: VpqIf5FcqWD79-3yOU1lKmRDNlQ.*AAJTSQACMDEAAlNLABx5dExuZzd1dENGdU1XYmcxNXVqUTVoOUk1am89AAR0eXBlAANDVFMAAlMxAAA.*
      
      {"tokenId":"5evvaBmEI5qKpOuDKYa-uihiF0Q.*AAJTSQACMDEAAlNLABxoYmt6VTNOOWR5MmlwMzJVUnF0eW1SSGJtT2s9AAR0eXBlAANDVFMAAlMxAAA.*"}
      Context's content as JSON:
      attributes:
      
      
      2020-05-20T12:33:12,061Z | INFO  | vert.x-eventloop-thread-29 | o.f.o.d.c.C.M.{Delegate}/heap/0/config/amHandler | @pef_authentication |
      
      <--- (response) id:4b0956ed-0176-40a0-8fe0-b04b1eb70f47-46 ---
      
      HTTP/1.1 200 OK
      Cache-Control: private
      Cache-Control: no-cache, no-store, must-revalidate
      Content-API-Version: resource=4.0
      Content-Length: 1030
      Content-Type: application/json; charset=UTF-8
      Date: Wed, 20 May 2020 12:33:12 GMT
      Expires: 0
      Pragma: no-cache
      X-Content-Type-Options: nosniff
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      
      {"username":"demo","universalId":"id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org","realm":"/filters_realm","latestAccessTime":"2020-05-20T12:33:12Z","maxIdleExpirationTime":"2020-05-20T13:03:12Z","maxSessionExpirationTime":"2020-05-20T14:33:11Z","properties":{"Locale":"en_US","authInstant":"2020-05-20T12:33:11Z","Organization":"o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org","UserProfile":"Required","Principals":"demo","successURL":"/openam/console","CharSet":"UTF-8","Service":"ldapService","Host":"127.0.0.1","FullLoginURL":"/openam/UI/Login?realm=%2Ffilters_realm","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"b6655be4-a1a5-452c-a263-cc5c47dddc87-5067","loginURL":"/openam/UI/Login","UserId":"demo","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org","HostName":"127.0.0.1","amlbcookie":"01","Principal":"id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org","UserToken":"demo"}}
      Context's content :
      attributes:
      

      IG <-> AM exchanges with AM: 7.0.0-SNAPSHOT 1578692e746 (WORKING OK) - file attached

      --- (request) id:ebed06d5-d254-4e71-be0e-689a5611f61c-46 --->
      
      POST http://openam.example.com:8084/openam/json/realms/root/sessions?_action=getSessionInfo HTTP/1.1
      Accept-API-Version: protocol=2.1,resource=4.0
      Content-Length: 124
      Content-Type: application/json; charset=UTF-8
      filters_cookie: LUOpZV7rmJWGv_Vaew0w7_aUbMs.*AAJTSQACMDEAAlNLABxCcTFlTHk5Q3VTdGNBbkF1OFR4eHBZNG4wWEk9AAR0eXBlAANDVFMAAlMxAAA.*
      
      {"tokenId":"nHev0quIewG4X6Aws4YnOF3Pdn0.*AAJTSQACMDEAAlNLABwvRlJ4eGcvNDY0YjJaa2t0cHIvY2hvYzhUQXM9AAR0eXBlAANDVFMAAlMxAAA.*"}
      Context's content as JSON:
      attributes:
      
      
      2020-05-20T12:52:51,001Z | INFO  | vert.x-eventloop-thread-29 | o.f.o.d.c.C.M.{Delegate}/heap/0/config/amHandler | @pef_authentication |
      
      <--- (response) id:ebed06d5-d254-4e71-be0e-689a5611f61c-46 ---
      
      HTTP/1.1 200 OK
      Cache-Control: private
      Cache-Control: no-cache, no-store, must-revalidate
      Content-API-Version: resource=4.0
      Content-Length: 2126
      Content-Type: application/json; charset=UTF-8
      Date: Wed, 20 May 2020 12:52:50 GMT
      Expires: 0
      Pragma: no-cache
      X-Content-Type-Options: nosniff
      X-Content-Type-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      
      {"username":"demo","universalId":"id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org","realm":"/filters_realm","latestAccessTime":"2020-05-20T12:52:50Z","maxIdleExpirationTime":"2020-05-20T13:22:50Z","maxSessionExpirationTime":"2020-05-20T14:52:49Z","properties":{"Locale":"en_US","authInstant":"2020-05-20T12:52:50Z","Organization":"o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org","UserProfile":"Required","Principals":"demo","authSelectionChoiceNames":"{\"VerificationCodeLevel_1\":\"VerificationCodeLevel_1\",\"VerificationCodeLevel_3\":\"VerificationCodeLevel_3\"}","CharSet":"UTF-8","FullLoginURL":"/openam/UI/Login?authIndexType=composite_advice&realm=%2Ffilters_realm&authIndexValue=%3CAdvices%3E%3CAttributeValuePair%3E%3CAttribute+name%3D%22AuthenticateToServiceConditionAdvice%22%2F%3E%3CValue%3E%2Ffilters_realm%3AVerificationCodeLevel_3%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E&sunamcompositeadvice=%3CAdvices%3E%3CAttributeValuePair%3E%3CAttribute+name%3D%22AuthenticateToServiceConditionAdvice%22%2F%3E%3CValue%3E%2Ffilters_realm%3AVerificationCodeLevel_3%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E&goto=http%3A%2F%2Fopenig.example.com%3A8083%2Fhome%2Fpef_authentication_multiple_conditions","clientType":"genericHTML","loginURL":"/openam/UI/Login","AMCtxId":"7d979b40-08a6-4694-b452-5ba024e6be97-5302","AuthType":"/filters_realm:VerificationCodeLevel_3|/filters_realm:VerificationCodeLevel_1|DataStore","IndexType":"service","authSelectionChoices":"[\"VerificationCodeLevel_1\",\"VerificationCodeLevel_3\"]","amlbcookie":"01","HostName":"127.0.0.1","UserToken":"demo","successURL":"/openam/console","Service":"/filters_realm:VerificationCodeLevel_3|ldapService","Host":"127.0.0.1","AuthLevel":"3","UserId":"demo","moduleAuthTime":"VerificationCodeLevel_1+2020-05-20T12:52:50Z|DataStore+2020-05-20T12:52:50Z|VerificationCodeLevel_3+2020-05-20T12:52:50Z","sun.am.UniversalIdentifier":"id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org","Principal":"id=demo,ou=user,o=filters_realm,ou=services,dc=openam,dc=forgerock,dc=org"}}
      Context's content :
      attributes:
      
      


      Steps to reproduce using PyForge QA info:

      • git pull PyForge
      • ./cleanup.py -f
      • ./configure.py
      • in config.cfg, update the IG section with WEBCONTAINER_TYPE=standalone
      • launch the following commands (on Linux/Mac) in the PyForge root directory:
        export PYFORGE_ROOT_DIR=`pwd`; source PyBot/OpenIG/tools/.qa_tools; ppth
      • launch the tests with the following alias:
        rig -s Filters.PolicyEnforcementFilter.ProtectApplication.Advices.SSO.Multiple.AuthenticationMultipleConditions -t When_User_Authenticates_Matching_All_Policy_Condition_Then_Accessing_Resource_Should_Succeed -n
        Servers are then available for checks (NB: the test may have been modified to expect the current error)
      • ./cleanup.py -f

      People

      • Assignee: Ravi Geda (ravi.geda)
      • Reporter: Jean-Charles Deville (jcdevil)