OpenAM / OPENAM-16519

access_token call in OIDC flow causes a search against the Identity Store when Account Lockout is turned on and set to Store Invalid Attempts in Data Store


    Details

    • AM Sustaining Sprint 77

      Description

      Bug description

      When Account Lockout is turned on and set to Store Invalid Attempts in Data Store, the OIDC agent's user profile is searched for in the Identity Store (Data Store).

      How to reproduce the issue

      1. Use the Dashboard to create an OAuth2 Provider for the OIDC service (AM --> Realm --> Dashboard --> Create OAuth2 Provider --> Configure OpenID Connect).
      2. Create an OIDC Agent (AM --> Realm --> Application --> OAuth2 --> Add Client): client name openidm, password: cangetin, Scope: openid profile, Default Scope: openid, Redirection URIs: the AM Tomcat URL withOUT /openam, such as http://am.internal.forgerock.com:8080
      3. Turn on Account Lockout: AM --> Realm --> Authentication --> Settings --> Account Lockout --> select Login Failure Lockout Mode and Store Invalid Attempts in Data Store, then save.
      4. Ensure that Profiles are set to Required.
      5. tail the Authentication and IdRepo debug logs.
      6. Make this curl call; it does not matter whether the code is valid or not, it will fire off a search against the IdRepo: curl --location --request POST 'http://am.internal.forgerock.com:8080/openam/oauth2/realms/root/realms/prod/access_token' --header 'Authorization: Basic b3BlbmlkbTpjYW5nZXRpbg==' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=authorization_code' --data-urlencode 'code=h2BB98brthicR5jJAVq8vvVBR88' --data-urlencode 'redirect_uri=http://am.internal.forgerock.com:8080'
      7. You will see IdType: user for the openidm agent profile search.

       

      What is seen in the logs is that, even though it knows it is an Application:

      amAuthConfig:07/22/2020 01:11:34:648 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      moduleName : Application
      

       

      it identifies the Agent user as IdType: user rather than agent:

      amAuth:07/22/2020 01:11:34:649 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      SUCCESS Login url : /openam/console
      amAuth:07/22/2020 01:11:34:649 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      getUserDN: id=openidm,ou=agent,o=prod,ou=services,dc=openam,dc=forgerock,dc=org
      amAuth:07/22/2020 01:11:34:649 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      Removing authentication session with sessionID Pjqb-WNpA0LGdGP6a7BBQA6qpVY.*AAJTSQACMDEAAlNLABxsemx5SCtJTnhvbkdydHVZU3BTZjlPVG93cGc9AAR0eXBlAAlJTl9NRU1PUlkAAlMxAAA.*
      amAuth:07/22/2020 01:11:34:650 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      getUserDN: id=openidm,ou=agent,o=prod,ou=services,dc=openam,dc=forgerock,dc=org
      amAuth:07/22/2020 01:11:34:650 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      getUserDN: id=openidm,ou=agent,o=prod,ou=services,dc=openam,dc=forgerock,dc=org
      amAuth:07/22/2020 01:11:34:650 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      getUserUniversalId:universalId : id=openidm,ou=agent,o=prod,ou=services,dc=openam,dc=forgerock,dc=org
      amAuth:07/22/2020 01:11:34:651 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      IdType is :IdType: user
      

      we do see it looking against the Config DJ for the agent profile as we would expect:

      ==> IdRepo <==
      amIdm:07/22/2020 01:11:34:644 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      IdRepoPluginsCache.getIdRepoPlugins for OrgName: o=prod,ou=services,dc=openam,dc=forgerock,dc=org Op: Operation: service Type: IdType: realm
      DJLDAPv3Repo:07/22/2020 01:11:34:644 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      getAssignedServices invoked
      DJLDAPv3Repo:07/22/2020 01:11:34:644 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      Assigned services returned: []
      DJLDAPv3Repo:07/22/2020 01:11:34:644 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      getAssignedServices invoked
      DJLDAPv3Repo:07/22/2020 01:11:34:644 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      Assigned services returned: []
      amIdm:07/22/2020 01:11:34:645 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      IdRepoPluginsCache.getIdRepoPlugins for OrgName: o=prod,ou=services,dc=openam,dc=forgerock,dc=org Op: Operation: read Type: IdType: agent
      amAgentsRepo:07/22/2020 01:11:34:645 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      AgentsRepo.getAttributes() called: IdType: agent: openidm
      amAgentsRepo:07/22/2020 01:11:34:645 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      AgentsRepo.getOrgConfig() called.
      amAgentsRepo:07/22/2020 01:11:34:645 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      AgentsRepo.getAgentAttrs() called: svcConfig=AgentService; agentName=openidm; type=IdType: agent
      amIdm:07/22/2020 01:11:34:651 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      IdRepoPluginsCache.getIdRepoPlugins for OrgName: o=prod,ou=services,dc=openam,dc=forgerock,dc=org Op: Operation: read Type: IdType: agent
      amAgentsRepo:07/22/2020 01:11:34:651 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      AgentsRepo.isExists() called: IdType: agent: openidm
      amAgentsRepo:07/22/2020 01:11:34:651 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      AgentsRepo.getAttributes() called: IdType: agent: openidm
      amAgentsRepo:07/22/2020 01:11:34:651 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      AgentsRepo.getOrgConfig() called.
      amAgentsRepo:07/22/2020 01:11:34:651 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      AgentsRepo.getAgentAttrs() called: svcConfig=AgentService; agentName=openidm; type=IdType: agent
      amIdm:07/22/2020 01:11:34:652 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      IdRepoPluginsCache.getIdRepoPlugins for OrgName: o=prod,ou=services,dc=openam,dc=forgerock,dc=org Op: Operation: read Type: IdType: user
      DJLDAPv3Repo:07/22/2020 01:11:34:652 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      search invoked with type: IdType: user crestQuery: CrestQuery{queryId='openidm', queryFilter=null, fields=null} avPairs: null maxTime: 0 maxResults: 0 returnAttrs: null returnAllAttrs: false filterOp: 0 recursive: true
      

      The above shows IdType: agent as we would expect, and the suffixes are against the Config DJ (dc=openam,dc=forgerock,dc=org),

      but then it continues on to search against the Identity Store:

      ==> IdRepo <==
      amIdm:07/22/2020 01:11:34:670 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      IdUtils.getIdentity: searching user identity with alternative attributes [uid, description]
      amIdm:07/22/2020 01:11:34:670 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      IdRepoPluginsCache.getIdRepoPlugins for OrgName: o=prod,ou=services,dc=openam,dc=forgerock,dc=org Op: Operation: read Type: IdType: user
      DJLDAPv3Repo:07/22/2020 01:11:34:670 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      search invoked with type: IdType: user crestQuery: CrestQuery{queryId='*', queryFilter=null, fields=null} avPairs: {uid=[openidm], description=[openidm]} maxTime: 0 maxResults: 0 returnAttrs: null returnAllAttrs: true filterOp: 0 recursive: false
      DJLDAPv3Repo:07/22/2020 01:11:34:670 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      constructFilter returned filter: (|(uid=openidm)(description=openidm))
      DJLDAPv3Repo:07/22/2020 01:11:34:673 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      search invoked with type: IdType: user crestQuery: CrestQuery{queryId='*', queryFilter=null, fields=null} avPairs: {uid=[openidm], description=[openidm]} maxTime: 0 maxResults: 0 returnAttrs: null returnAllAttrs: true filterOp: 0 recursive: false
      DJLDAPv3Repo:07/22/2020 01:11:34:673 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      constructFilter returned filter: (|(uid=openidm)(description=openidm))
      

      and we can look at the Identity Store logs to confirm it.

      This is my Identity Store; it is separate from my Config DJ and should not be getting any searches for the openidm user:

      {"eventName":"DJ-LDAP","client":{"ip":"172.24.11.21","port":46016},"server":{"ip":"172.24.11.21","port":1389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":53,"msgId":1014,"dn":"ou=people,dc=example,dc=com","scope":"sub","filter":"(&(uid=openidm)(objectclass=inetorgperson))","attrs":["uid"]},"transactionId":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145392","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":0},"timestamp":"2020-07-22T00:32:22.256Z","_id":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145394"}
      {"eventName":"DJ-LDAP","client":{"ip":"172.24.11.21","port":46058},"server":{"ip":"172.24.11.21","port":1389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":56,"msgId":204,"dn":"ou=people,dc=example,dc=com","scope":"sub","filter":"(&(uid=openidm)(objectclass=inetorgperson))","attrs":["uid"]},"transactionId":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145395","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":0},"timestamp":"2020-07-22T00:32:22.258Z","_id":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145397"}
      {"eventName":"DJ-LDAP","client":{"ip":"172.24.11.21","port":46016},"server":{"ip":"172.24.11.21","port":1389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":53,"msgId":1015,"dn":"ou=people,dc=example,dc=com","scope":"sub","filter":"(&(|(uid=openidm)(description=openidm))(&(uid=*)(objectclass=inetorgperson)))","attrs":["sunIdentityServerPPAddressCard","iplanet-am-user-admin-start-dn","sunIdentityServerPPFacadeNamePronounced","sunIdentityServerPPEncryPTKey","push2faEnabled","createTimestamp","iplanet-am-user-federation-info-key","uid","iplanet-am-user-auth-config","sunIdentityServerPPLegalIdentityDOB","sunIdentityServerPPInformalName","sunIdentityServerPPDemographicsTimeZone","iplanet-am-session-max-idle-time","oathDeviceProfiles","sunIdentityServerPPDemographicsLanguage","userCertificate","sunIdentityServerPPLegalIdentityAltIdType","sunIdentityServerPPCommonNameSN","kbaInfo","sunIdentityServerPPFacadegreetmesound","iplanet-am-auth-configuration","iplanet-am-user-account-life","kbaActiveIndex","iplanet-am-session-service-status","sun-fm-saml2-nameid-infokey","iplanet-am-session-max-session-time","sun-fm-saml2-nameid-info","kbaInfoAttempts","sunIdentityServerDiscoEntries","preferredtimezone","sunIdentityServerPPEmploymentIdentityAltO","memberOf","userPassword","pushDeviceProfiles","assignedDashboard","inetUserHttpURL","sunIdentityServerPPCommonNameFN","preferredlanguage","oath2faEnabled","iplanet-am-user-password-reset-options","iplanet-am-session-max-caching-time","dn","webauthnDeviceProfiles","mail","objectClass","sunIdentityServerPPEmploymentIdentityOrg","sunIdentityServerPPFacadeMugShot","sunIdentityServerPPDemographicsDisplayLanguage","modifyTimestamp","sunIdentityServerPPFacadeWebSite","iplanet-am-session-destroy-sessions","sunIdentityServerPPCommonNamePT","inetUserStatus","sunIdentityServerPPLegalIdentityVATIdValue","authorityRevocationList","iplanet-am-session-quota-limit","caCertificate","iplanet-am-user-auth-modules","sn","sunIdentityServerPPCommonNameMN","telephoneNumber","sunIdentityServerPPCommonNameAltCN","sunIdentityServerPPDemographicsBirthDay","manager","sunIdentityServerPPLegalIdentityLegalName","iplanet-am-user-password-reset-force-reset","cn","sunIdentityServerPPFacadeGreetSound","sunIdentityServerPPEmergencyContact","sunIdentityServerPPLegalIdentityMaritalStatus","adminRole","sunAMAuthInvalidAttemptsData","sunIdentityServerPPLegalIdentityGender","sunIdentityServerPPLegalIdentityVATIdType","givenName","iplanet-am-user-success-url","sunIdentityServerPPMsgContact","sunIdentityServerPPSignKey","iplanet-am-session-get-valid-sessions","postalAddress","sunIdentityServerPPEmploymentIdentityJobTitle","devicePrintProfiles","sunIdentityServerPPCommonNameCN","sunIdentityServerPPLegalIdentityAltIdValue","preferredLocale","iplanet-am-user-federation-info","employeeNumber","sunIdentityMSISDNNumber","iplanet-am-user-failure-url","sunIdentityServerPPDemographicsAge","distinguishedName","iplanet-am-user-alias-list","iplanet-am-user-password-reset-question-answer","iplanet-am-user-login-status"]},"transactionId":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145398","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":0},"timestamp":"2020-07-22T00:32:22.261Z","_id":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145400"}
      {"eventName":"DJ-LDAP","client":{"ip":"172.24.11.21","port":46058},"server":{"ip":"172.24.11.21","port":1389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":56,"msgId":205,"dn":"ou=people,dc=example,dc=com","scope":"sub","filter":"(&(|(uid=openidm)(description=openidm))(&(uid=*)(objectclass=inetorgperson)))","attrs":["sunIdentityServerPPAddressCard","iplanet-am-user-admin-start-dn","sunIdentityServerPPFacadeNamePronounced","sunIdentityServerPPEncryPTKey","push2faEnabled","createTimestamp","iplanet-am-user-federation-info-key","uid","iplanet-am-user-auth-config","sunIdentityServerPPLegalIdentityDOB","sunIdentityServerPPInformalName","sunIdentityServerPPDemographicsTimeZone","iplanet-am-session-max-idle-time","oathDeviceProfiles","sunIdentityServerPPDemographicsLanguage","userCertificate","sunIdentityServerPPLegalIdentityAltIdType","sunIdentityServerPPCommonNameSN","kbaInfo","sunIdentityServerPPFacadegreetmesound","iplanet-am-auth-configuration","iplanet-am-user-account-life","kbaActiveIndex","iplanet-am-session-service-status","sun-fm-saml2-nameid-infokey","iplanet-am-session-max-session-time","sun-fm-saml2-nameid-info","kbaInfoAttempts","sunIdentityServerDiscoEntries","preferredtimezone","sunIdentityServerPPEmploymentIdentityAltO","memberOf","userPassword","pushDeviceProfiles","assignedDashboard","inetUserHttpURL","sunIdentityServerPPCommonNameFN","preferredlanguage","oath2faEnabled","iplanet-am-user-password-reset-options","iplanet-am-session-max-caching-time","dn","webauthnDeviceProfiles","mail","objectClass","sunIdentityServerPPEmploymentIdentityOrg","sunIdentityServerPPFacadeMugShot","sunIdentityServerPPDemographicsDisplayLanguage","modifyTimestamp","sunIdentityServerPPFacadeWebSite","iplanet-am-session-destroy-sessions","sunIdentityServerPPCommonNamePT","inetUserStatus","sunIdentityServerPPLegalIdentityVATIdValue","authorityRevocationList","iplanet-am-session-quota-limit","caCertificate","iplanet-am-user-auth-modules","sn","sunIdentityServerPPCommonNameMN","telephoneNumber","sunIdentityServerPPCommonNameAltCN","sunIdentityServerPPDemographicsBirthDay","manager","sunIdentityServerPPLegalIdentityLegalName","iplanet-am-user-password-reset-force-reset","cn","sunIdentityServerPPFacadeGreetSound","sunIdentityServerPPEmergencyContact","sunIdentityServerPPLegalIdentityMaritalStatus","adminRole","sunAMAuthInvalidAttemptsData","sunIdentityServerPPLegalIdentityGender","sunIdentityServerPPLegalIdentityVATIdType","givenName","iplanet-am-user-success-url","sunIdentityServerPPMsgContact","sunIdentityServerPPSignKey","iplanet-am-session-get-valid-sessions","postalAddress","sunIdentityServerPPEmploymentIdentityJobTitle","devicePrintProfiles","sunIdentityServerPPCommonNameCN","sunIdentityServerPPLegalIdentityAltIdValue","preferredLocale","iplanet-am-user-federation-info","employeeNumber","sunIdentityMSISDNNumber","iplanet-am-user-failure-url","sunIdentityServerPPDemographicsAge","distinguishedName","iplanet-am-user-alias-list","iplanet-am-user-password-reset-question-answer","iplanet-am-user-login-status"]},"transactionId":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145401","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":0},"timestamp":"2020-07-22T00:32:22.267Z","_id":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145403"}
      

      It then throws a stack trace saying that Account Lockout could not find the user's profile (it isn't in the Identity Store) and goes on to login success:

      amAuth:07/22/2020 01:11:34:681 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      amAuth:07/22/2020 01:11:34:681 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      Exception in resetPasswordLockout
      com.sun.identity.authentication.service.AuthException: User Requires Profile to Login|login_denied.jsp
          at com.sun.identity.authentication.service.AuthD.getIdentity(AuthD.java:1241)
          at com.sun.identity.authentication.service.AMAccountLockout.resetPasswdLockout(AMAccountLockout.java:156)
          at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:600)
          at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:588)
          at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1236)
          at com.sun.identity.authentication.AuthContext.submitRequirements(AuthContext.java:1222)
          at org.forgerock.oauth2.core.ClientAuthenticator.authenticate(ClientAuthenticator.java:209)
          at org.forgerock.oauth2.core.ClientAuthenticator.authenticate(ClientAuthenticator.java:147)
          at org.forgerock.oauth2.core.ClientAuthenticator.authenticate(ClientAuthenticator.java:102)
          at org.forgerock.oauth2.core.GrantTypeHandler.handle(GrantTypeHandler.java:73)
          at org.forgerock.oauth2.core.AccessTokenService.requestAccessToken(AccessTokenService.java:138)
          at org.forgerock.oauth2.restlet.TokenEndpointResource.token(TokenEndpointResource.java:78)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:498)
          at org.restlet.resource.ServerResource.doHandle(ServerResource.java:508)
          at org.restlet.resource.ServerResource.post(ServerResource.java:1341)
          at org.restlet.resource.ServerResource.doHandle(ServerResource.java:606)
          at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:662)
          at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
          at org.restlet.resource.ServerResource.handle(ServerResource.java:1020)
          at org.restlet.resource.Finder.handle(Finder.java:236)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Router.doHandle(Router.java:422)
          at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:69)
          at org.restlet.routing.Router.handle(Router.java:641)
          at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:279)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Router.doHandle(Router.java:422)
          at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:257)
          at org.restlet.routing.Router.handle(Router.java:641)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Router.doHandle(Router.java:422)
          at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:69)
          at org.restlet.routing.Router.handle(Router.java:641)
          at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter$Delegate.handle(RealmRoutingFactory.java:279)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Router.doHandle(Router.java:422)
          at org.forgerock.openam.rest.RealmRoutingFactory$RestletRealmRouter.doHandle(RealmRoutingFactory.java:257)
          at org.restlet.routing.Router.handle(Router.java:641)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Router.doHandle(Router.java:422)
          at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:94)
          at org.restlet.routing.Router.handle(Router.java:641)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:140)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
          at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:77)
          at org.restlet.Application.handle(Application.java:385)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Router.doHandle(Router.java:422)
          at org.restlet.routing.Router.handle(Router.java:641)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.routing.Router.doHandle(Router.java:422)
          at org.restlet.routing.Router.handle(Router.java:641)
          at org.restlet.routing.Filter.doHandle(Filter.java:150)
          at org.restlet.routing.Filter.handle(Filter.java:197)
          at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:202)
          at org.restlet.Component.handle(Component.java:408)
          at org.restlet.Server.handle(Server.java:507)
          at org.restlet.engine.connector.ServerHelper.handle(ServerHelper.java:63)
          at org.restlet.engine.adapter.HttpServerHelper.handle(HttpServerHelper.java:143)
          at org.restlet.ext.servlet.ServerServlet.service(ServerServlet.java:1117)
          at org.forgerock.openam.rest.RestEndpointServlet$RestletHandler.handle(RestEndpointServlet.java:183)
          at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
          at org.forgerock.openam.dpro.session.ProofOfPossessionTokenFilter.filter(ProofOfPossessionTokenFilter.java:87)
          at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
          at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:86)
          at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
          at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:264)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
          at org.forgerock.openam.rest.RestEndpointServlet$HttpServletWrapper.service(RestEndpointServlet.java:254)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
          at org.forgerock.openam.rest.RestEndpointServlet.service(RestEndpointServlet.java:132)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
          at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
          at org.forgerock.openam.headers.DisableSameSiteCookiesFilter.doFilter(DisableSameSiteCookiesFilter.java:105)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
          at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:59)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
          at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
          at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:115)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
          at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:46)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
          at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
          at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
          at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          at java.lang.Thread.run(Thread.java:748)
      amAuth:07/22/2020 01:11:34:682 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[57c55104-c594-464c-a2ba-fc8d2728db61-64582]
      login success
      

      These searches for the OIDC Agent's profile in the Identity Store should not be happening.

      Expected behaviour
      AM will not search the Identity Store for Agent profiles and will not check Account Lockout for an Agent identity.

      Current behaviour
      The Agent profile is searched for in the Identity Store and this triggers the account lockout check, which then fails because no profile is found.

      Workaround

      Turn off Store Invalid Attempts in Data Store and use AM's memory-based account lockout. This does not trigger searches for the OIDC agent's user.
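As an added example (not code from this report, OpenAM or DJ), a small script that scans an OpenDJ JSON access log for the symptom described above: SEARCH requests under the Identity Store base DN whose filter asserts the uid of an OAuth2 client. It assumes the base DN ou=people,dc=example,dc=com and the client ID openidm from this report; the first two sample lines are copied from the report (attribute list shortened) and the third is constructed.

```python
"""Detect OAuth2/OIDC client IDs being looked up as *users* in the Identity Store.

Added example, not OpenAM or DJ code.  Assumptions: DJ JSON access log with
eventName "DJ-LDAP" as quoted in the report; Identity Store base DN
ou=people,dc=example,dc=com; the set of client IDs is supplied by the caller.
"""
import json
import re
from typing import Iterable

# Base DN of the Identity Store (from the report).  Agent profiles live in the
# Config DJ under ou=agent,...,dc=openam,dc=forgerock,dc=org, not here.
IDENTITY_STORE_BASE = "ou=people,dc=example,dc=com"

# Every literal (uid=VALUE) assertion in an LDAP filter; (uid=*) is skipped.
_UID_ASSERTION = re.compile(r"\(uid=([^)*]+)\)")


def uids_in_filter(ldap_filter: str) -> set[str]:
    """Return the literal uid values asserted anywhere in an LDAP filter string."""
    return set(_UID_ASSERTION.findall(ldap_filter))


def is_client_lookup_in_user_store(event: dict, client_ids: set[str]) -> bool:
    """True if this DJ-LDAP event is a SEARCH under the Identity Store base DN
    whose filter asserts uid=<one of the OAuth2 client IDs>."""
    if event.get("eventName") != "DJ-LDAP":
        return False
    req = event.get("request", {})
    if req.get("operation") != "SEARCH":
        return False
    if req.get("dn", "").lower() != IDENTITY_STORE_BASE.lower():
        return False
    return bool(uids_in_filter(req.get("filter", "")) & client_ids)


def scan_access_log(lines: Iterable[str], client_ids: set[str]) -> list[dict]:
    """Parse a JSON-lines access log; return one summary dict per offending search."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines mixed into the log
        if is_client_lookup_in_user_store(event, client_ids):
            req = event["request"]
            hits.append({
                "timestamp": event.get("timestamp"),
                "transactionId": event.get("transactionId"),
                "connId": req.get("connId"),
                "filter": req.get("filter"),
                "nentries": event.get("response", {}).get("nentries"),
            })
    return hits


# Sample input: lines 1-2 copied from the report's Identity Store log (attrs
# shortened); line 3 is a constructed ordinary end-user lookup that must NOT match.
SAMPLE_LOG = """
{"eventName":"DJ-LDAP","client":{"ip":"172.24.11.21","port":46016},"server":{"ip":"172.24.11.21","port":1389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":53,"msgId":1014,"dn":"ou=people,dc=example,dc=com","scope":"sub","filter":"(&(uid=openidm)(objectclass=inetorgperson))","attrs":["uid"]},"transactionId":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145392","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":0},"timestamp":"2020-07-22T00:32:22.256Z","_id":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145394"}
{"eventName":"DJ-LDAP","client":{"ip":"172.24.11.21","port":46016},"server":{"ip":"172.24.11.21","port":1389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":53,"msgId":1015,"dn":"ou=people,dc=example,dc=com","scope":"sub","filter":"(&(|(uid=openidm)(description=openidm))(&(uid=*)(objectclass=inetorgperson)))","attrs":["uid","cn"]},"transactionId":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145398","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":0},"timestamp":"2020-07-22T00:32:22.261Z","_id":"894cfd9b-6818-4634-a03f-baf4e014b7b0-145400"}
{"eventName":"DJ-LDAP","client":{"ip":"172.24.11.21","port":46016},"server":{"ip":"172.24.11.21","port":1389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":53,"msgId":1016,"dn":"ou=people,dc=example,dc=com","scope":"sub","filter":"(&(uid=demo)(objectclass=inetorgperson))","attrs":["uid"]},"transactionId":"constructed-1","response":{"status":"SUCCESSFUL","statusCode":"0","nentries":1},"timestamp":"2020-07-22T00:32:23.000Z","_id":"constructed-1"}
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines(), {"openidm"}):
        print(hit)
```

Run it over the Identity Store access log before and after applying the workaround: with Store Invalid Attempts in Data Store turned off, the token-endpoint call should produce no hits.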

      Code analysis

      not done

            People

            chee-weng.chea C-Weng C
            david.bate David Bate