The AuthenticationApproachChecker checks that a provided SSOToken has been authenticated by one of a set of modules/nodes.
This does not handle session upgrade correctly and will fail as upgraded modules will be in realm qualified format (RQF) .
This means that on session upgrade a user will not be allowed to delete the Device.
How to reproduce the issue
- Set up an Oath Chain with DataStore and Oath module (oathchain)
- Login using standard LDAP module
- Do a sessionupgrade using ForceAuth calling the oath chain http://example.com:8080/openam/XUI/?service=oathchain&ForceAuth=true#login
- Navigate to device Dashboard and click the 3 dots. The option to delete the device has disappeared.
In Authentication logs you can see the transformation to RQL, this is used as the AuthType in the session
The getDataFromRealmQualifiedData check should be moduleName not the result of the manager.getAuthInstanceType