OpenAM
OPENAM-16838

AuthenticationApproachChecker does not handle session upgrade modules


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.2, 7.0.0, 6.5.3
    • Fix Version/s: 6.5.4, 7.1.0, 7.0.1
    • Component/s: authentication
    • Sprint: AM Sustaining Sprint 79, AM Sustaining Sprint 80
    • 3
    • No
    • No
    • No
    • Yes and I used the same an in the description

      Description

      Bug description

      The AuthenticationApproachChecker checks that a provided SSOToken has been authenticated by one of a configured set of modules/nodes.
      This does not handle session upgrade correctly and fails because, after an upgrade, the authenticating modules are recorded in realm-qualified format (RQF).

      This means that after a session upgrade the user is not allowed to delete the device.
      How to reproduce the issue

      1. Set up an OATH chain with the DataStore and OATH modules (oathchain)
      2. Log in using the standard LDAP module
      3. Do a session upgrade using ForceAuth, calling the OATH chain: http://example.com:8080/openam/XUI/?service=oathchain&ForceAuth=true#login
      4. Navigate to the device dashboard and click the three dots. The option to delete the device has disappeared.

      Expected behaviour
      Log in using 2FA and be able to see the option to delete the device.

      Current behaviour
      No option present to delete the device.

      Code analysis

      In the authentication logs you can see the transformation to RQF; this is what is used as the AuthType in the session:

      getRealmQualifiedList:list : DataStore|froath2
      amAuthUtils:09/23/2020 02:07:18:116 PM BST: Thread[http-nio-9080-exec-8,5,main]: TransactionId[1b08306d-f246-4866-9e8a-b883d1ffa767-391703]
      RealmQualifiedList is : /extranet:DataStore|/extranet:froath2

      The getDataFromRealmQualifiedData check should be applied to moduleName, not to the result of manager.getAuthInstanceType(moduleName):

      org.forgerock.openam.core.rest.devices.filters.AuthenticationApproachChecker#testAuthenticationModules

      // Current code: the realm qualifier is stripped from the module type
      // returned by manager.getAuthInstanceType(moduleName) rather than from the
      // module name, so the comparison does not match the realm-qualified
      // entries recorded after a session upgrade.
      for (String moduleName : moduleNames) {
          if (authMethods.contains(
                  AMAuthUtils.getDataFromRealmQualifiedData(manager.getAuthInstanceType(moduleName)))) {
              return true;
          }
      }
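      Added example (not OpenAM code, and not the fix that shipped): a small Python model of the realm-qualified AuthType handling this report describes. It reproduces the getRealmQualifiedList transformation shown in the log lines above, models getDataFromRealmQualifiedData as stripping a leading "realm:" prefix (an assumption about that utility's behaviour), and contrasts a verbatim comparison, which passes for a plain login but fails once a session upgrade has stored realm-qualified entries, with a realm-aware check that normalises each session entry to its bare instance name before comparing it with the configured module names. The /extranet realm and the DataStore and froath2 instance names are taken from the report; the function names and sample values are constructed for illustration.

```python
# Constructed model of realm-qualified AuthType handling (added example, not
# OpenAM code).  Function names are assumed for illustration; the rule that a
# realm-qualified entry is '<realm>:<instance name>' mirrors the report's log.
from typing import Iterable, Optional

SEPARATOR = "|"   # entries in the session AuthType are '|'-separated
REALM_SEP = ":"   # realm-qualified form is '<realm>:<module instance name>'


def realm_qualified_list(realm: str, module_list: str) -> str:
    """'DataStore|froath2' in realm '/extranet' -> '/extranet:DataStore|/extranet:froath2'.

    Models the getRealmQualifiedList transformation seen in the report's log.
    Entries that are already realm-qualified are left untouched."""
    out = []
    for entry in module_list.split(SEPARATOR):
        if not entry:
            continue
        out.append(entry if REALM_SEP in entry else f"{realm}{REALM_SEP}{entry}")
    return SEPARATOR.join(out)


def data_from_realm_qualified(value: str) -> str:
    """Strip a leading '<realm>:' prefix (assumed behaviour of
    AMAuthUtils.getDataFromRealmQualifiedData); unqualified input is returned as-is."""
    _, sep, data = value.partition(REALM_SEP)
    return data.strip() if sep else value.strip()


def realm_from_realm_qualified(value: str) -> Optional[str]:
    """Return the realm part of a realm-qualified entry, or None if unqualified."""
    realm, sep, _ = value.partition(REALM_SEP)
    return realm if sep else None


def session_auth_methods(auth_type: str) -> set:
    """Split the session AuthType string into the set of entries as stored."""
    return {e for e in auth_type.split(SEPARATOR) if e}


def authenticated_by_exact(auth_type: str, module_names: Iterable[str]) -> bool:
    """Compare the stored AuthType entries verbatim with the required instance names.

    This is the failure mode from the report: it passes for a plain login but
    fails once a session upgrade has stored realm-qualified entries."""
    methods = session_auth_methods(auth_type)
    return any(name in methods for name in module_names)


def authenticated_by(auth_type: str, module_names: Iterable[str]) -> bool:
    """Realm-aware check: normalise every AuthType entry (and the configured
    name) to its bare instance name before comparing."""
    methods = {data_from_realm_qualified(e) for e in session_auth_methods(auth_type)}
    return any(data_from_realm_qualified(name) in methods for name in module_names)


# Constructed sample values mirroring the report.
PLAIN_AUTHTYPE = "DataStore|froath2"                                # plain login
UPGRADED_AUTHTYPE = realm_qualified_list("/extranet", PLAIN_AUTHTYPE)  # after ForceAuth upgrade
REQUIRED_2FA_MODULES = ["froath2"]  # the OATH instance the device filter requires

if __name__ == "__main__":
    print("upgraded AuthType:", UPGRADED_AUTHTYPE)
    print("exact, plain   :", authenticated_by_exact(PLAIN_AUTHTYPE, REQUIRED_2FA_MODULES))
    print("exact, upgraded:", authenticated_by_exact(UPGRADED_AUTHTYPE, REQUIRED_2FA_MODULES))
    print("aware, upgraded:", authenticated_by(UPGRADED_AUTHTYPE, REQUIRED_2FA_MODULES))
```

      The realm-aware variant normalises the session side as well as the configured side, so the same check works whether the session was created by a plain login or rewritten by a session upgrade; it also tolerates a configured name that is itself realm-qualified.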

        People

        Assignee: Jonathan Thomas (jonthomas)
        Reporter: Jonathan Thomas (jonthomas)
        Votes: 0
        Watchers: 2