The default implementation of the AccountProvider interface, org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider, ignores user store lookup errors completely in its searchUser method implementation. This can lead to odd cases where a lookup error, for example an unindexed search (OPENAM-18070), does not terminate the processing, and users are asked to provision their accounts afresh, as if they had not been provisioned already. In turn this results in duplicate accounts in DS and plenty of annoyance for end users.
Note that as far as I can tell this default implementation isn't just used by the old social authentication modules, but also by some of the newer authentication nodes.
See reproduction steps of OPENAM-18070.
- Set up Google authentication by going through the good old JATO social auth wizard steps
- Ensure that accounts are dynamically provisioned by social authentication
- Attempt to log in with Google and provision the user.
- Attempt to log in a second time, but this time try to trigger an error during the lookup (for example by adding plenty of new entries that have the iplanet-am-user-alias-list attribute)
Expected result: A search lookup error won't force users to re-provision themselves.
Actual result: Users are asked to provision their account on each login.
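To make the failure mode concrete, here is an added, self-contained Java sketch (not OpenAM's code; the in-memory store, the searchUser method and the alias are constructed stand-ins) that runs the same two-login sequence twice: once with the lookup error swallowed, as reported, and once with it propagated so that the second login fails instead of provisioning a second account.

```java
import java.util.ArrayList;
import java.util.List;
// Constructed stand-in for a directory user store and a social login flow with
// dynamic provisioning; it is not OpenAM's DefaultAccountProvider or IdRepo code.
public class DuplicateProvisioningDemo {
    static final List<String> accounts = new ArrayList<>();
    static boolean failSearches = false;    // simulates a lookup error, e.g. an unindexed search
    static boolean propagateErrors = false; // false = reported behaviour, true = fixed behaviour

    static String searchStore(String alias) throws Exception {
        if (failSearches) throw new Exception("lookup failed (e.g. unindexed search)");
        return accounts.contains(alias) ? alias : null;
    }

    // The reported pattern: a store error is swallowed and becomes null, which the
    // caller cannot tell apart from "no account exists yet".
    static String searchUser(String alias) throws Exception {
        try {
            return searchStore(alias);
        } catch (Exception e) {
            if (propagateErrors) throw e;   // fixed: fail the login instead
            return null;                    // buggy: error looks like "not found"
        }
    }

    // Dynamic provisioning creates an account whenever the lookup returns null.
    static String login(String alias) throws Exception {
        if (searchUser(alias) == null) {
            accounts.add(alias);
            return "provisioned";
        }
        return "existing";
    }

    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            accounts.clear();
            failSearches = false;
            propagateErrors = fixed;
            try {
                login("alice@example.com");      // first login provisions the account
                failSearches = true;             // second login hits a lookup error
                String result = login("alice@example.com");
                System.out.println((fixed ? "fixed" : "buggy") + ": " + result + ", accounts=" + accounts.size());
            } catch (Exception e) {
                System.out.println("fixed: login failed, accounts=" + accounts.size());
            }
        }
    }
}
```

Compare the account count after the second login in the two runs: swallowing the error leaves two entries for the same alias, propagating it leaves one.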