OpenAM / OPENAM-18181

Incorrect error message "Your account has been locked" displayed when account is not locked


    Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 6.5.3
    • None
    • authentication
    • 6.5.3

      Description

      Bug description

      The incorrect error message "Your account has been locked" is displayed when the user account is not locked and the user tries to authenticate with an empty password via the following tree (see attachment).

      How to reproduce the issue

      1. Enable global account lockout settings.
      2. Try to log in with an incorrect password for the user; you will get the "Authentication Failed" error message.
      3. Disable global account lockout settings.
      4. Try to log in with an empty password (--header "X-OpenAM-Password;"); you get "Your account is locked out".
      Expected behaviour

      curl --location --request POST "http://openam653.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=MG-Test" --header "Content-Type: application/json" --header "X-OpenAM-Username: murrayq" --header "X-OpenAM-Password;" --header "Accept-API-Version: resource=2.0, protocol=1.0" |jq .
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   100  100   100    0     0   2706      0 --:--:-- --:--:-- --:--:--  2777
      {
        "code": 401,
        "reason": "Unauthorized",
        "message": "Authentication Failed",
        "detail": {
          "failureUrl": "Bad"
        }
      }

      Current behaviour

      # curl --location --request POST "http://openam653.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=MG-Test" --header "Content-Type: application/json" --header "X-OpenAM-Username: murrayq" --header "X-OpenAM-Password;" --header "Accept-API-Version: resource=2.0, protocol=1.0" |jq .
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   111  100   111    0     0   7527      0 --:--:-- --:--:-- --:--:--  7928
      {
        "code": 401,
        "reason": "Unauthorized",
        "message": "Your account has been locked.",
        "detail": {
          "failureUrl": "Locked"
        }
      }

      5. The user account is not locked out (and has never been locked physically or in-memory), because just seconds later I can log in with the correct password successfully:

      # curl --location --request POST "http://openam653.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=MG-Test" --header "Content-Type: application/json" --header "X-OpenAM-Username: murrayq" --header "X-OpenAM-Password: changeit" --header "Accept-API-Version: resource=2.0, protocol=1.0" |jq .
       % Total % Received % Xferd Average Speed  Time Time  Time Current
       Dload Upload  Total  Spent Left Speed
      100  167 100  167 0  0  9156 0 --:--:-- --:--:-- --:--:-- 9277
      {
       "tokenId": "GOlNlMVEcvAgh-EbOvBBJ5EfyvY.*AAJTSQACMDEAAlNLABxTclBFUWdOV2h5S09NSnAzN2U0RUcxSFhzaUk9AAR0eXBlAANDVFMAAlMxAAA.*",
       "successUrl": "/openam/console",
       "realm": "/"
      }

      6. Tried logging in with an incorrect password, and I get the correct error message "Authentication Failed":

      curl --location --request POST "http://openam653.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=MG-Test" --header "Content-Type: application/json" --header "X-OpenAM-Username: murrayq" --header "X-OpenAM-Password: wrongpassword" --header "Accept-API-Version: resource=2.0, protocol=1.0" |jq .
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100   100  100   100    0     0   2706      0 --:--:-- --:--:-- --:--:--  2777
      {
        "code": 401,
        "reason": "Unauthorized",
        "message": "Authentication Failed",
        "detail": {
          "failureUrl": "Bad"
        }
      }


      7. All newly created users will also display this error.

      Workaround

      Not sure if this is a workaround, but after removing the Zero Page Login Collector from the tree (and adding a username/password collector) I can see the correct message "Authentication Failed" displayed.
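      As an added regression check (not part of this report or of OpenAM), the following Python script sends the same zero-page-login headers the report's curl commands use and labels each JSON response by its failureUrl, so the empty-password case can be flagged when it is reported as a lockout while the correct password still logs in. The host, tree name and user are the report's placeholders, and the pure helpers can be exercised against the report's captured responses without a server.

```python
"""Regression check for OPENAM-18181 (added example, not OpenAM code): an empty
password must yield failureUrl "Bad", not the "Locked" lockout message."""
import json
import urllib.error
import urllib.request

# Placeholders taken from the report's curl commands, not a live host.
BASE_URL = "http://openam653.example.com:8080/openam"
TREE = "MG-Test"

def classify(status, body):
    """Label an /json/authenticate response: success, bad, locked or other."""
    if status == 200 and "tokenId" in body:
        return "success"
    failure_url = body.get("detail", {}).get("failureUrl")
    if failure_url == "Locked":
        return "locked"
    if failure_url == "Bad":
        return "bad"
    return "other"

def bug_present(empty_pw_outcome, correct_pw_outcome):
    """The report's symptom: empty password reported as a lockout while the
    correct password still logs in, so the account is clearly not locked."""
    return empty_pw_outcome == "locked" and correct_pw_outcome == "success"

def authenticate(username, password, base_url=BASE_URL, tree=TREE):
    """POST with the zero-page-login headers; password "" sends the header with
    an empty value, as the report's --header "X-OpenAM-Password;" does."""
    url = (f"{base_url}/json/realms/root/authenticate"
           f"?authIndexType=service&authIndexValue={tree}")
    headers = {
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=2.0, protocol=1.0",
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
    }
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 401 responses carry the JSON body
        return err.code, json.load(err)

def check_user(username, correct_password, **kw):
    """Run the report's two requests and say whether the wrong message shows."""
    empty = classify(*authenticate(username, "", **kw))
    good = classify(*authenticate(username, correct_password, **kw))
    return bug_present(empty, good)
```

      Only the empty and the correct password are sent, so the check itself never counts a failed attempt against the user's lockout threshold.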


      People

      Assignee: Unassigned
      Reporter: Olga Romero (olga.romero)