
Fix to OPENAM-16522 (tracking universalId in TreeContext) breaks important use cases


Details

    • Type: Bug
    • Status: In Progress
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: 7.1.0
    • Fix Version/s: None
    • Components: authentication, trees

    Description

      Bug description

      OPENAM-16522 addressed a number of important issues, but its implementation also broke a number of important use cases that the field is often asked to implement or demonstrate.

      It used to be that nodes identified the main subject of their activity by resolving the identity from the value of sharedState.get("username"). This allowed a tree to operate on any number of identities during execution. For example, it was possible to first validate the identity of a helpdesk user (collect username and password, then a datastore decision to validate the credentials) and then change context to a different user, either by collecting another username (the use case here could be impersonation) or by manipulating shared state directly, and then request a second factor from the user to be impersonated (a popular demo request is a push to the impersonatee before allowing the impersonator to proceed).

      Nothing in the concept of using a universalId should affect those use cases, but the current implementation of the fix for OPENAM-16522 sets the universalId only ONCE and never updates it, so whichever username is collected first determines who the subject of the tree is.

      That is a big limitation and constrains the usefulness of trees for use cases other than straight authentication, such as:

      • Impersonation
      • Peer authentication
      • Any non-authentication flows that act on more than one subject
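To make the regression concrete, the following is an added, constructed Java model of the impersonation flow above; it is not OpenAM's TreeContext, AuthTreeExecutor or node code, and the class, method and identity-store values are illustrative. It contrasts resolving the universalId once with re-resolving it from the username currently in shared state; the security-relevant effect is which account a second-factor push is dispatched to.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Constructed model of the behaviour described in this issue; it is not OpenAM's
// TreeContext or AuthTreeExecutor code. All names and values are illustrative.
public class SubjectTrackingDemo {
    // Stand-in for the identity store: username -> universalId (constructed values).
    static final Map<String, String> IDENTITY_STORE = Map.of(
            "helpdesk1", "id=helpdesk1,ou=user,dc=example,dc=com",
            "alice", "id=alice,ou=user,dc=example,dc=com");

    // Minimal tree context: shared state plus the executor-tracked universalId.
    static final class Context {
        final Map<String, Object> sharedState = new HashMap<>();
        Optional<String> universalId = Optional.empty();
    }

    // Reported behaviour: the executor resolves universalId once and never updates it.
    static void resolveOnce(Context ctx) {
        if (ctx.universalId.isEmpty()) {
            ctx.universalId = Optional.ofNullable(
                    IDENTITY_STORE.get((String) ctx.sharedState.get("username")));
        }
    }

    // Behaviour the report asks for: follow the username currently in shared state.
    static void resolveCurrent(Context ctx) {
        ctx.universalId = Optional.ofNullable(
                IDENTITY_STORE.get((String) ctx.sharedState.get("username")));
    }

    // Impersonation flow from the report: the helpdesk user is validated, then the
    // tree switches the subject to the user who should receive the push.
    static String pushTarget(boolean trackChanges) {
        Context ctx = new Context();
        ctx.sharedState.put("username", "helpdesk1");   // collected from the helpdesk user
        if (trackChanges) resolveCurrent(ctx); else resolveOnce(ctx);   // datastore decision
        ctx.sharedState.put("username", "alice");       // subject switched to the impersonatee
        if (trackChanges) resolveCurrent(ctx); else resolveOnce(ctx);   // push node resolves subject
        return ctx.universalId.orElse("<unresolved>");
    }

    public static void main(String[] args) {
        System.out.println("set-once  : push goes to " + pushTarget(false));
        System.out.println("tracking  : push goes to " + pushTarget(true));
    }
}
```

With set-once resolution the push target remains the helpdesk user even after the username in shared state has changed; with tracking it follows the switched username.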

      How to reproduce the issue

      Expected behaviour
      The second user gets the push.

      Current behaviour
      Login failure; the push went to the first user.

      Work around

      None.

      Code analysis

      It appears that the issue was introduced by this commit:

      https://stash.forgerock.org/projects/OPENAM/repos/openam/commits/cdf2048bbab3eeaf715fb741ced87e85f30ed719#openam-auth-trees/auth-trees-engine/src/main/java/org/forgerock/openam/auth/trees/engine/AuthTreeExecutor.java


            People

              gabor.melkvi Gabor Melkvi
              volker.scheuber Volker Scheuber