OpenAM: OPENAM-8659

JSON REST authenticate endpoint doesn't check validity of sessionUpgradeSSOTokenId before returning authId

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 12.0.2, 13.0.0
    • Fix Version/s: 12.0.4, 13.5.0
    • Component/s: rest
    • Sprint: AM Sustaining Sprint 21, AM Sustaining Sprint 22

      Description

      1. retrieve authId from /authenticate endpoint

      $ curl --request POST --header "Content-Type: application/json" \
       https://openam.example.com:8443/openam/json/authenticate
      {
          "authId": "...jwt-value...",
           :
      }
      

      2. fill in JSON form and submit with authId

      $ curl --request POST --header "Content-Type: application/json" \
       --data '{ "authId": "...jwt-value...", "template": "", "stage": "DataStore1", "callbacks": [ { "type": "NameCallback", "output": [ { "name": "prompt", "value": " User Name: " } ], "input": [ { "name": "IDToken1", "value": "demo" } ] }, { "type": "PasswordCallback", "output": [ { "name": "prompt", "value": " Password: " } ], "input": [ { "name": "IDToken2", "value": "changeit" } ] } ] }' \
       https://openam.example.com:8443/openam/json/authenticate
      { "tokenId": "AQIC5wM2...U3MTE4NA..*", "successUrl": "/openam/console" }
      

      3. logout using token obtained in step 2

      $ curl --request POST --header "iplanetDirectoryPro: AQIC5wM2...U3MTE4NA..*" "https://openam.example.com:8443/openam/json/sessions/?_action=logout"
      {"result":"Successfully logged out"}
      

      4. use the same token to do session upgrade

      $ curl --request POST "https://openam.example.com:8443/openam/json/authenticate?sessionUpgradeSSOTokenId=AQIC5wM2...U3MTE4NA..*"
      {"code":400,"reason":"Bad Request","message":"Session Upgrade fails since user is different than original authenticated user"}
      

      It is not a user-friendly process flow: OpenAM asks for callbacks, validates the provided callbacks and then breaks, saying "Session Upgrade fails since user is different than original authenticated user", producing a number of collateral errors in the debug log when it tries to log information with the invalid token.

      Expected output

      An error telling you that the token is invalid. In addition, this check needs to be done earlier in the process, so we don't pollute the debug logs with unnecessary errors.

      Current output

      You get the error

      {"code":400,"reason":"Bad Request","message":"Session Upgrade fails since user is different than original authenticated user"}

      which is a consequence of not checking the token earlier. As a consequence, you get a few errors related to this that you should not have.
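The four steps above, plus the ordering fix the ticket asks for, modelled as an added example (Python; this is not OpenAM source). A toy in-memory stand-in for the authenticate and sessions endpoints reproduces the reported flow, where the upgrade token is only compared after the callbacks have been submitted, beside a variant that rejects a dead sessionUpgradeSSOTokenId before issuing any authId. The endpoint paths, the iplanetDirectoryPro header, `?_action=logout`, the `sessionUpgradeSSOTokenId` parameter and the 400 message are taken from the ticket; the user demo/changeit is constructed test data, and the 401 "Invalid sessionUpgradeSSOTokenId" response for the early check is an assumption about the fixed behaviour, not OpenAM's actual wording.

```python
# Added example (not OpenAM source): toy model of the /json/authenticate
# session-upgrade flow from this ticket. Endpoint shapes follow the curl calls
# above; the 401 response for a dead upgrade token is an assumed fix, not
# OpenAM's real wording.
import secrets

USERS = {"demo": "changeit"}                 # constructed test data (DataStore1)
UPGRADE_PARAM = "sessionUpgradeSSOTokenId"
SESSION_HEADER = "iplanetDirectoryPro"
MISMATCH_MSG = ("Session Upgrade fails since user is different than original "
                "authenticated user")


class SessionStore:
    """SSO token -> username; logout removes the entry, so the token is dead."""
    def __init__(self):
        self._sessions = {}

    def create(self, user):
        token = "AQIC" + secrets.token_urlsafe(24) + "*"
        self._sessions[token] = user
        return token

    def owner(self, token):
        return self._sessions.get(token)       # None for unknown or logged-out

    def destroy(self, token):
        return self._sessions.pop(token, None) is not None


def callbacks(auth_id, user="", password=""):
    """Body of the DataStore1 NameCallback/PasswordCallback round-trip."""
    return {"authId": auth_id, "stage": "DataStore1", "callbacks": [
        {"type": "NameCallback", "input": [{"name": "IDToken1", "value": user}]},
        {"type": "PasswordCallback", "input": [{"name": "IDToken2", "value": password}]}]}


class AuthServer:
    """Stand-in for the REST authenticate and sessions endpoints."""
    def __init__(self, check_upgrade_token_early):
        self.sessions = SessionStore()
        self.check_early = check_upgrade_token_early
        self._pending = {}           # authId -> upgrade token (or None) for that login

    def sessions_logout(self, headers):
        """POST /json/sessions/?_action=logout"""
        if self.sessions.destroy(headers.get(SESSION_HEADER, "")):
            return 200, {"result": "Successfully logged out"}
        return 401, {"code": 401, "reason": "Unauthorized", "message": "Access Denied"}

    def authenticate(self, query=None, body=None):
        """POST /json/authenticate[?sessionUpgradeSSOTokenId=...]"""
        upgrade = (query or {}).get(UPGRADE_PARAM)
        if body is not None:
            return self._finish(body)
        # Fixed ordering: a dead upgrade token is rejected before any authId is issued,
        # so the client never fills in callbacks for a request that cannot succeed.
        if self.check_early and upgrade is not None and self.sessions.owner(upgrade) is None:
            return 401, {"code": 401, "reason": "Unauthorized",
                         "message": "Invalid " + UPGRADE_PARAM}      # assumed wording
        auth_id = secrets.token_urlsafe(16)                          # stands in for the JWT
        self._pending[auth_id] = upgrade
        return 200, callbacks(auth_id)

    def _finish(self, body):
        if body.get("authId") not in self._pending:
            return 401, {"code": 401, "reason": "Unauthorized", "message": "Unknown authId"}
        upgrade = self._pending.pop(body["authId"])                  # one-shot authId
        inputs = {i["name"]: i["value"] for cb in body["callbacks"] for i in cb["input"]}
        user, password = inputs.get("IDToken1"), inputs.get("IDToken2")
        if USERS.get(user) != password:
            return 401, {"code": 401, "reason": "Unauthorized", "message": "Authentication Failed"}
        if upgrade is not None and self.sessions.owner(upgrade) != user:
            # Reported behaviour: a logged-out token has no owner, so the comparison
            # fails and the caller is told the *user* differs, not that the token is dead.
            return 400, {"code": 400, "reason": "Bad Request", "message": MISMATCH_MSG}
        return 200, {"tokenId": self.sessions.create(user), "successUrl": "/openam/console"}


def reproduce(server):
    """Steps 1-4 of the ticket; returns the responses to the session-upgrade attempt."""
    _, start = server.authenticate()                                            # 1
    status, login = server.authenticate(body=callbacks(start["authId"], "demo", "changeit"))  # 2
    assert status == 200, login
    token = login["tokenId"]
    server.sessions_logout({SESSION_HEADER: token})                             # 3
    status, first = server.authenticate(query={UPGRADE_PARAM: token})           # 4
    if status != 200:
        return [(status, first)]                  # rejected up front: no authId issued
    second = server.authenticate(body=callbacks(first["authId"], "demo", "changeit"))
    return [(status, first), second]


if __name__ == "__main__":
    for early in (False, True):
        print("early token check" if early else "late token check", reproduce(AuthServer(early)))
```

With the late check, `reproduce` returns two responses: an authId with callbacks, then the 400 "user is different" error after the credentials were accepted. With the early check it returns a single 401 and no authId is ever issued, which is the ordering the expected output asks for; a live upgrade with a valid token for the same user still goes through both steps and gets a new tokenId.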

            People

            • Assignee: Quentin CASTEL (quentin.castel)
            • Reporter: Sachiko Wallace (sachiko)
            • QA Assignee: Filip Kubáň
            • Votes: 0
            • Watchers: 3

                Time Tracking

                • Original Estimate: 7h
                • Time Spent: 2h
                • Remaining Estimate: 5h