OpenAM / OPENAM-8659

JSON REST authenticate endpoint doesn't check validity of sessionUpgradeSSOTokenId before returning authId


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 12.0.2, 13.0.0
    • Fix Version/s: 12.0.4, 13.5.0
    • Component/s: rest
    • Sprint: AM Sustaining Sprint 21, AM Sustaining Sprint 22

    Description

      1. retrieve authId from /authenticate endpoint

      $ curl --request POST --header "Content-Type: application/json" \
        https://openam.example.com:8443/openam/json/authenticate
      {
          "authId": "...jwt-value...",
           :
      }
      

      2. fill in JSON form and submit with authId

      $ curl --request POST --header "Content-Type: application/json" \
        --data '{ "authId": "...jwt-value...", "template": "", "stage": "DataStore1", "callbacks": [ { "type": "NameCallback", "output": [ { "name": "prompt", "value": " User Name: " } ], "input": [ { "name": "IDToken1", "value": "demo" } ] }, { "type": "PasswordCallback", "output": [ { "name": "prompt", "value": " Password: " } ], "input": [ { "name": "IDToken2", "value": "changeit" } ] } ] }' \
        https://openam.example.com:8443/openam/json/authenticate
      { "tokenId": "AQIC5wM2...U3MTE4NA..*", "successUrl": "/openam/console" }
      

      3. logout using token obtained in step 2

      $ curl --request POST --header "iplanetDirectoryPro: AQIC5wM2...U3MTE4NA..*" "https://openam.example.com:8443/openam/json/sessions/?_action=logout"
      {"result":"Successfully logged out"}
      

      4. use the same token to do session upgrade

      $ curl --request POST "https://openam.example.com:8443/openam/json/authenticate?sessionUpgradeSSOTokenId=AQIC5wM2...U3MTE4NA..*"
      {"code":400,"reason":"Bad Request","message":"Session Upgrade fails since user is different than original authenticated user"}
      

      It is not a user-friendly process flow that OpenAM asks for callbacks, validates the provided callbacks and only then breaks with "Session Upgrade fails since user is different than original authenticated user", producing a number of collateral errors in the debug log when it tries to log information with the invalid token.

      Expected output

      An error telling you that the token is invalid. In addition, this check needs to be done earlier in the process, so that we don't pollute the debug logs with unnecessary errors.

      Current output

      You get the error

      {"code":400,"reason":"Bad Request","message":"Session Upgrade fails since user is different than original authenticated user"}

      which is a consequence of not checking the token earlier. As a consequence, you also get a few related errors that you should not get.
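The following is an added example, not OpenAM code, that models the four-step flow from this report in memory so the difference between the reported ordering (the upgrade token is only dereferenced after the callbacks have been validated) and the requested ordering (the token is validated before an authId is issued) can be seen side by side. The SessionStore and AuthenticateEndpoint classes, the credential table, the debug-log line and the 401 "Invalid sessionUpgradeSSOTokenId" text are hypothetical; only the 400 message is the one quoted in the report.

```python
# Added example (not OpenAM code): an in-memory model of the /json/authenticate
# session-upgrade flow, with the sessionUpgradeSSOTokenId check placed either
# late (the reported behaviour) or early (the requested behaviour). Class and
# message names other than the quoted 400 text are hypothetical.
import secrets

USERS = {"demo": "changeit"}   # constructed sample credential store


class SessionStore:
    """Hypothetical stand-in for the SSO session table keyed by tokenId."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        token = "AQIC-" + secrets.token_urlsafe(16)
        self._sessions[token] = user
        return token

    def is_valid(self, token):
        return token in self._sessions

    def owner(self, token):
        return self._sessions[token]

    def logout(self, token):
        self._sessions.pop(token, None)


class AuthenticateEndpoint:
    """Two-step authenticate: start() issues authId + callbacks, submit() consumes them."""

    def __init__(self, store, check_upgrade_token_early):
        self.store = store
        self.early = check_upgrade_token_early
        self._pending = {}    # authId -> sessionUpgradeSSOTokenId (or None)
        self.debug_log = []   # collateral errors written while handling requests

    def start(self, session_upgrade_token=None):
        if session_upgrade_token is not None and self.early:
            # Requested ordering: reject a dead token before doing any callback work.
            if not self.store.is_valid(session_upgrade_token):
                return 401, {"code": 401, "reason": "Unauthorized",
                             "message": "Invalid sessionUpgradeSSOTokenId"}  # hypothetical text
        auth_id = secrets.token_urlsafe(12)
        self._pending[auth_id] = session_upgrade_token
        return 200, {"authId": auth_id, "stage": "DataStore1",
                     "callbacks": ["NameCallback", "PasswordCallback"]}

    def submit(self, auth_id, username, password):
        if auth_id not in self._pending:
            return 401, {"code": 401, "reason": "Unauthorized", "message": "Unknown authId"}
        upgrade_token = self._pending.pop(auth_id)
        if USERS.get(username) != password:
            return 401, {"code": 401, "reason": "Unauthorized", "message": "Authentication failed"}
        if upgrade_token is not None:
            # Reported ordering: the token is only dereferenced after the callbacks
            # validated, so a logged-out token shows up as a user mismatch, and each
            # lookup on it leaves an error in the debug log.
            if self.store.is_valid(upgrade_token):
                original = self.store.owner(upgrade_token)
            else:
                self.debug_log.append("unable to read session properties for invalid token")
                original = None
            if original != username:
                return 400, {"code": 400, "reason": "Bad Request",
                             "message": "Session Upgrade fails since user is different "
                                        "than original authenticated user"}
        return 200, {"tokenId": self.store.create(username), "successUrl": "/openam/console"}


def reproduce(check_early):
    """Replay steps 1-4 of the report; returns (status, body, number of debug-log errors)."""
    store = SessionStore()
    endpoint = AuthenticateEndpoint(store, check_early)
    _, first = endpoint.start()                                        # step 1: get authId
    _, login = endpoint.submit(first["authId"], "demo", "changeit")    # step 2: callbacks
    store.logout(login["tokenId"])                                     # step 3: logout
    status, body = endpoint.start(session_upgrade_token=login["tokenId"])  # step 4: upgrade
    if status == 200:
        # Reported ordering: OpenAM still hands out callbacks; the failure comes after them.
        status, body = endpoint.submit(body["authId"], "demo", "changeit")
    return status, body, len(endpoint.debug_log)


if __name__ == "__main__":
    for early in (False, True):
        status, body, errors = reproduce(early)
        print(f"early check={early}: HTTP {status} {body['message']}; debug errors={errors}")
```

Run it as a script to see both orderings: with the check done late the client is asked for callbacks, authenticates, and only then receives the 400 with one collateral debug-log error; with the check done first the same dead token is refused on the very first request and nothing is logged.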


          People

            Quentin CASTEL
            Sachiko Wallace
            Filip Kubáň


              Time Tracking

                Original Estimate: 7h
                Time Spent: 2h
                Remaining Estimate: 5h