Currently, if a device registered in one realm is used to log in to several realms, authentication fails in any realm other than the one in which the registration occurred. This is because the device uses the authentication endpoint communicated during registration, and that endpoint never gets updated.
Instead, the authentication location should be transmitted with each authentication push message (and the auth address removed from the registration QR code). This would allow the endpoints of multiple realms to utilise the same user profile attribute successfully.
Steps to reproduce:
- Administrator creates an instance of the ForgeRock Authenticator (Push) module in the top-level realm, as well as a ForgeRock Authenticator (Push) Registration module in the top-level realm.
- Administrator creates a subrealm called test.
- Administrator creates an instance of the Push Notification Service on the top-level realm, and also on the test subrealm.
- Administrator configures a registration chain on the top-level realm, consisting of a DataStore module passing to the ForgeRock Authenticator (Push) Registration module.
- Administrator configures an authentication chain on both the top-level realm and the test realm. The authentication chain simply consists of the ForgeRock Authenticator (Push) module.
- User registers their device via the top-level realm registration chain.
- User then logs out, and logs in via the top-level realm authentication chain.
- User then logs out, and logs in via the test realm authentication chain.
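The following simulation, added here to illustrate both the reproduction steps and the proposed change, is not OpenAM or ForgeRock Authenticator code. The endpoint URLs, message fields and the HMAC challenge/response are constructed assumptions; only the behaviour is taken from the report: a device that posts to the endpoint it received at registration fails in the second realm, while a device that posts to an endpoint carried in each push message succeeds in both.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed endpoint URLs (assumption; not the real OpenAM paths).
ROOT_ENDPOINT = "https://am.example/realms/root/push/authenticate"
TEST_ENDPOINT = "https://am.example/realms/root/realms/test/push/authenticate"


@dataclass
class Realm:
    """One realm's Push Notification Service: issues challenges and verifies responses."""
    name: str
    endpoint: str
    pending: dict = field(default_factory=dict)  # challenge -> shared secret

    def send_push(self, secret: bytes, include_endpoint: bool) -> dict:
        challenge = secrets.token_hex(8)
        self.pending[challenge] = secret
        msg = {"realm": self.name, "challenge": challenge}
        if include_endpoint:
            # Proposed fix: the authentication location travels with every push.
            msg["auth_endpoint"] = self.endpoint
        return msg

    def receive(self, challenge: str, response: str) -> bool:
        secret = self.pending.pop(challenge, None)
        if secret is None:
            return False  # challenge was never issued by this realm
        expected = hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


class Network:
    """Routes a POST to whichever realm owns the endpoint URL."""
    def __init__(self, realms):
        self.by_endpoint = {r.endpoint: r for r in realms}

    def post(self, endpoint, challenge: str, response: str) -> bool:
        realm = self.by_endpoint.get(endpoint)
        if realm is None:
            return False  # no endpoint known (or none ever configured)
        return realm.receive(challenge, response)


class Device:
    """Authenticator app: keeps whatever the registration QR code gave it."""
    def __init__(self, network: Network):
        self.network = network
        self.secret = None
        self.registered_endpoint = None

    def register(self, qr: dict) -> None:
        self.secret = qr["secret"]
        # Current behaviour stores the auth address from the QR code; under the
        # proposed fix the QR code no longer carries one.
        self.registered_endpoint = qr.get("auth_endpoint")

    def handle_push(self, msg: dict) -> bool:
        # Prefer the endpoint carried in the message; fall back to the registered one.
        endpoint = msg.get("auth_endpoint") or self.registered_endpoint
        response = hmac.new(self.secret, msg["challenge"].encode(), hashlib.sha256).hexdigest()
        return self.network.post(endpoint, msg["challenge"], response)


def run_scenario(endpoint_per_message: bool) -> dict:
    """Register in the root realm, then authenticate in root and in test.

    Returns {realm name: authentication succeeded}.
    """
    root = Realm("root", ROOT_ENDPOINT)
    test = Realm("test", TEST_ENDPOINT)
    device = Device(Network([root, test]))

    # Both realms read the same user profile attribute, so they share one secret.
    secret = secrets.token_bytes(32)

    # Registration via the top-level realm chain.
    qr = {"secret": secret}
    if not endpoint_per_message:
        qr["auth_endpoint"] = root.endpoint  # current behaviour
    device.register(qr)

    return {
        realm.name: device.handle_push(realm.send_push(secret, endpoint_per_message))
        for realm in (root, test)
    }


if __name__ == "__main__":
    print("current behaviour:", run_scenario(endpoint_per_message=False))
    print("proposed behaviour:", run_scenario(endpoint_per_message=True))
```

In the current-behaviour run the test realm's challenge is posted to the root realm's endpoint, which has never issued it, so the test realm never sees a response and the login fails; in the proposed-behaviour run each realm's push names its own endpoint and both logins succeed with the one shared profile attribute.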