Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-9365

Social authentication + Stateless fails if stateless token is too big


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: authentication, stateless
    • Labels:
    • Support Ticket IDs:


      When using Social Authentication with stateless, part of the flow checks the MaxIdle value to validate the token. However the request uses the tokenId value directly as a parameter in the URL; that hits limits on URL length in the browser and returns a HTTP 400 Bad Request.The token is deemed expired and the end user sees the "Session Expired" page. I expect the REST endpoint should be called in a way where the token is part of the body instead of being a parameter in the URL.

      When turning stateless off, the flow works correctly.

      *Steps to reproduce*

      Those steps can probably be simplified, but giving what I am sure will reproduce the issue. I run my tests in a subrealm, but no reason why it should work any better in the top realm.

      1) Set up openam as OpenID Connect provider (called idp.example.net:28080 in my tests)
      2) Create openid agent profile in idp.example.net
      3) Set up second instance that will act as the client (called sp.example.com:38080 in my tests) with subrealm called testrealm -> this is the instance where the issue is happening
      4) Create Social Authentication module in sp.example.com : Dashboard > Configure Social Authentication > Configure Other Authentication
      5) Set up stateless in sp.example.com: Authentication > Settings > General
      6) Create a user with an artificially long given name; you need to end up with a cookie that is close but under 4k, otherwise you will hit the chrome limit for cookies. I used a given name made of 1030 characters.
      7) Start the flow: http://sp.example.com:38080/openam/XUI/#login/&realm=/testrealm

      Expected behaviour

      User is logged in and its end user page is displayed

      Observed behaviour

      User sees "YOUR SESSION EXPIRED."

      Further details

      When inspecting the flow through chrome developer's tool you will see the line /openam/json/sessions?_action=getMaxIdle&tokenId=AQIC5wM2LY4Sfczqsan33oIgJnp0UdkVPWRn3GjpH0EdIew.*AAJTSQACMDEAAlNLABM0NDYyNDU0MTUzNTAyMTUxNDk0AAJTMQAA*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTY... in red with a HTTP 400 Bad Request response (on sp.example.com)

      There are no significant messages in the OpenAM debug logs or catalina.out.

      In localhost_access_log.xxxx-xx-xx.txt you will see the POST to the URL above with HTTP 400 and the total size being 4KB. No other signs in logs




            • Assignee:
              peter.major Peter Major
              nathalie.hoet Nathalie Hoet
            • Votes:
              0 Vote for this issue
              5 Start watching this issue


              • Created: