When using Social Authentication with stateless sessions, part of the flow checks the MaxIdle value to validate the token. However, the request passes the tokenId value directly as a parameter in the URL; that hits limits on URL length in the browser and returns an HTTP 400 Bad Request. The token is then deemed expired and the end user sees the "Session Expired" page. I expect the REST endpoint should be called in a way where the token is part of the body instead of being a parameter in the URL.
When turning stateless off, the flow works correctly.
*Steps to reproduce*
Those steps can probably be simplified, but I am giving what I am sure will reproduce the issue. I run my tests in a subrealm, but there is no reason why it should work any better in the top realm.
1) Set up openam as OpenID Connect provider (called idp.example.net:28080 in my tests)
2) Create openid agent profile in idp.example.net
3) Set up second instance that will act as the client (called sp.example.com:38080 in my tests) with subrealm called testrealm -> this is the instance where the issue is happening
4) Create a Social Authentication module in sp.example.com: Dashboard > Configure Social Authentication > Configure Other Authentication
5) Set up stateless in sp.example.com: Authentication > Settings > General
6) Create a user with an artificially long given name; you need to end up with a cookie that is close to but under 4k, otherwise you will hit the Chrome limit for cookies. I used a given name made of 1030 characters.
7) Start the flow: http://sp.example.com:38080/openam/XUI/#login/&realm=/testrealm
*Expected result*
User is logged in and their end user page is displayed.
*Actual result*
User sees "YOUR SESSION EXPIRED."
When inspecting the flow through the Chrome developer tools you will see the request /openam/json/sessions?_action=getMaxIdle&tokenId=AQIC5wM2LY4Sfczqsan33oIgJnp0UdkVPWRn3GjpH0EdIew.*AAJTSQACMDEAAlNLABM0NDYyNDU0MTUzNTAyMTUxNDk0AAJTMQAA*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTY... in red with an HTTP 400 Bad Request response (on sp.example.com)
There are no significant messages in the OpenAM debug logs or catalina.out.
In localhost_access_log.xxxx-xx-xx.txt you will see the POST to the URL above with HTTP 400 and a total size of 4KB. There are no other signs in the logs.
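To show why the request shape matters, here is an added, constructed example (not OpenAM's own code): it builds a stand-in HS256 JWT whose claims carry the user's given name, the way a stateless session token embeds session properties, and compares the getMaxIdle request with the token in the query string against one with the token in the JSON body. The claim names, the signing key and the length limit passed to `url_too_long` are assumptions; only the host and endpoint path come from the report.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Host and path taken from the report; everything else below is constructed.
SESSIONS_ENDPOINT = "http://sp.example.com:38080/openam/json/sessions"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (the alg visible in the report's tokenId)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def stateless_token(given_name: str) -> str:
    """Constructed stand-in for a stateless session token: user attributes live
    inside the JWT claims, so a long given name inflates the whole token."""
    claims = {"sub": "id=testuser,ou=user,o=testrealm,ou=services,dc=openam",
              "realm": "/testrealm", "givenName": given_name, "sn": "Tester"}
    return make_hs256_jwt(claims, b"constructed-signing-key")


def get_max_idle_query_url(token: str) -> str:
    """Request shape seen in the report: tokenId as a URL query parameter."""
    return SESSIONS_ENDPOINT + "?" + urlencode({"_action": "getMaxIdle", "tokenId": token})


def get_max_idle_body_request(token: str) -> tuple[str, bytes]:
    """Shape the report asks for: tokenId in the JSON body, URL length fixed."""
    return SESSIONS_ENDPOINT + "?_action=getMaxIdle", json.dumps({"tokenId": token}).encode()


def url_too_long(url: str, limit: int) -> bool:
    """True when the request URL exceeds the caller's length limit."""
    return len(url) > limit


if __name__ == "__main__":
    for name in ("Alice", "A" * 1030):  # 1030 chars mirrors the report's given name
        tok = stateless_token(name)
        url = get_max_idle_query_url(tok)
        body_url, body = get_max_idle_body_request(tok)
        print(f"givenName={len(name):4d} chars  query URL={len(url):5d} chars  "
              f"body URL={len(body_url)} chars  body={len(body)} bytes")
```

The query-string URL grows with every attribute stored in the token, while the body variant keeps the URL constant, which is the behaviour the report expects from the endpoint.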