Uploaded image for project: 'OpenIDM'
  1. OpenIDM
  2. OPENIDM-13737

Self-service registration fails in multi-node cluster scenario when configured for full-stack



    • Target Version/s:
    • Verified Version/s:
    • Support Ticket IDs:



      When a two node clustered IDM is configured for integration with AM (using the full-stack sample) and self-registration with email verification is enabled in IDM, then if the link in the verification email returns to a different node from the one the token originated from then an exception occurs and the user is not registered.


      Note: OPENIDM-12865 for multi-node JWT token (backport as OPENIDM-12935) is present in IDM as is the multi-node local uuid option via OPENIDM-12796 (backport as OPENIDM-12812).


      To reproduce

      1). Install a two node IDM cluster and enable self-registration with email verification (use the default JWT option here for the email token).

      2). Verify that user registration works as expected from both nodes.  Also verify by manipulating the URL in the email that the token can be sent to either node (the originating node or the non-originating node) and the user will be created as expected.

      3). Configure both nodes for full-stack integration with AM (6.5.2 in this test) and check that it's possible to login to each IDM node via AM.

      4). For the problem, access the registration page on a node directly, for example:


      ...follow the process and verify the email, ensuring that the request goes back to the originating node.  The user should be created and then it should be possible to authenticate to AM and then be redirected back to IDM as the new user.

      Repeat the process but this time adjust the URL so that the token is sent back to the non-originating node.  This time the flow will fail in IDM where the following request:


      ...which has the JWT in the POST body will return a 400 response:

      {"code":400,"reason":"Bad Request","message":"Invalid token"} 

      ...with the following in the IDM logs:

      [262] Sep 03, 2019 3:15:43.115 PM org.forgerock.selfservice.core.AnonymousProcessService logAndAdaptException
      FINE: Resource exception intercepted
      org.forgerock.json.resource.BadRequestException: Invalid token
      	at org.forgerock.selfservice.core.AnonymousProcessService.progressProcess(AnonymousProcessService.java:194)
      	at org.forgerock.selfservice.core.AnonymousProcessService.handleAction(AnonymousProcessService.java:115)
      	at org.forgerock.openidm.selfservice.impl.SelfServiceProcessHandler.handleAction(SelfServiceProcessHandler.java:218)
      	at org.forgerock.json.resource.Router.handleAction(Router.java:251)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:55)
      	at org.forgerock.json.resource.Filters$ConditionalFilter.filterAction(Filters.java:44)
      	at org.forgerock.json.resource.Filters$ConditionalFilter.filterAction(Filters.java:42)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:53)
      	at org.forgerock.json.resource.Filters$ConditionalFilter.filterAction(Filters.java:44)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleAction(FilterChain.java:53)
      	at org.forgerock.openidm.authz.DelegatedAdminFilter.lambda$filterAction$0(DelegatedAdminFilter.java:187)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:260)
      	at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:224)
      	at org.forgerock.openidm.authz.DelegatedAdminFilter.filterRequest(DelegatedAdminFilter.java:260)





            ramya.srinivassan Ramya Srinivassan
            andy.itter Andy Itter
            QA Assignee:
            Michal Orlik Michal Orlik
            0 Vote for this issue
            4 Start watching this issue