[OPENAM-11789] User remains on 'Loading' page with 'OAuth2.0/OIDC' auth module if authId token expires before entering credentials Created: 19/Sep/17  Updated: 11/Oct/18  Resolved: 29/Sep/17

Status: Resolved
Project: OpenAM
Component/s: authentication, oauth2
Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0
Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2

Type: Bug Priority: Major
Reporter: Andy Itter Assignee: Adam Heath
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to OPENAM-11391 Requesting 'OAuth2.0/OIDC' auth modu... Resolved
is related to OPENAM-12009 Unknown error in Oauth2/OIDC when use... Open
Target Version/s:
Sprint: AM Sustaining Sprint 43
Story Points: 5
Needs backport:
Yes
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same as in the description

Description

Bug description

A user remains stuck on an XUI 'Loading' page when using the 'OAuth2.0/OIDC' auth module if the authId token is allowed to expire before they submit their credentials on a remote IDP which then redirects back to AM.

How to reproduce the issue (Google can be used to test)

1. Go to https://console.developers.google.com
2. Create a project and set the redirect URI to http://am.fqdn:port/am/oauth2c/OAuthProxy.jsp
3. Find the project's client ID and client secret
4. In AM create an OAuth 2/OIDC authentication module using the information from step 3.
5. Create a user in OpenAM with the same email as the user you are logging in to Google with.

To test:

  1. Request http://am.example.com:port/am/XUI/&module=oauth2#login (or simply set the module to be the default for the organisation).  The redirect to Google will take place as expected.
  2. Allow the authId token to expire and then enter the user credentials.
  3. The user is redirected back to AM as expected but remains on a 'Loading' page rather than the profile being displayed as would be expected in this particular test.
Expected behaviour

In this particular test the user profile should be displayed.

Current behaviour

Currently after the redirect back to AM the user remains on a page in the XUI with 'Loading' in the top left corner.

Work arounds

1. Consider adjusting the timeout in /<openam_webapp>/config/auth/default_xx/OAuth.xml and also the 'Invalidate Session Max Time' setting, although the behaviour would remain if this increased value was exceeded.

Reference: https://backstage.forgerock.com/knowledge/kb/article/a23597700

2. Clear the cookies in the browser and try again.



Comments
Comment by Andy Itter [ 20/Sep/17 ]

Just to clarify the behaviour when increasing the timeout as a workaround (test with 13.5.0 with fixes for OPENAM-10320 and OPENAM-8581)

Check the timeout in OAuth.xml - 60 seconds by default.
'Invalidate Session Max Time' - 3 minutes by default.

1). Leave it for just more than 60 seconds on the Google login page after redirection from AM - receive the 'Unable to Login to OpenAM' page with a Session Timeout pop-up after redirect back to AM.  Clicking 'Return to Login' works and the user profile is displayed.

2). Leave it for longer than the 'Configure > Server Defaults > Session > Session Limits > Invalidate Session Max Time' where the default is 3 minutes - this is when the user remains stuck on the 'Loading...' page.

Therefore these two values can be increased to adjust the behaviour as appropriate.

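The following Python script is an added example, not part of this issue and not OpenAM code. It covers workaround 1 in the description (the Callbacks timeout in config/auth/default_xx/OAuth.xml) and the two-timer behaviour described in the comment above (module timeout 60 s by default, 'Invalidate Session Max Time' 3 min by default), so a tester can pick sleep values when reproducing or verifying. The sample XML is constructed for the example; the element and attribute names follow the AM module-properties file format, and the mapping from elapsed time to outcome is taken from the comment on affected builds, not from the AM source.

```python
"""Added example, not OpenAM code: inspect/adjust the <Callbacks timeout> in an
AM module-properties file (e.g. config/auth/default_xx/OAuth.xml) and model the
two timers that decide what the user sees when returning from the external IdP.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an AM module-properties file; a real
# OAuth.xml also carries a DOCTYPE, which the textual edit below preserves.
SAMPLE_OAUTH_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ModuleProperties moduleName="OAuth" version="1.0">
    <Callbacks length="0" order="1" timeout="60" header="#NOT SHOWN#" />
</ModuleProperties>
"""

# Defaults quoted in the issue: module timeout 60 s, Invalidate Session Max Time 3 min.
DEFAULT_MODULE_TIMEOUT_S = 60
DEFAULT_INVALIDATE_SESSION_MAX_MIN = 3

_TIMEOUT_ATTR = re.compile(r'(<Callbacks\b[^>]*?\btimeout=")(\d+)(")')


def get_callback_timeouts(xml_text: str) -> dict:
    """Map each <Callbacks order="n"> to its timeout in seconds."""
    root = ET.fromstring(xml_text)
    return {int(cb.get("order")): int(cb.get("timeout")) for cb in root.iter("Callbacks")}


def set_callback_timeout(xml_text: str, seconds: int) -> str:
    """Return the file text with every <Callbacks timeout=...> set to `seconds`.

    The document is parsed first so a malformed file is never rewritten, but the
    edit itself is textual, so the XML declaration, DOCTYPE and comments survive.
    """
    if seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    ET.fromstring(xml_text)
    new_text, count = _TIMEOUT_ATTR.subn(lambda m: f"{m.group(1)}{seconds}{m.group(3)}", xml_text)
    if count == 0:
        raise ValueError("no <Callbacks timeout=...> attribute found")
    return new_text


def expected_outcome(elapsed_s: float, module_timeout_s: int = DEFAULT_MODULE_TIMEOUT_S,
                     invalidate_session_max_min: int = DEFAULT_INVALIDATE_SESSION_MAX_MIN) -> str:
    """What the issue reports for a user who returns from the IdP after `elapsed_s`.

    Outcomes follow the reporter's comment on affected builds:
      success             - back within the module timeout, profile displayed
      module-timeout      - 'Unable to Login' with a Session Timeout pop-up; 'Return to Login' recovers
      session-invalidated - past Invalidate Session Max Time; the XUI sticks on 'Loading'
    """
    if elapsed_s <= module_timeout_s:
        return "success"
    if elapsed_s <= invalidate_session_max_min * 60:
        return "module-timeout"
    return "session-invalidated"


def check_timeouts(module_timeout_s: int, invalidate_session_max_min: int) -> list:
    """Warnings to review before raising the module timeout as a workaround."""
    warnings = []
    window_s = invalidate_session_max_min * 60
    if module_timeout_s > window_s:
        warnings.append(
            f"module timeout {module_timeout_s}s exceeds Invalidate Session Max Time "
            f"({window_s}s); the auth session is destroyed first, so the longer module "
            f"timeout cannot take effect and the stuck-'Loading' window opens at {window_s}s")
    return warnings


if __name__ == "__main__":
    print("current timeouts:", get_callback_timeouts(SAMPLE_OAUTH_XML))
    updated = set_callback_timeout(SAMPLE_OAUTH_XML, 300)
    print("after edit:", get_callback_timeouts(updated))
    for warning in check_timeouts(300, DEFAULT_INVALIDATE_SESSION_MAX_MIN):
        print("WARNING:", warning)
    for elapsed in (30, 90, 240):
        print(f"{elapsed:>4}s on the IdP page ->", expected_outcome(elapsed))
```

Raising only the module timeout is pointless once it passes 'Invalidate Session Max Time', which is why the script warns about that combination; raise the session setting in Configure > Server Defaults > Session > Session Limits alongside it, and keep both as short as the IdP interaction realistically allows, since they bound how long a half-finished authentication stays valid server-side.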
Comment by Ľubomír Mlích [ 27/Oct/17 ]

If there is no user with email used to log in to google, there will be "Unknown error" and NPE in debug:

WARNING: Could not invoke method:
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.forgerock.openam.http.annotations.AnnotatedMethod.invoke(AnnotatedMethod.java:76)
    at org.forgerock.openam.http.annotations.Endpoints$1.handle(Endpoints.java:64)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.openam.audit.AbstractHttpAccessAuditFilter.filter(AbstractHttpAccessAuditFilter.java:65)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:80)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.openam.rest.RealmRoutingFactory$ChfRealmRouter.handle(RealmRoutingFactory.java:139)
    at org.forgerock.http.handler.Handlers$UndescribedAsDescribableHandler.handle(Handlers.java:179)
    at org.forgerock.openam.rest.RealmRoutingFactory$HostnameFilter.filter(RealmRoutingFactory.java:116)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:56)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:193)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$200(AuthenticationFramework.java:56)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$2.apply(AuthenticationFramework.java:185)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$2.apply(AuthenticationFramework.java:178)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:247)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:236)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:141)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:133)
    at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:84)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:51)
    at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:206)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:62)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:139)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:70)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:52)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:53)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:236)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.rest.ProtocolVersionFilter.doFilter(ProtocolVersionFilter.java:65)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:36)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:80)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.forgerock.openam.core.rest.authn.RestAuthCallbackHandlerManager.handleCallbacksInternally(RestAuthCallbackHandlerManager.java:96)
    at org.forgerock.openam.core.rest.authn.RestAuthCallbackHandlerManager.handleCallbacks(RestAuthCallbackHandlerManager.java:62)
    at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.handleCallbacks(RestAuthenticationHandler.java:307)
    at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:243)
    at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:261)
    at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:165)
    at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:112)
    at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:153)
    ... 80 more

Comment by Ľubomír Mlích [ 27/Oct/17 ]

I see an "Unable to login" page with an empty red rectangle and no error in OpenAM 14.1.1 Build 2de1c7b98b (2017-August-09 12:33) instead of "Loading".
And the user is logged in to OpenAM 14.1.2-M1 Build ec49e2d3c5 (2017-October-03 13:59).

Is it ok as verification?

Comment by Ľubomír Mlích [ 27/Oct/17 ]

Reproduced in OpenAM 13.5.0 Build 550cfe7d60 (2016-July-13 08:43) 

Comment by Ľubomír Mlích [ 27/Oct/17 ]

Actually I see "Loading" after step 1 of the test, before the redirect to Google. No need to wait for access token expiration in 13.5.0.

And same in OpenAM 13.5.2-M7 Build 1d3e4900c0 (2017-October-20 09:14).

Comment by Ľubomír Mlích [ 27/Oct/17 ]

There was an error in my request: I used ? instead of &.
Verified in OpenAM 13.5.2-M7 Build 1d3e4900c0 (2017-October-20 09:14)

Generated at Thu Dec 03 20:00:03 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.