[OPENAM-12418] Unable to access Forgerock OATH for users with Profile when caching disable Created: 09/Feb/18  Updated: 17/Apr/19  Resolved: 24/Feb/18

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 12.0.4, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 5.5.1
Fix Version/s: 12.0.5, 13.5.3, 6.0.0, 14.1.2, 5.5.2

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: C-Weng C
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

User data caching disabled

Issue Links:
is duplicated by OPENAM-14677 Cannot use push and OATH registration... Resolved
Target Version/s:
Sprint: AM Sustaining Sprint 48
Story Points: 3
Needs backport:
Support Ticket IDs:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes and I used the same as in the description


Bug description

When using a module with FR OATH while all the AM caching is disabled, accessing the FR OATH module throws:


javax.security.auth.login.LoginException: java.lang.NullPointerException
        at org.forgerock.openam.core.rest.devices.UserDevicesDao.getDeviceProfil
        at org.forgerock.openam.authentication.modules.fr.oath.OathMaker.getDevi
        at org.forgerock.openam.authentication.modules.fr.oath.AuthenticatorOATH
        at org.forgerock.openam.authentication.modules.fr.oath.AuthenticatorOATH
        at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLogin
        at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.


How to reproduce the issue

1. Disable AM caching for user


2. Create a new realm /2fa

3. Create the datastore with naming authentication as mail, search alias = uid. Create a user with mail. Similarly do the same with an LDAP module with mail as the naming authentication (REQUIRED). Create a new chain for the FROATH.

4. Log in to the LDAP module for realm /2fa and then later access the FROATH with the above user (which does not have the oath2device profile). The exception is seen.

Expected behaviour
No exception and proceed to 2FA
Current behaviour
Auth module fails with server error

Work around

Re-enable the IDM/user cache

/**
 * Returns the values of the requested attribute. Returns an empty set, if
 * the attribute is not set in the object.
 * This method is only valid for AMIdentity objects of type User, Agent,
 * Group, and Role.
 * @param attrName
 *            Name of attribute
 * @return Set of attribute values.
 */
public Set getAttribute(String attrName) throws IdRepoException,
        SSOException {

    Set attrNames = new HashSet();
    IdServices idServices = IdServicesFactory.getDataStoreServices();
    Map valMap = idServices.getAttributes(token, type, name, attrNames,
            orgName, univDN, true);
    // Map.get() returns null when attrName is absent from valMap
    return ((Set) valMap.get(attrName));
}

As the attribute is not found, this causes an NPE in the UserDevicesDao. The API contract suggests the call should not return null (but an empty collection), but it seems that all the other previous code idioms may do a null check too (so some old code assumes null is possible).
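
The contract mismatch described above, reduced to a self-contained Java sketch. This is an added example, not ForgeRock's code or its fix: the class, the method names, the attribute name and the sample data are all hypothetical, and it shows only one way to honor the documented "empty set" contract.

```java
import java.util.*;

public class AttributeContractDemo {
    // Constructed stand-in for the data store: the user has "mail" but no
    // device-profile attribute, so that key is absent from the result map.
    static Map<String, Set<String>> lookup(Set<String> attrNames) {
        Map<String, Set<String>> stored = new HashMap<>();
        stored.put("mail", new HashSet<>(Arrays.asList("demo@example.com")));
        Map<String, Set<String>> result = new HashMap<>();
        for (String n : attrNames) {
            if (stored.containsKey(n)) result.put(n, stored.get(n));
        }
        return result;
    }

    // Same shape as the excerpt: Map.get() yields null for a missing key.
    static Set<String> getAttributeAsWritten(String attrName) {
        Map<String, Set<String>> valMap = lookup(Collections.singleton(attrName));
        return valMap.get(attrName);
    }

    // Honors the documented contract: never null, empty set when unset.
    static Set<String> getAttributeNullSafe(String attrName) {
        Set<String> values = lookup(Collections.singleton(attrName)).get(attrName);
        return values == null ? Collections.<String>emptySet() : values;
    }

    // A caller that relies on the Javadoc and does not null-check.
    static List<String> deviceProfiles(Set<String> raw) {
        List<String> profiles = new ArrayList<>();
        profiles.addAll(raw); // throws NullPointerException when raw is null
        return profiles;
    }

    public static void main(String[] args) {
        String attr = "exampleDeviceProfiles"; // hypothetical attribute name
        try {
            deviceProfiles(getAttributeAsWritten(attr));
        } catch (NullPointerException e) {
            System.out.println("as written: NullPointerException");
        }
        System.out.println("null-safe: " + deviceProfiles(getAttributeNullSafe(attr)));
    }
}
```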

Comment by C-Weng C [ 23/Feb/18 ]

Other possible symptoms

This is possibly the same when the attribute returned is not an empty set and later causes issues.

        at java.util.AbstractCollection.addAll(AbstractCollection.java:343)
        at org.forgerock.openam.session.stateless.AgentSessionNotificationURLsProvider.getSessionEventURLs(AgentSessionNotificationURLsProvider.java:78)
        at org.forgerock.openam.sso.providers.stateless.StatelessSession.getPLLNotificationURLs(StatelessSession.java:377)
Generated at Fri Nov 27 06:22:32 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.