[OPENAM-14147] arg=newsession in XUI just shows the "Loading..." page
Created: 18/Dec/18  Updated: 29/Jul/19  Resolved: 17/Jan/19

Status: Resolved
Project: OpenAM
Component/s: authentication, XUI
Affects Version/s: 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6
Fix Version/s: 13.5.3, 14.1.2, 6.0.0.7, 6.5.1, 6.5.0.2, 6.0.1, 5.5.2, 7.0.0

Type: Bug
Priority: Major
Reporter: C-Weng C
Assignee: C-Weng C
Resolution: Fixed
Votes: 1
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: AM Sustaining Sprint 58, AM Sustaining Sprint 59
Story Points: 2
Needs backport: Yes
Support Ticket IDs:
Verified Version/s:
Needs QA verification: Yes
Functional tests: No
Are the reproduction steps defined?: Yes and I used the same as in the description

 Description   

Bug description

When there is a session and XUI is then accessed as
http://<am>/openam/XUI/?realm=/test&arg=newsession#login/
it does not show any login screen and is stuck on a
blank (or Loading...) page.

How to reproduce the issue

  1. Create a test realm
  2. Login to the realm /test as demo user
  3. On another tab access http://<am>/openam/XUI/?realm=/test&arg=newsession#login/

The purpose of arg=newsession is also to remove, say, any session upgrade use.
The XUI seems to clear the session, but two logout requests are seen, where the latter one is seen as DENIED. There is no page rendering to redirect to ask for the login page.

Expected behaviour

The URL http://<am>/openam/XUI/?realm=/test&arg=newsession#login/ should destroy the old session and ask to log in with a new one (like ForceAuth)

Current behaviour

When there is a logged-in session, accessing http://<am>/openam/XUI/?realm=/test&arg=newsession#login/ the 2nd time does not work and is then stuck, until the next reload of this page.

Work around

-

Code analysis

a) The code, when having arg=newsession, sets this as a REST call to AM
b) When there is a session (as part of the SSO cookie), the empty POST
/json/authenticate?arg=newsession (with the SSO cookie) returns
the reflected

{ "tokenId": <id> }

in the payload
c) XUI then does a session logout (which does a REST logout)
d) However, there is no way that it can continue rendering, as the payload
does not have any callback and also the tokenId is cleared (but it ends in
that payload). So there is no way to render a page that is with the existing session,
nor a way to render the needed callback this needs.

PS: It seems /json/authenticate?arg=newsession does not do server-side clearing
of the session (this is fine)

e) It would then seem that XUI should detect arg=newsession, clear the session or retry the authn w/o arg=newsession?
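
The flow from the code analysis above, modelled as an added JavaScript example (not XUI or AM source, and not the fix that shipped). The mock AM, token values, callback payload and function names are all constructed for illustration; it contrasts the reported behaviour with option (e), retrying authentication without arg=newsession after the logout.

```javascript
// Constructed model of the flow in the code analysis; not AM or XUI source.
function createMockAM() {
  const sessions = new Set(); // valid SSO token ids
  return {
    sessions,
    // POST /json/authenticate: a valid SSO cookie is reflected back as tokenId.
    // `arg` is ignored here because, per the ticket, arg=newsession does not
    // clear the session on the server side.
    authenticate({ arg, ssoCookie } = {}) {
      if (ssoCookie && sessions.has(ssoCookie)) return { tokenId: ssoCookie };
      return { authId: "constructed-auth-id", // constructed callback payload
               callbacks: [{ type: "NameCallback" }, { type: "PasswordCallback" }] };
    },
    // REST logout: only succeeds while the session still exists.
    logout(ssoCookie) { return sessions.delete(ssoCookie) ? "OK" : "DENIED"; },
  };
}

// The UI can only draw a login form when the payload carries callbacks.
function render(payload) {
  return Array.isArray(payload.callbacks) && payload.callbacks.length ? "LOGIN_FORM" : "LOADING";
}

// Behaviour as reported: log out, then try to render the tokenId-only payload.
function loginAsReported(am, browser) {
  const payload = am.authenticate({ arg: "newsession", ssoCookie: browser.ssoCookie });
  if (payload.tokenId) { am.logout(browser.ssoCookie); browser.ssoCookie = null; }
  return render(payload);
}

// Option (e): after the logout, retry authentication without arg=newsession.
function loginWithRetry(am, browser) {
  let payload = am.authenticate({ arg: "newsession", ssoCookie: browser.ssoCookie });
  if (payload.tokenId) {
    am.logout(browser.ssoCookie);
    browser.ssoCookie = null;
    payload = am.authenticate({ ssoCookie: browser.ssoCookie });
  }
  return render(payload);
}

// Run one flow against a fresh mock that already holds a session.
function run(flow) {
  const am = createMockAM();
  am.sessions.add("constructed-token-1");
  const view = flow(am, { ssoCookie: "constructed-token-1" });
  return { view, oldSessionValid: am.sessions.has("constructed-token-1") };
}

console.log(run(loginAsReported), run(loginWithRetry));
```

In both flows the old session is destroyed on the server; only the retry yields a payload with callbacks, so only it reaches the login form.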



 Comments   
Comment by C-Weng C [ 17/Jan/19 ]

Will need to be in 6.0.0.x / 6.5.0.x

Comment by Ľubomír Mlích [ 12/Apr/19 ]

Reproduced in ForgeRock Access Management 6.5.0.1 Build d239585362 (2019-January-15 06:37) - loading page was stuck
Verified as fixed in ForgeRock Access Management 6.5.0.2-RC1 Build a90937dad2 (2019-April-10 15:58) - I could login

Comment by Ľubomír Mlích [ 18/Apr/19 ]

Reproduced in ForgeRock Access Management 6.0.0.6 Build 92d60f32d1 (2018-November-26 06:25) - loading page was stuck
Verified as fixed in ForgeRock Access Management 6.0.0.7-M1 Build a1bc4f9d0b (2019-April-10 09:57) - I could login

Comment by Filip Kubáň [X] (Inactive) [ 29/Jul/19 ]

Verified on ForgeRock Access Management 5.5.2-M6 Build 871fe7a608 (2019-July-23 10:08)

Login page is visible and functioning.