[OPENAM-16257] tokenid is not returned in session upgrade request with ForceAuth=true
Created: 20/May/20  Updated: 22/May/20  Resolved: 22/May/20

Status: Closed
Project: OpenAM
Component/s: session
Affects Version/s: 7.0.0
Fix Version/s: None

Type: Bug
Priority: Major
Reporter: Ľubomír Mlích
Assignee: Unassigned
Resolution: Not a defect
Votes: 0
Labels: regression
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File session_upgrade_test_clp.sh    
Issue Links:
Regression
Relates
relates to AMAGENTS-3496 Modify testing custom login page to w... Closed
is related to AMAGENTS-3331 5.7 - WPA - AM Compatibility Closed

 Description   

Bug description

When sessionupgrade is called with ForceAuth=true, the upgrade succeeds, but tokenid is not returned.

POST /openam/json/realms/root/authenticate?ForceAuth=true&sessionUpgradeSSOTokenId=C4QUsxbZwsva1LoeHQfEALgi4hE.*AAJTSQACMDEAAlNLABw3dEJ3bitvN0htaWFkU0d3M2FWYUJQazhBdlE9AAR0eXBlAANDVFMAAlMxAAA.*&authIndexType=Module&authIndexValue=LDAP HTTP/1.1
Host: openam.localtest.me:8080
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-OpenAM-Username: demo
X-OpenAM-Password: changeit
Content-Type: application/json
Accept-API-Version: resource=2.0, protocol=1.0
Content-Length: 0


HTTP/1.1 200 
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: amlbcookie=01; Domain=localtest.me; Path=/
Cache-Control: no-cache, no-store, must-revalidate
Content-API-Version: resource=2.1
Expires: 0
Pragma: no-cache
Content-Type: application/json
Content-Length: 57
Date: Wed, 20 May 2020 06:31:53 GMT
Keep-Alive: timeout=20
Connection: keep-alive


{"tokenId":"","successUrl":"/openam/console","realm":"/"}

How to reproduce the issue

  1. Set up AM at http://openam.localtest.me:8080/openam
  2. Add a policy to allow all authenticated users to access http://agent.localtest.me:80/index.html
  3. Add a policy to allow all users authenticated to module LDAP to access http://agent.localtest.me:80/sessionupgrade/index.html
  4. Run session_upgrade_test_clp.sh

Expected behaviour

tokenId is displayed

{
    "realm": "/",
    "successUrl": "/openam/console",
    "tokenId": "QMPFUIA32fqL8VxpQLIjSVLlJeA.*AAJTSQACMDEAAlNLABxYTEpvRnA4cTJVSzRIS3NiYXR4UU5JMFdpRFU9AAR0eXBlAANDVFMAAlMxAAA.*"
}

Current behaviour

tokenId is empty in AM reply

{
    "realm": "/",
    "successUrl": "/openam/console",
    "tokenId": ""
}

Work around

Don't use ForceAuth=True



 Comments   
Comment by Ľubomír Mlích [ 20/May/20 ]

Not sure what to do with this issue as OPENAM-15606 was reopened due to this. Should this be marked as duplicate?

Comment by Ľubomír Mlích [ 20/May/20 ]

Because of this change, the agent custom login page used for testing broke. If some customers use a similar request with ForceAuth=true, their custom login page will break too.

Comment by Andrew Vinall [ 22/May/20 ]

Bug Triage: The behaviour has changed as a result of OPENAM-15606 so the tests will need to be updated to reflect this.
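
An added example, not part of the ticket or of OpenAM: one way a test client or custom login page could accept both response shapes shown in the description without ever storing an empty value as a session token. It assumes that an empty tokenId on a 200 reply to a ForceAuth=true upgrade means the existing session was upgraded and its token stays in use; `resolve_upgrade`, `UpgradeResult` and the placeholder tokens are hypothetical names.

```python
import json
from typing import NamedTuple, Optional


class UpgradeResult(NamedTuple):
    ok: bool
    token: Optional[str]  # token the client should present from now on
    reason: str


def resolve_upgrade(status: int, body: str, existing_token: str,
                    force_auth: bool) -> UpgradeResult:
    """Decide which SSO token to use after a session-upgrade call to /authenticate."""
    if status != 200:
        return UpgradeResult(False, None, f"HTTP {status}")
    try:
        data = json.loads(body)
    except ValueError:
        return UpgradeResult(False, None, "body is not JSON")
    if not isinstance(data, dict) or "tokenId" not in data:
        # For example a callback response: authentication is not finished yet.
        return UpgradeResult(False, None, "no tokenId field")
    token = data["tokenId"]
    if isinstance(token, str) and token:
        return UpgradeResult(True, token, "new tokenId issued")
    if token == "" and force_auth and existing_token:
        # Assumption (not stated in the ticket): the upgrade was applied to the
        # existing session, so the client keeps presenting its current token.
        return UpgradeResult(True, existing_token, "empty tokenId, existing session kept")
    # Fail closed: an empty value must never become the session cookie.
    return UpgradeResult(False, None, "empty or invalid tokenId")


# Constructed sample bodies in the shape shown in the ticket.
EMPTY = '{"tokenId":"","successUrl":"/openam/console","realm":"/"}'
ISSUED = '{"tokenId":"NEW-TOKEN-PLACEHOLDER","successUrl":"/openam/console","realm":"/"}'

if __name__ == "__main__":
    for body, force in ((EMPTY, True), (ISSUED, False), (EMPTY, False)):
        print(resolve_upgrade(200, body, "OLD-TOKEN-PLACEHOLDER", force))
```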

Generated at Fri Nov 27 17:04:05 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.