[OPENAM-16257] tokenid is not returned in session upgrade request with ForceAuth=true Created: 2020-05-20  Updated: 2020-05-22  Resolved: 2020-05-22

Status: Closed
Project: OpenAM
Component/s: session
Affects Version/s: 7.0.0
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Ľubomír Mlích Assignee: Unassigned
Resolution: Not a defect Votes: 0
Labels: regression
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File session_upgrade_test_clp.sh    
Issue Links:
relates to AMAGENTS-3496 Modify testing custom login page to w... Closed
is related to AMAGENTS-3331 5.7 - WPA - AM Compatibility Closed
Rank: 1|i010lb:


Bug description

When session upgrade is called with ForceAuth=true, the upgrade succeeds, but tokenId is not returned.

POST /openam/json/realms/root/authenticate?ForceAuth=true&sessionUpgradeSSOTokenId=C4QUsxbZwsva1LoeHQfEALgi4hE.*AAJTSQACMDEAAlNLABw3dEJ3bitvN0htaWFkU0d3M2FWYUJQazhBdlE9AAR0eXBlAANDVFMAAlMxAAA.*&authIndexType=Module&authIndexValue=LDAP HTTP/1.1
Host: openam.localtest.me:8080
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-OpenAM-Username: demo
X-OpenAM-Password: changeit
Content-Type: application/json
Accept-API-Version: resource=2.0, protocol=1.0
Content-Length: 0

HTTP/1.1 200 
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: amlbcookie=01; Domain=localtest.me; Path=/
Cache-Control: no-cache, no-store, must-revalidate
Content-API-Version: resource=2.1
Expires: 0
Pragma: no-cache
Content-Type: application/json
Content-Length: 57
Date: Wed, 20 May 2020 06:31:53 GMT
Keep-Alive: timeout=20
Connection: keep-alive


How to reproduce the issue

  1. set up AM at http://openam.localtest.me:8080/openam
  2. add a policy to allow all authenticated users to access http://agent.localtest.me:80/index.html
  3. add a policy to allow all users authenticated to the LDAP module to access http://agent.localtest.me:80/sessionupgrade/index.html
  4. run session_upgrade_test_clp.sh
Expected behaviour
tokenId is displayed in the AM reply

    "realm": "/",
    "successUrl": "/openam/console",
Current behaviour
tokenId is empty in the AM reply

    "realm": "/",
    "successUrl": "/openam/console",
    "tokenId": ""

Workaround

Don't use ForceAuth=true
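The request in the description and the workaround above amount to a small client contract: send the existing session as sessionUpgradeSSOTokenId, authenticate to the target module with the zero-page-login headers, and read tokenId from the reply. The following is an added example (not the attached session_upgrade_test_clp.sh and not AM project code) that builds that request offline and shows how a client can cope with both reply shapes seen on this page. It assumes, beyond what the page states, that with ForceAuth=true the original session is re-authenticated in place, so an empty tokenId means "keep the token you sent" rather than "authentication failed"; the host, path, credentials and module name are the ones from the report, and the sample reply bodies are constructed.

```python
import json
from urllib.parse import urlencode, urlunsplit

# Endpoint details taken from the request shown in the bug report.
AM_SCHEME = "http"
AM_HOST = "openam.localtest.me:8080"
AM_AUTH_PATH = "/openam/json/realms/root/authenticate"


def build_upgrade_request(sso_token, username, password, module="LDAP", force_auth=False):
    """Build the URL and headers for a module-based session upgrade call.

    Mirrors the report: the current session goes in sessionUpgradeSSOTokenId,
    the target module in authIndexType/authIndexValue, and the credentials in
    the X-OpenAM-Username / X-OpenAM-Password headers. ForceAuth=true is only
    appended when asked for, which is the workaround switch from the page.
    """
    params = {
        "sessionUpgradeSSOTokenId": sso_token,
        "authIndexType": "Module",
        "authIndexValue": module,
    }
    if force_auth:
        params["ForceAuth"] = "true"
    url = urlunsplit((AM_SCHEME, AM_HOST, AM_AUTH_PATH, urlencode(params), ""))
    headers = {
        "X-OpenAM-Username": username,
        "X-OpenAM-Password": password,
        "Content-Type": "application/json",
        "Accept-API-Version": "resource=2.0, protocol=1.0",
    }
    return url, headers


def session_after_upgrade(response_body, original_token, force_auth):
    """Decide which SSO token to use after an upgrade reply.

    Returns (token, reused). reused is True when the reply carried no tokenId
    and the client keeps the original session.

    Assumption (not stated on the page): with ForceAuth=true the existing
    session is re-authenticated in place, so an empty tokenId is the expected
    shape and the original token stays valid. Without ForceAuth a fresh token
    is expected, so an empty tokenId is reported as an error instead of being
    silently treated as success.
    """
    data = json.loads(response_body)
    token = data.get("tokenId", "")
    if token:
        return token, False
    if force_auth:
        return original_token, True
    raise ValueError("session upgrade reply carried no tokenId")


# Constructed sample replies modelled on the two bodies quoted in the report.
REPLY_WITH_TOKEN = json.dumps(
    {"realm": "/", "successUrl": "/openam/console", "tokenId": "new-session-token-constructed"}
)
REPLY_EMPTY_TOKEN = json.dumps({"realm": "/", "successUrl": "/openam/console", "tokenId": ""})


if __name__ == "__main__":
    url, headers = build_upgrade_request("existing-token-constructed", "demo", "changeit", force_auth=True)
    print(url)
    print(session_after_upgrade(REPLY_EMPTY_TOKEN, "existing-token-constructed", force_auth=True))
    print(session_after_upgrade(REPLY_WITH_TOKEN, "existing-token-constructed", force_auth=False))
```

The error branch is the important one for an agent or custom login page: a client that simply stores whatever tokenId comes back will end up with an empty cookie after a ForceAuth=true upgrade, which is exactly how the test login page on this issue broke.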

Comment by Ľubomír Mlích [ 2020-05-20 ]

Not sure what to do with this issue as OPENAM-15606 was reopened due to this. Should this be marked as duplicate?

Comment by Ľubomír Mlích [ 2020-05-20 ]

Because of this change, the agent custom login page used for testing broke. If some customers use a similar request with ForceAuth=true, their custom login page will break too.

Comment by Andrew Vinall [ 2020-05-22 ]

Bug Triage: The behaviour has changed as a result of OPENAM-15606 so the tests will need to be updated to reflect this.

Generated at Sun Jun 13 04:53:31 UTC 2021 using Jira 8.16.0#816000-sha1:a455b91378454416b49bbc88d03e653cb9815ed5.