[OPENAM-3335] REST authentication inconsistency with ZPL Created: 20/Nov/13  Updated: 04/Feb/14  Resolved: 04/Feb/14

Status: Resolved
Project: OpenAM
Component/s: authentication, rest
Affects Version/s: 11.0.0
Fix Version/s: 12.0.0

Type: Bug Priority: Major
Reporter: Peter Major [X] (Inactive) Assignee: Phill Cunnington
Resolution: Won't Fix Votes: 0
Labels: AME, RestAuthn
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Sprint 48


Configure the following chain:
PersistentCookie SUFFICIENT

Make this chain the default org chain in the realm.

Now if you try to perform ZPL:

curl -v -d "" -H "X-OpenAM-Username:demo" -H "X-OpenAM-Password:changeit" -H "Content-Type: application/json" http://openam.example.com:8080/openam/json/authenticate

You'll get back a token ID and a session-jwt cookie in the response.

If you then do a semi-zero page login using the POST payload:

curl -v -d '{ "template": "", "stage": "DataStore1", "callbacks": [ { "type": "NameCallback", "output": [ { "name": "prompt", "value": " User Name: " } ], "input": [ { "name": "IDToken1", "value": "demo" } ] }, { "type": "PasswordCallback", "output": [ { "name": "prompt", "value": " Password: " } ], "input": [ { "name": "IDToken2", "value": "changeit" } ] } ] }' -H "Content-Type: application/json" http://openam.example.com:8080/openam/json/authenticate

then you get back the same set of callbacks with an authId and no session-jwt cookie. Submitting the POST with the received authId will result in a successful authn with session-jwt cookie; however, I'm not sure why these two authentication methods differ.

Comment by Phill Cunnington [ 04/Feb/14 ]

Have tried both the curl requests and both times I get a tokenId in the response body json and a session-jwt cookie. I cannot see any differences between the two responses.

Please re-open with further information if still reproducible.

Comment by Phill Cunnington [ 04/Feb/14 ]

Re-opening as managed to reproduce issue.

Comment by Phill Cunnington [ 04/Feb/14 ]

I would say that this isn't actually an inconsistency as what is happening is that the second curl example is submitting the callbacks, with values, for the second stage of the authentication process (the first stage being the persistent cookie).

Importantly, the post body with the callbacks is not passed on to the second stage. This is because zero-page login is only supported for single stage authentication and because of the increased complexity of handling the post body, i.e. what if the auth chain had two modules which took a username and password? How would the authentication process know which module the username and password is for?

Basically I think it comes down to the fact the authentication endpoint can only accept callbacks for the current stage of the authentication. Hence trying to do zero-page login (which is effectively what this is) with two auth modules configured will not work.
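The stage-by-stage behaviour described in the comments above, as an added example that is not part of this issue and not OpenAM's own code. It models the reporter's chain (PersistentCookie SUFFICIENT followed by a DataStore stage) with a constructed mock of the /json/authenticate endpoint, using the callback JSON shape and the authId/tokenId fields from the issue. The user "demo"/"changeit", the token values and the `set_cookie` field standing in for the Set-Cookie header are all constructed. The client loop `authenticate` shows the pattern a REST client needs in order to work with multi-stage chains: answer only the callbacks the server is currently asking for and resubmit with the authId, instead of posting stage-2 callbacks up front.

```python
import hmac
import json
import secrets

# Constructed sample data for the example; not from the issue's environment.
USERS = {"demo": "changeit"}
VALID_COOKIES = set()


def name_callback(value=""):
    return {"type": "NameCallback",
            "output": [{"name": "prompt", "value": " User Name: "}],
            "input": [{"name": "IDToken1", "value": value}]}


def password_callback(value=""):
    return {"type": "PasswordCallback",
            "output": [{"name": "prompt", "value": " Password: "}],
            "input": [{"name": "IDToken2", "value": value}]}


class MockAuthenticateEndpoint:
    """Constructed mock of /json/authenticate for the chain in the issue.
    Callbacks in a request are only honoured for the stage named by the
    authId; a request without an authId starts the chain at stage 1."""

    def __init__(self):
        self.sessions = {}  # authId -> stage the server is waiting on

    def post(self, body, cookies=None):
        cookies = cookies or {}
        req = json.loads(body) if body else {}
        auth_id = req.get("authId")
        if auth_id is None:
            # Stage 1: PersistentCookie (SUFFICIENT). A valid cookie ends the chain.
            if cookies.get("session-jwt") in VALID_COOKIES:
                return self._success()
            # No cookie: the chain moves on. Any callbacks in this body are
            # dropped, so stage 2's callbacks are issued afresh with a new authId.
            new_id = secrets.token_urlsafe(16)
            self.sessions[new_id] = "DataStore1"
            return {"authId": new_id, "template": "", "stage": "DataStore1",
                    "callbacks": [name_callback(), password_callback()]}
        if self.sessions.pop(auth_id, None) != "DataStore1":
            return {"code": 401, "reason": "Unauthorized", "message": "Invalid authId"}
        # Stage 2: DataStore. Read the submitted values by callback type.
        values = {cb["type"]: cb["input"][0]["value"] for cb in req.get("callbacks", [])}
        user = values.get("NameCallback", "")
        pw = values.get("PasswordCallback", "").encode()
        if user in USERS and hmac.compare_digest(USERS[user].encode(), pw):
            return self._success()
        return {"code": 401, "reason": "Unauthorized", "message": "Authentication failed"}

    @staticmethod
    def _success():
        token = secrets.token_urlsafe(24)
        VALID_COOKIES.add(token)
        # set_cookie stands in for the Set-Cookie: session-jwt=... header.
        return {"tokenId": token, "set_cookie": {"session-jwt": token}}


def fill_callbacks(callbacks, username, password):
    """Fill the callbacks of the current stage by type; unknown types pass through."""
    filled = []
    for cb in json.loads(json.dumps(callbacks)):  # deep copy
        if cb["type"] == "NameCallback":
            cb["input"][0]["value"] = username
        elif cb["type"] == "PasswordCallback":
            cb["input"][0]["value"] = password
        filled.append(cb)
    return filled


def authenticate(endpoint, username, password, max_stages=10):
    """Walk the chain: empty POST, answer whatever callbacks come back,
    resubmit with the authId, and stop when a tokenId appears."""
    resp = endpoint.post("")
    for _ in range(max_stages):
        if "tokenId" in resp:
            return resp["tokenId"]
        if "callbacks" not in resp:
            raise RuntimeError(f"authentication failed: {resp}")
        resp = endpoint.post(json.dumps({
            "authId": resp["authId"],
            "template": resp.get("template", ""),
            "stage": resp.get("stage", ""),
            "callbacks": fill_callbacks(resp["callbacks"], username, password),
        }))
    raise RuntimeError("too many stages")


def semi_zero_page_login(endpoint, username, password):
    """The reporter's second curl: stage-2 callbacks posted without an authId."""
    body = json.dumps({"template": "", "stage": "DataStore1",
                       "callbacks": [name_callback(username), password_callback(password)]})
    return endpoint.post(body)


if __name__ == "__main__":
    ep = MockAuthenticateEndpoint()
    print(semi_zero_page_login(ep, "demo", "changeit"))  # callbacks + authId, no tokenId
    print(authenticate(ep, "demo", "changeit"))          # tokenId
```

Running the module reproduces the observation in the issue: the filled callbacks posted without an authId come back as a fresh set of callbacks with an authId, while the client loop that answers each stage in turn ends with a tokenId. Presenting the resulting session-jwt cookie on a later empty POST satisfies the PersistentCookie stage directly.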

Generated at Sun Sep 27 19:31:36 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.