[OPENAM-4089] Session Upgrade via REST is not consistent with LVB behaviour Created: 12/Jun/14  Updated: 20/Nov/16  Resolved: 17/Dec/14

Status: Resolved
Project: OpenAM
Component/s: session
Affects Version/s: 12.0.0
Fix Version/s: 12.0.0

Type: Bug Priority: Major
Reporter: Nemanja Lukic Assignee: Rich Riley [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: AME
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
depends on OPENAM-5321 Cross realm session upgrade not handl... Resolved
Sprint: Sprint 60, Sprint 61, Sprint 62, Sprint 63, Sprint 64 - Team Tesla, Sprint 65 - Team Tesla, Sprint 71 - Team Tesla
Support Ticket IDs:
QA Assignee: Nemanja Lukic


Behaviour of the session upgrade (SU) functionality via REST interface is not consistent with the way it behaves with LVB.

When module is used

The case where LVB behaviour of SU when module is specified differs from REST intraface is as follows:

  1. access to openam/UI/Login?module=DataStore
  2. log in screen is presented
  3. log in as demo/changeit
  4. user profile is presented
  5. Access openam/UI/Login?module=DataStore again
  6. user profile is presented
  7. session is not upgraded, the token remains the same


  1. empty POST to openam/json/authenticate?authIndexType=module&authIndexValue=DataStore
  2. a callback is returned
  3. POST to openam/json/authenticate?authIndexType=module&authIndexValue=DataStore with the callback containing demo/changeit cedentials
  4. SSO token is returned
  5. empty POST to openam/json/authenticate?authIndexType=module&authIndexValue=DataStore&sessionUpgradeSSOTokenId=TOKEN (the same URL as before just with sessionUpgradeSSOTokenId parameter containing the original session token)
  6. a callback is returned
  7. POST to openam/json/authenticate?authIndexType=module&authIndexValue=DataStore with the callback containing demo/changeit cedentials
  8. new SSO token is returned and the old one has been invalidated
  9. session upgrade occurs

IMHO, when the second post is executed, it's misleading to reply with a callback since OpenAM should be able to reckognise this session as valid and should not upgrade the session.

Cross realm SU

In the case of cross realm session upgrade the LVB behaves like this:

  1. access openam/UI/Login?realm=realm1
  2. log in screen is presented
  3. log in as demo/changeit
  4. user profile is presented
  5. access openam/UI/Login?realm=realm1
  6. choice screen is presented asking if the user wants to log out
  7. answer YES
  8. logged out form realm1 and log in screen for realm2 is presented
  9. log in as demo/changeit
  10. user profile is presented
  11. original session is not valid, the new one is, but there was no session upgrade
  12. asnwer NO
  13. original session is intact, there is no other session, there is no session upgrade

The way REST interface behaviour differs is:

  1. create a session with realm1
  2. make an empty POST to the second realm passing the session upgrade parameter: openam/json/realm2/authenticate?sessionUpgradeSSOTokenId=TOKEN
  3. a choice callback is expected, instead a name and password callback are returned

If we continue from here, this is what happens:

  1. post the callback with credentials back to realm2
  2. new session is created
  3. old session is destroyed

Although the result is the same, the process along the way is a bit different.

Authentication level

The same case is observed with the authentication level in the following case:

  1. authentication level 0 is requested
  2. choice callback is returned with the choice of all modules that satisfy the requirement including those with higher level
  3. select level 10 module
  4. login screen is presented
  5. log in as demo/change it
  6. user profile screen is presented
  7. request authentication for the level 10
  8. in LVB, user profile screen is presented because this has already been satisfied so no session upgrade occurs
  9. in REST, name and password callbacks are returned requiring new authentication

Again, in the case of REST upon successful authentication, the old session is upgraded.

Exactly the same case occurs when the initial authentication level is 10 and then next one 0.

Comment by Nemanja Lukic [ 19/Nov/14 ]

Module behaviour verified in: OpenAM 12.0.0-SNAPSHOT Build 11445 (2014-November-19 02:36)

Comment by Nemanja Lukic [ 15/Dec/14 ]

Authentication level behaviour verified in: OpenAM 12.0.0 RC5

Comment by Nemanja Lukic [ 15/Dec/14 ]

Cross realm behaviour not consitent with LVB. More details here: OPENAM-5321

Comment by Peter Major [X] (Inactive) [ 17/Dec/14 ]

I'm resolving this issue since there is a separate one opened for the cross realm session upgrade problem.

Generated at Tue Nov 24 20:38:20 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.