[OPENAM-7021] XUI login script queries "/openam/json/users?realm=/?_action=idFromSession" Created: 03/Oct/15  Updated: 23/Feb/16  Resolved: 06/Oct/15

Status: Resolved
Project: OpenAM
Component/s: authentication, oauth2, XUI
Affects Version/s: 13.0.0
Fix Version/s: 13.0.0

Type: Bug Priority: Blocker
Reporter: hadi hahmadi Assignee: Joe Bandenburg [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: 13.0.0-Must-Fix, AME, TESLA, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Ubuntu 64-bit, tomcat7, OpenAM 13.0.0 build Oct 2.


Attachments: PNG File idFromSession.png
Target Version/s:
Sprint: Sprint 95 - Team Tesla

Description

XUI login obliviously adds `?_action=idFromSession` to the authenticate query parameters while targeting /openam/json/users. So, when authentication already has a param like `?realm=/`, the . See attached image.



Comments
Comment by Neil Madden [ 03/Oct/15 ]

XUI URLs always use #&realm=/ form in the uri fragment. Actual URI query parameters are not supported as far as I know.

Comment by Neil Madden [ 03/Oct/15 ]

Possible duplicate of OPENAM-5387 which seems to have been closed as a docs bug.

Comment by Neil Madden [ 03/Oct/15 ]

That said, there are source code checkins associated with that bug, so possibly this is a regression. Will double check with the XUI team on Monday.

Comment by hadi hahmadi [ 03/Oct/15 ]

Seems there has been a misunderstanding. This is what I observe:

  • Access Login page by browsing to "/openam/XUI/#login/&realm=/"
  • Enter credentials and click log-in.
  • Login error message is received.
  • Opening the network tab of Chrome developer tools (see above picture) I saw XUI JS code sends two sequential queries to the backend:
    1- POST to /openam/json/authenticate?realm=/ which returns
    {
    "tokenId":"AQIC5wM2LY4Sfcybl0QAgmp7FHyGEYvyOxeLQ2DNyJ4L-Eo.*AAJTSQACMDEAAlNLABQtNjUzNjYzNjE0NDU0MTEwMzcyMgACUzEAAA..*",
    "successUrl":"/openam/console"
    }

    2- POST to /openam/json/users?realm=/?_action=idFromSession which, because of the two '?' characters, returns 500 Internal Server Error
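
The URL construction described in the steps above, as an added example that is not OpenAM/XUI code: a builder that blindly appends `?_action=...` is shown beside a query-aware one, and a small parser shows what the server actually receives in each case. The base `http://openam.example` is a constructed placeholder used only to resolve the relative path.

```javascript
// Added example (not OpenAM/XUI code): contrasts the URL construction the
// report describes with a query-aware one, and shows how a server parses each.

// Naive construction, as in the report: "?_action=..." is appended regardless
// of whether the endpoint already carries a query string.
function buildActionUrlNaive(endpoint, action) {
  return endpoint + "?_action=" + action;
}

// Query-aware construction: join with "&" when a query string is already
// present, percent-encode the value, and keep any fragment at the end.
function buildActionUrl(endpoint, action) {
  const hashIdx = endpoint.indexOf("#");
  const fragment = hashIdx === -1 ? "" : endpoint.slice(hashIdx);
  const base = hashIdx === -1 ? endpoint : endpoint.slice(0, hashIdx);
  const sep = base.includes("?") ? "&" : "?";
  return base + sep + "_action=" + encodeURIComponent(action) + fragment;
}

// What the server sees: the query is everything after the FIRST "?", so the
// realm and _action parameters it receives depend on how the URL was built.
// "http://openam.example" is a constructed base used only to resolve the path.
function parseAsServer(requestUrl) {
  const params = new URL(requestUrl, "http://openam.example").searchParams;
  return { realm: params.get("realm"), action: params.get("_action") };
}

// Demonstration with the endpoint from the report.
const endpoint = "/openam/json/users?realm=/";
const naive = buildActionUrlNaive(endpoint, "idFromSession");
const fixed = buildActionUrl(endpoint, "idFromSession");
console.log(naive, parseAsServer(naive)); // realm "/?_action=idFromSession", action null
console.log(fixed, parseAsServer(fixed)); // realm "/", action "idFromSession"
```

With the naive URL the server never sees an `_action` parameter at all; the whole `/?_action=idFromSession` string arrives as the realm value, which is why the request fails rather than being dispatched as the intended action.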

Comment by Neil Madden [ 03/Oct/15 ]

Thanks for the reproduction steps. That is definitely a bug. As a workaround, can you confirm if the #login/<realm> syntax works for you? I.e., for the top-level realm just XUI/#login/, or for a sub-realm 'foo' it would be XUI/#login/foo.

Comment by hadi hahmadi [ 03/Oct/15 ]

Unfortunately, this behavior is observed as a result of OIDC flow, i.e., a 301 redirect response with

Location: ***/openam/UI/Login?realm=%2F&***

when browser accesses /openam/oauth2/authorize and user is not authenticated. That I cannot work around!

Comment by Neil Madden [ 03/Oct/15 ]

That is unfortunate. I don't know another workaround short of disabling the XUI completely.

Comment by Peter Major [X] (Inactive) [ 05/Oct/15 ]

Reproducible with SAML2 as well :/

Comment by hadi hahmadi [ 06/Oct/15 ]

Can I use the patch in my nightly build? Is it as easy as replacing UserModel.js or maybe XUI/main.js from that of the last build?
I did the above, but didn't observe the behavior fixed!

Comment by Joe Bandenburg [X] (Inactive) [ 06/Oct/15 ]

It isn't that easy. You'll also need to copy over src/main/js/main.js. Otherwise you'll be using the minified main.js (which includes a version of UserModel).

Generated at Sat Oct 24 06:48:58 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.