[OPENAM-8336] XUI+REST authentication with chains must have sticky load balancing Created: 11/Feb/16  Updated: 10/Jan/19  Resolved: 13/Mar/18

Status: Closed
Project: OpenAM
Component/s: authentication, rest, XUI
Affects Version/s: 12.0.2, 13.0.0, 13.5.0, 14.0.0
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: Andrew Dunn [X] (Inactive) Assignee: Unassigned
Resolution: Won't Fix Votes: 12
Labels: AME, dev-ops, docker
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Duplicate
is duplicated by OPENAM-9263 Password Reset results in "Incorrect ... Resolved
is duplicated by OPENAM-10399 Authentication for OpenAM in a site r... Closed
Relates
relates to OPENAM-13861 Social Authentication Tree does not c... Resolved
relates to OPENAM-10399 Authentication for OpenAM in a site r... Closed
relates to OPENAM-12221 AM REST Authentication Login State is... Closed
is related to OPENAM-2820 REST Authentication with multiple cal... Resolved
is related to OPENAM-8269 "AuthId JWT Signature not valid" erro... Resolved
is related to OPENAM-4396 RestAuthException: Incorrect number o... Closed
is related to OPENAM-12675 One-step authentication in a cluster ... Closed
is related to OPENAM-7823 REST Authentication Scripted authenti... Closed
Epic Link: Stateless Authentication
Support Ticket IDs:

 Description   

In a multi-server setup without stickiness working in a load balancer, and authentication to a chain taking place across multiple servers, authentication will fail.
It should be possible to authenticate even if amlbcookie is not recognised or used properly by the load balancer.

Steps to reproduce:

1. Set up server-1 and server-2 behind an LB without stickiness.
2. Configure a chain with LDAP (required) and HOTP (required).
3. POST to server-1, json/authenticate?authIndexType=service&authIndexValue=hotptest
4. Fill in callbacks and POST response to server-2
5. Fill in callbacks returned from server-2 and POST to server-1

Response back from server-1 is

{"code":400,"reason":"Bad Request","message":"Required callback not found in JSON response"}

Stacktrace on server-1:

AuthContextLocal:: Status : in_progress
amAuthContextLocal:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
AuthContextLocal::getRequirements()
amAuth:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
getStatus : status is... : 2
amAuth:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
getStatus : status is... : 2
amAuthContextLocal:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
In getCallbacks() callback : com.sun.identity.authentication.spi.PagePropertiesCallback@60c60fa0
amAuthContextLocal:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
In getCallbacks() callback : javax.security.auth.callback.NameCallback@124aca87
amAuthContextLocal:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
In getCallbacks() callback : javax.security.auth.callback.PasswordCallback@35691983
amAuthREST:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
ERROR: Required callback not found in JSON response
amAuthUtils:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
URL name : PostProcessLoginFailureURL Value : Not set - null or empty string
amAuth:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
processURL : null
amAuthREST:02/11/2016 11:55:01:818 AM GMT: Thread[http-bio-8080-exec-8,5,main]
AuthenticationService.authenticate() :: Rest Authentication Exception
org.forgerock.openam.forgerockrest.authn.exceptions.RestAuthException: Required callback not found in JSON response
        at org.forgerock.openam.forgerockrest.authn.RestAuthCallbackHandlerManager.handleJsonCallbacks(RestAuthCallbackHandlerManager.java:149)
        at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.handleCallbacks(RestAuthenticationHandler.java:304)
        at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:235)
        at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:160)
        at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:109)
        at org.forgerock.openam.forgerockrest.authn.restlet.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:127)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.restlet.resource.ServerResource.doHandle(ServerResource.java:503)
        at org.restlet.resource.ServerResource.post(ServerResource.java:1216)
        at org.restlet.resource.ServerResource.doHandle(ServerResource.java:592)
        at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:649)
        at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:348)
        at org.restlet.resource.ServerResource.handle(ServerResource.java:952)
        at org.restlet.resource.Finder.handle(Finder.java:246)
        at org.forgerock.openam.rest.service.VersionRouter.handle(VersionRouter.java:139)
        at org.forgerock.openam.rest.service.ServiceRouter$RestletWrapper.handle(ServiceRouter.java:163)
        at org.restlet.routing.Filter.doHandle(Filter.java:159)
        at org.restlet.routing.Filter.handle(Filter.java:206)
        at org.restlet.routing.Router.doHandle(Router.java:431)
        at org.forgerock.openam.rest.service.RestletRealmRouter.doHandle(RestletRealmRouter.java:106)
        at org.restlet.routing.Router.handle(Router.java:648)
        at org.forgerock.openam.rest.service.ServiceRouter.handle(ServiceRouter.java:144)
        at org.restlet.routing.Filter.doHandle(Filter.java:159)
        at org.restlet.routing.Filter.handle(Filter.java:206)
        at org.restlet.routing.Filter.doHandle(Filter.java:159)
        at org.restlet.routing.Filter.handle(Filter.java:206)
        at org.restlet.routing.Filter.doHandle(Filter.java:159)
        at org.restlet.engine.application.StatusFilter.doHandle(StatusFilter.java:155)
        at org.restlet.routing.Filter.handle(Filter.java:206)
        at org.restlet.routing.Filter.doHandle(Filter.java:159)
        at org.restlet.routing.Filter.handle(Filter.java:206)
        at org.restlet.engine.CompositeHelper.handle(CompositeHelper.java:211)
        at org.restlet.engine.application.ApplicationHelper.handle(ApplicationHelper.java:84)


 Comments   
Comment by Peter Major [X] (Inactive) [ 18/Mar/16 ]

Unassigning this for now, we will probably need engineering involvement on this one.

Comment by Jonathan Scudder [ 21/Mar/16 ]

This is an RFE rather than a bug. Considering for an upcoming sprint.

Comment by Simon Harding [ 05/Jul/16 ]

This is something that did work in earlier versions of OpenAM and now does not. Customers are finding that when they upgrade from earlier versions of OpenAM and start using the XUI, that there is now a requirement to use sticky load balancing. This requirement is not documented. Therefore in my opinion it is a bug.

Note that this error occurs in several other situations, not just when using two authentication modules in a chain. This includes when a user changes a password when their password has expired (LDAP behera support - see OPENAM-9263).

Comment by Bernhard Thalmayr [ 01/Aug/16 ]

Sticky load balancing can never be achieved to 100% (think of SSL/TLS from browser to OpenAM). Actually this was the reason why 'cross-talk' had been introduced in the early days of the product. --> it should be considered a bug and not an RFE.

Comment by Bernhard Thalmayr [ 01/Aug/16 ]

Actually it should be considered a blocking bug.

Comment by Andy Hall [ 01/Aug/16 ]

This is an important issue but can't be done for AM14. Changed labels and target version to reflect reality and for transparency.

Comment by Andy Hall [ 02/Oct/17 ]

Containing Epic scheduled for AM6.

Comment by Buddhadeb Das [ 16/Nov/17 ]

Hi All,

Could you please let me know if this issue will be resolved in AM6 if so when is the AM6 scheduled for release ?

Also let me know if a patch can be provided on top of OpenAM 13.5 to fix this issue.


Thanks,

Buddhadeb

Comment by Dipu Seminlal [ 13/Mar/18 ]

Stateless Authentication will only be supported on Auth Trees and not on chains.

Comment by Simon Moffatt [ 13/Mar/18 ]

The functionality described by this Jira has been completed in v6.0 nightly. The functionality is, however, only accessible when using the authentication trees component.

Comment by Biswajit Sahoo [ 22/Mar/18 ]

We are waiting for this fix; now it's mentioned it will not be fixed for Authentication chains, but it's fixed for trees. So if your client is using the Authentication chain, do you want them to migrate to Auth trees to fix this issue? So there is a cost involved to the customer, isn't it?

Generated at Sun Sep 27 07:04:22 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.