OpenIdentityPlatform / OpenAM

OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
https://www.openidentityplatform.org/openam

Configuring OpenID Connect may cause a hang if a token cannot be obtained by logging in dsamuser #693

Closed sp193 closed 7 months ago

sp193 commented 8 months ago

Describe the bug

Accessing the Configure OpenID Connect screen has the potential to hang. I have only encountered it once so far, but I think the code may still need a design change, and I am starting a discussion to discuss it. I'll explain why at the bottom.

To Reproduce

Steps to reproduce the behavior:

  1. Navigate from realm dashboard -> Configure OAuth Provider -> Configure OpenID Connect
  2. A hang is noted. Many logs are printed under "Authentication", "CoreSystem" and "Configuration" about authentication failure.

Expected behavior

There should be no risk of freezing up.

Screenshots

CoreSystem:

amSecurity:12/21/2023 01:28:19:943 PM SGT: Thread[http-nio-9090-exec-7,5,main]: TransactionId[1394baa8-5d26-4e49-b92e-201d481f7899-274]
ERROR: SystemAppTokenProvider.getAppSSOToken()
com.sun.identity.authentication.spi.AuthLoginException: Authentication Error!!|auth_error_template.jsp
    at com.sun.identity.authentication.AuthContext.runLogin(AuthContext.java:745)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:638)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:584)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:418)
    at com.sun.identity.security.SystemAppTokenProvider.getAppSSOToken(SystemAppTokenProvider.java:80)
    at com.sun.identity.security.AdminTokenAction.getSSOToken(AdminTokenAction.java:316)
    at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:229)
    at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:77)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.forgerock.openam.core.CoreWrapper.getAdminToken(CoreWrapper.java:160)
    at org.forgerock.openam.rest.RealmContextFilter.evaluate(RealmContextFilter.java:232)
    at org.forgerock.openam.rest.RealmContextFilter.evaluate(RealmContextFilter.java:211)
    at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:86)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:170)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
    at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
    at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
    at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:555)
    at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:477)
    at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:468)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:147)
    at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:59)
    at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:214)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:69)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:122)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:70)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:254)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:86)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1790)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:750)
Caused by: com.sun.identity.authentication.service.AuthException: Authentication Error!!|auth_error_template.jsp
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:1052)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:878)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:858)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:825)
    at com.sun.identity.authentication.AuthContext.runLogin(AuthContext.java:717)
    ... 82 more
Caused by: com.sun.identity.authentication.service.AuthException: Authentication Error!!|auth_error_template.jsp
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:1018)
    ... 86 more
Caused by: com.sun.identity.authentication.service.AuthException: Authentication Error!!|auth_error_template.jsp
    at com.sun.identity.authentication.service.LoginState.populateOrgProfile(LoginState.java:872)
    at com.sun.identity.authentication.service.LoginState.createAuthContext(LoginState.java:4089)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:1006)
    ... 86 more

Configuration:

amSMS:12/21/2023 01:27:53:857 PM SGT: Thread[http-nio-9090-exec-7,5,main]: TransactionId[1394baa8-5d26-4e49-b92e-201d481f7899-274]
ERROR: OrganizationConfigManager: Unable to get Service Config
com.iplanet.sso.SSOException: SSO Token is not valid.
    at com.iplanet.sso.providers.dpro.SSOProviderImpl.validateToken(SSOProviderImpl.java:323)
    at com.iplanet.sso.SSOTokenManager.validateToken(SSOTokenManager.java:475)
    at com.sun.identity.sm.ServiceConfigManager.<init>(ServiceConfigManager.java:125)
    at com.sun.identity.sm.ServiceConfigManager.<init>(ServiceConfigManager.java:93)
    at com.sun.identity.sm.OrganizationConfigManager.getServiceConfig(OrganizationConfigManager.java:1180)
    at com.sun.identity.authentication.service.LoginState.populateOrgProfile(LoginState.java:674)
    at com.sun.identity.authentication.service.LoginState.createAuthContext(LoginState.java:4089)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:1006)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:878)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:858)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:825)
    at com.sun.identity.authentication.AuthContext.runLogin(AuthContext.java:717)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:638)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:584)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:418)
    at com.sun.identity.security.SystemAppTokenProvider.getAppSSOToken(SystemAppTokenProvider.java:80)
    at com.sun.identity.security.AdminTokenAction.getSSOToken(AdminTokenAction.java:316)
    at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:229)
    at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:77)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.forgerock.openam.core.CoreWrapper.getAdminToken(CoreWrapper.java:160)
    at org.forgerock.openam.rest.RealmContextFilter.evaluate(RealmContextFilter.java:232)
    at org.forgerock.openam.rest.RealmContextFilter.evaluate(RealmContextFilter.java:211)
    at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:86)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:170)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
    at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
    at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
    at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:555)
    at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:477)
    at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:468)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:147)
    at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:59)
    at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:214)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:69)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:122)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:70)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:254)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:86)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1790)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:750)

Authentication:

amAuthContext:12/21/2023 01:30:14:039 PM SGT: Thread[http-nio-9090-exec-7,5,main]: TransactionId[1394baa8-5d26-4e49-b92e-201d481f7899-274]
ERROR: Failed to login to http://am.wisx.io:9090/wisxam/authservice
amAuthContext:12/21/2023 01:30:14:041 PM SGT: Thread[http-nio-9090-exec-7,5,main]: TransactionId[1394baa8-5d26-4e49-b92e-201d481f7899-274]
ERROR: Authentication failed.
amAuth:12/21/2023 01:30:14:047 PM SGT: Thread[http-nio-9090-exec-7,5,main]: TransactionId[1394baa8-5d26-4e49-b92e-201d481f7899-274]
ERROR: Error in populateOrgProfile
Message:Invalid SSO Token: Invalid SSO Token

    at com.sun.identity.sm.OrganizationConfigManager.getServiceConfig(OrganizationConfigManager.java:1188)
    at com.sun.identity.authentication.service.LoginState.populateOrgProfile(LoginState.java:674)
    at com.sun.identity.authentication.service.LoginState.createAuthContext(LoginState.java:4089)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:1006)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:878)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:858)
    at com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:825)
    at com.sun.identity.authentication.AuthContext.runLogin(AuthContext.java:717)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:638)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:584)
    at com.sun.identity.authentication.AuthContext.login(AuthContext.java:418)
    at com.sun.identity.security.SystemAppTokenProvider.getAppSSOToken(SystemAppTokenProvider.java:80)
    at com.sun.identity.security.AdminTokenAction.getSSOToken(AdminTokenAction.java:316)
    at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:229)
    at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:77)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.forgerock.openam.core.CoreWrapper.getAdminToken(CoreWrapper.java:160)
    at org.forgerock.openam.rest.RealmContextFilter.evaluate(RealmContextFilter.java:232)
    at org.forgerock.openam.rest.RealmContextFilter.evaluate(RealmContextFilter.java:211)
    at org.forgerock.openam.rest.RealmContextFilter.filter(RealmContextFilter.java:86)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.routing.ResourceApiVersionRoutingFilter.filter(ResourceApiVersionRoutingFilter.java:64)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.grantAccess(AuthenticationFramework.java:220)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$400(AuthenticationFramework.java:65)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:212)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$3.apply(AuthenticationFramework.java:205)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:255)
    at org.forgerock.util.promise.Promises$CompletedPromise.thenAsync(Promises.java:244)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.validateRequest(AuthenticationFramework.java:170)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.access$100(AuthenticationFramework.java:65)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:155)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework$1.apply(AuthenticationFramework.java:152)
    at org.forgerock.util.promise.PromiseImpl$7.handleStateChange(PromiseImpl.java:485)
    at org.forgerock.util.promise.PromiseImpl.handleCompletion(PromiseImpl.java:567)
    at org.forgerock.util.promise.PromiseImpl.addOrFireListener(PromiseImpl.java:555)
    at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:477)
    at org.forgerock.util.promise.PromiseImpl.thenAsync(PromiseImpl.java:468)
    at org.forgerock.caf.authentication.framework.AuthenticationFramework.processMessage(AuthenticationFramework.java:147)
    at org.forgerock.caf.authentication.framework.AuthenticationFilter.filter(AuthenticationFilter.java:96)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.GuiceHandler.handle(GuiceHandler.java:59)
    at org.forgerock.openam.http.HttpRoute$6.handle(HttpRoute.java:214)
    at org.forgerock.http.routing.Router.handle(Router.java:100)
    at org.forgerock.http.swagger.OpenApiRequestFilter.filter(OpenApiRequestFilter.java:69)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.ApiDescriptorFilter.filter(ApiDescriptorFilter.java:122)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.openam.http.OpenAMHttpApplication$1.filter(OpenAMHttpApplication.java:70)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.filter.TransactionIdInboundFilter.filter(TransactionIdInboundFilter.java:60)
    at org.forgerock.http.handler.Handlers$1.handle(Handlers.java:61)
    at org.forgerock.http.servlet.HttpFrameworkServlet.service(HttpFrameworkServlet.java:254)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:86)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1790)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:750)

Additional context

In AdminTokenAction.getSSOToken, we have a loop that looks like this:

    // Copy the authentication state
    final boolean authInit = authInitialized;
    while (ssoAuthToken == null) {
        try {
            if (authInit)
                authInitialized = false;
            // Obtain SSOToken using AuthN service
            ssoAuthToken = new SystemAppTokenProvider(adminDN, adminPassword).getAppSSOToken();
        } catch (NoClassDefFoundError ne) {
            throw ne;
        } catch (Throwable e) {
            debug.error("AdminTokenAction::getSSOToken Exception reading from serverconfig.xml", e);
            if (!authInit)
                break;
        } finally {
            // Restore the authentication state
            if (authInit && ssoAuthToken != null) {
                authInitialized = true;
                internalAppSSOToken = null;
            }
        }
    }

If the token somehow cannot be returned, this loop cannot ever exit. This loop was introduced in commit d1c33f8, with no comment about why it was added. What was wrong with the original logic of just letting the failed login fail?

It may be possible that there's another problem related to why the token could not be returned at that very specific moment, but I have no information about that anymore.

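The following is an added, self-contained Java example (not OpenAM's code, and not something the reporter or the project posted) that shows the defect discussed above in isolation: when `authInit` is true, the quoted loop has no exit path other than a successful token fetch, so a provider that always fails keeps the request thread spinning. The example keeps the shape of the original (copy the auth state, attempt, restore the state) but caps the number of attempts and surfaces the last failure so the caller can return an error instead of hanging. `TokenProvider`, `SsoToken`, `BoundedAdminTokenFetcher` and the attempt/backoff parameters are all assumptions made for this example; the `internalAppSSOToken` bookkeeping from the original is left out.

```java
import java.util.concurrent.atomic.AtomicInteger;

/** Hypothetical stand-in for OpenAM's SSOToken; not the real class. */
final class SsoToken {
    final String id;
    SsoToken(String id) { this.id = id; }
}

/** Hypothetical abstraction over SystemAppTokenProvider.getAppSSOToken(). */
interface TokenProvider {
    SsoToken getAppSSOToken() throws Exception;
}

/**
 * Bounded version of the retry loop quoted from AdminTokenAction.getSSOToken.
 * Same structure as the original, but the loop is capped so a provider that
 * never succeeds cannot hang the request thread.
 */
final class BoundedAdminTokenFetcher {
    private volatile boolean authInitialized = true;
    private final TokenProvider provider;
    private final int maxAttempts;
    private final long backoffMillis;

    BoundedAdminTokenFetcher(TokenProvider provider, int maxAttempts, long backoffMillis) {
        if (maxAttempts < 1) throw new IllegalArgumentException("maxAttempts must be >= 1");
        this.provider = provider;
        this.maxAttempts = maxAttempts;
        this.backoffMillis = backoffMillis;
    }

    SsoToken getSSOToken() throws Exception {
        final boolean authInit = authInitialized;   // copy the authentication state
        SsoToken ssoAuthToken = null;
        Throwable last = null;
        try {
            for (int attempt = 1; ssoAuthToken == null && attempt <= maxAttempts; attempt++) {
                try {
                    if (authInit) authInitialized = false;
                    ssoAuthToken = provider.getAppSSOToken();
                } catch (NoClassDefFoundError ne) {
                    throw ne;                        // unrecoverable, as in the original
                } catch (Throwable e) {
                    last = e;
                    if (!authInit) break;            // original behaviour: no retry on the non-init path
                    if (attempt < maxAttempts) Thread.sleep(backoffMillis * attempt);  // linear backoff
                }
            }
        } finally {
            // Restore the authentication state whether or not a token was obtained,
            // so a failed request does not leave the flag flipped for the next one.
            if (authInit) authInitialized = true;
        }
        if (ssoAuthToken == null) {
            // Surface the failure instead of spinning: the caller can return an error
            // response and the worker thread is released.
            throw new IllegalStateException(
                    "admin SSO token unavailable after " + maxAttempts + " attempts", last);
        }
        return ssoAuthToken;
    }
}

public class RetryLoopDemo {
    public static void main(String[] args) throws Exception {
        // Constructed provider 1: fails on every call, which is the situation in the report.
        TokenProvider alwaysFails = () -> { throw new RuntimeException("Authentication Error!!"); };
        BoundedAdminTokenFetcher f1 = new BoundedAdminTokenFetcher(alwaysFails, 3, 10);
        try {
            f1.getSSOToken();
        } catch (IllegalStateException e) {
            System.out.println("terminated: " + e.getMessage() + " (cause: " + e.getCause().getMessage() + ")");
        }

        // Constructed provider 2: transient failures, then success on the third call.
        AtomicInteger calls = new AtomicInteger();
        TokenProvider flaky = () -> {
            if (calls.incrementAndGet() < 3) throw new RuntimeException("transient");
            return new SsoToken("constructed-token-id");
        };
        BoundedAdminTokenFetcher f2 = new BoundedAdminTokenFetcher(flaky, 5, 10);
        SsoToken t = f2.getSSOToken();
        System.out.println("token " + t.id + " obtained after " + calls.get() + " calls");
    }
}
```

Run with `javac RetryLoopDemo.java && java RetryLoopDemo`. The first fetcher gives up after three attempts and throws; the second returns a token after three calls. The cap is the whole point: a persistent authentication failure (as in the "Invalid SSO Token" traces above) becomes a logged, bounded error rather than an unbounded loop holding a Tomcat worker thread.
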
vharseko commented 7 months ago

Please check https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/14.8.3