Issue opened by karelmaxa 1 year ago (status: Open)
I understand the change that introduced this issue - if the account is in multiple datastores it has to be active in all of them. So we might want to implement such a feature; however, the revert is the correct thing to do for now.
Wren:AM supports the configuration of multiple data stores with different sets of accounts. But when you configure it, every authentication request ends with a "Your account has been locked" error. The current implementation of the check whether an account is active requires the account to be active in every configured data store (IdServicesImpl.java#L1155). However, if the account is missing, it is assumed to be inactive (DatabaseRepo.java#L1583).
The process of checking account status was changed in https://github.com/WrenSecurity/wrenam/commit/65486bc1ab0d1e04e42b7e9bdc7c4e2b0d58d31d. Prior to this change, one active account was sufficient for successful authentication.
I think a missing account in the data store should not be considered an inactive account. Only if an inactive account is found in the data store should the process return an "inactive account" response.
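As an added illustration (not code from the WrenAM project), the following Python model contrasts the current "active in every store, missing counts as inactive" check described above with the semantics this issue proposes. The store names, account names and the treatment of an account that is missing from every store are constructed assumptions.

```python
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    INACTIVE = "inactive"
    NOT_FOUND = "not_found"


# Constructed sample: two data stores holding disjoint sets of accounts,
# the configuration in which the issue reports every login being refused.
STORES = {
    "employees": {"alice": Status.ACTIVE, "bob": Status.INACTIVE},
    "contractors": {"carol": Status.ACTIVE},
}


def is_active_current(username, stores):
    """Model of the behaviour the issue describes: every configured store
    must report the account as active, and a store that does not hold the
    account reports it as inactive. Any user present in only one store
    therefore fails the check."""
    for accounts in stores.values():
        status = accounts.get(username, Status.NOT_FOUND)
        if status is Status.NOT_FOUND:
            status = Status.INACTIVE  # missing is treated as inactive
        if status is not Status.ACTIVE:
            return False
    return True


def is_active_proposed(username, stores):
    """Model of the semantics proposed in the issue: stores that do not hold
    the account are ignored, an explicit inactive record in any store blocks
    the user, and the account must be active in every store that has it.
    An account found in no store at all is reported inactive here; that
    fallback is an assumption, not something the issue specifies."""
    seen_active = False
    for accounts in stores.values():
        status = accounts.get(username, Status.NOT_FOUND)
        if status is Status.INACTIVE:
            return False
        if status is Status.ACTIVE:
            seen_active = True
    return seen_active
```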