wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Failed login attempts are not counted; login with a bad password returns error code 17001 even when the username exists #16507

Closed yosieu closed 10 months ago

yosieu commented 1 year ago

Describe the issue: After migration from 5.11 to 6.1 I have trouble with Failed Login Attempts and Account Locking.
The user can log in normally, but when the user enters a bad password, the returned error code is 17001 on v6.1; on v5.1 it was 17002 and the parameter remainingAttempts was present in the redirection URL. Also, a login with an existing user and a bad password does not update the Failed Login Attempts claim.

configuration in deployment.toml:

[event.default_listener.identity_mgt]
priority = "50"
enable = false

[event.default_listener.governance_identity_mgt]
priority = "95"
enable = true

[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
showAuthFailureReasonOnLoginPage = true

[identity_mgt.account_locking]
allowed_failed_attempts = 5
auto_unlock_time_increment_ratio = 2
auto_unlock_after = 15
enable_account_locking = true

How to reproduce: IDN

Expected behavior: Same as described in the documentation. The user will be locked after entering a bad password n times. The error code returned on a bad login attempt will be 17002, and the parameter remainingAttempts will be present.

Environment information (Please complete the following information; remove any unnecessary fields) :


Thanks for help

DMHP commented 1 year ago

Hi @yosieu, I have tried out the flow in the 6.1 pack and in the latest Identity Server snapshot. I received the following URL when a bad password is used.

https://localhost:9443/authenticationendpoint/login.do?client_id=MY_ACCOUNT&code_challenge=zH3kmRnWWo2hw5PUwGX42LFyxHwOugHB_FeKaAucyUc&code_challenge_method=S256&commonAuthCallerPath=%2Foauth2%2Fauthorize&forceAuth=false&passiveAuth=false&redirect_uri=https%3A%2F%2Flocalhost%3A9443%2Fmyaccount&response_mode=form_post&response_type=code&scope=openid+openid+SYSTEM&state=request_0&tenantDomain=carbon.super&sessionDataKey=6ef6bcc9-322f-4d82-8453-7ec71c446518&relyingParty=MY_ACCOUNT&type=oidc&sp=My+Account&isSaaSApp=true&authenticators=BasicAuthenticator%3ALOCAL&authFailure=true&authFailureMsg=login.fail.message&failedUsername=navija&errorCode=17002&remainingAttempts=4

So the expected error code has been received as 17002.

The error code '17001' has not been recorded in the source code as well.[1] Please let us know if you faced any issues in the migration process.

[1] https://github.com/wso2-extensions/identity-governance/blob/master/components/org.wso2.carbon.identity.recovery/src/main/java/org/wso2/carbon/identity/recovery/IdentityRecoveryConstants.java#L212
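The difference between the two reports comes down to what the login redirect carries: with failed-attempt counting active, the URL ends in errorCode=17002 and remainingAttempts=N (N = allowed_failed_attempts minus the failures so far); with counting inactive, the reporter saw errorCode=17001 and no remainingAttempts. The following is an added example, not code from this thread or from WSO2, that parses such a redirect URL and checks it against the locking policy from the reporter's deployment.toml. The first sample URL is a trimmed copy of the maintainer's reproduction above; the second is a constructed approximation of what the reporter described, and both are labelled as such in the code.

```python
from urllib.parse import urlparse, parse_qs

# Account-locking policy from the reporter's deployment.toml (allowed_failed_attempts = 5).
ALLOWED_FAILED_ATTEMPTS = 5

# Trimmed copy of the redirect URL in the maintainer's reproduction (counting active).
WORKING_REDIRECT = (
    "https://localhost:9443/authenticationendpoint/login.do?client_id=MY_ACCOUNT"
    "&authenticators=BasicAuthenticator%3ALOCAL&authFailure=true"
    "&authFailureMsg=login.fail.message&failedUsername=navija"
    "&errorCode=17002&remainingAttempts=4"
)

# Constructed approximation of the reporter's redirect: 17001 and no remainingAttempts.
REPORTED_REDIRECT = (
    "https://localhost:9443/authenticationendpoint/login.do?client_id=MY_ACCOUNT"
    "&authenticators=BasicAuthenticator%3ALOCAL&authFailure=true"
    "&authFailureMsg=login.fail.message&failedUsername=navija"
    "&errorCode=17001"
)


def parse_auth_failure(redirect_url):
    """Extract the failure-related query parameters from a login redirect URL.

    Returns a dict with authFailure (bool), errorCode (str or None),
    remainingAttempts (int or None) and failedUsername (str or None).
    """
    qs = parse_qs(urlparse(redirect_url).query)

    def first(name):
        values = qs.get(name)
        return values[0] if values else None

    remaining = first("remainingAttempts")
    return {
        "authFailure": first("authFailure") == "true",
        "errorCode": first("errorCode"),
        "remainingAttempts": int(remaining) if remaining is not None else None,
        "failedUsername": first("failedUsername"),
    }


def check_lockout_counter(redirect_url, failures_so_far, allowed=ALLOWED_FAILED_ATTEMPTS):
    """Compare a bad-password redirect with the documented account-locking behaviour.

    failures_so_far counts consecutive bad passwords for this user, including the one
    that produced this redirect. Returns a list of findings; empty means the redirect
    shows the failed-attempt counter working as expected.
    """
    info = parse_auth_failure(redirect_url)
    findings = []
    if not info["authFailure"]:
        findings.append("authFailure flag missing: redirect is not a login failure")
        return findings
    if info["errorCode"] != "17002":
        findings.append(
            f"unexpected errorCode {info['errorCode']!r}; expected 17002 for a bad password"
        )
    if info["remainingAttempts"] is None:
        findings.append(
            "remainingAttempts missing: failed-attempt counting is not active for this login"
        )
    else:
        expected = allowed - failures_so_far
        if info["remainingAttempts"] != expected:
            findings.append(
                f"remainingAttempts={info['remainingAttempts']} but expected {expected} "
                f"(allowed={allowed}, failures so far={failures_so_far})"
            )
    return findings


if __name__ == "__main__":
    for label, url in (("maintainer", WORKING_REDIRECT), ("reporter", REPORTED_REDIRECT)):
        result = check_lockout_counter(url, failures_so_far=1)
        print(label, "->", "OK" if not result else "; ".join(result))
```

Run it after each deliberate bad-password attempt on a test account, passing the redirect URL the browser was sent to and the attempt number; an empty finding list on every attempt up to allowed_failed_attempts means the governance listener is counting, while a missing remainingAttempts on the first attempt points at the listener configuration rather than at the password itself.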

DMHP commented 10 months ago

Closing the issue as this cannot be reproduced. Please re-open if you have any other concerns.