leonardorobertolopez
commented
6 months ago Hi Team: I added the step 2.b and improve the step nr 6 with an additional example and further explanation. Kindly let me know if additional details are needed. Thank you Best Regards
Describe the issue: When attempting to use the password grant type, we have identified that the error message is not being cleared consistently when an error occurred during the flow. Here's a detailed explanation: We are using a OIDC Service Provider and executing the following curl command multiple times to test the password grant type: curl -u: -k -d "grant_type=password&username=&password=&scope=openid" -H "Content-Type:application/x-www-form-urlencoded" https://:/oauth2/token
In a log through a log patch, we first observe the clearing of the error message: [2023-12-18 21:04:49,037] INFO {org.wso2.carbon.identity.core.util.IdentityUtil} - Clearing error message java.lang.Throwable
Followed by setting a new error message: [2023-12-18 21:31:25,158] INFO {org.wso2.carbon.identity.core.util.IdentityUtil} - Setting error message with code 17003 to context java.lang.Throwable
However, the error message is not cleared subsequently.
How to reproduce:
2.b. Enable the account lock functionality at Resident idp level. For doing that please go to -Management Console > Identity Providers > Resident > Login Policies > Account Locking > and tick the flag:
"Account Lock Enabled"An example of this command is: curl --location 'https://localhost:9443/oauth2/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --header 'Authorization: Basic base64 cod:' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=' \
--data-urlencode 'password=' \
--data-urlencode 'scope=openid'
You can import it directly in Postman.
Note: Run this command 10 times to impact all threads in the system. When we say "impact," we refer to the scenario where if clearMessage() runs first followed by setMessage(), and clearMessage() is not executed again, the last error message set in setMessage() remains making that all the threads of the system don’t clear the error message properly. When we say "the last error message set in setMessage()" I refer to the below image that is obtained when login in again in another service provider. That is the evidence that in the thread the last error message hasn't been cleared properly .
Note: The above command should be executed with the credentials of the user created in step 5, generating the corresponding password lock error.
In summary, the purpose of this test is to demonstrate that the password grant type does not appropriately implement the clearMessage() function after the setMessage(). This could be reproduced for example when attempting to invoke the token endpoint using a blocked user. The absence of a subsequent clear after set means each thread does not clear the errors obtained from invoking the token endpoint. Consequently, when the same thread is reused in a different flow, such as a login flow with a multi-step option as explained in point nr 7 , an error is observed. This error does not pertain to the current flow but is instead a residual message stored in each thread from the previous operation. Thank you
Expected behavior: The error showed in the screen shouldnt take place because is not related with that flow.
Environment information