authenticate Incorrect number of callback found in JSON response

This topic contains 15 replies, has 3 voices, and was last updated by  Peter Major 2 years, 7 months ago.

  • #14834
     Frotonis 
    Participant

    hi,

When I am at the login page and using REST, I see unexpected behaviour.

I filled in a bad password for the user. REST returned “User name/password combination is invalid.”
After that, when I fill in a correct or incorrect password, I get 400 Bad Request with the message: “Incorrect number of callback found in JSON response”.

Can somebody help me with this issue?

Thanks for your reply.

    #14860
     Peter Major 
    Moderator

Could be caused by things like OPENAM-8336. Are you always calling the same OpenAM instance?

    #15429
     Frotonis 
    Participant

    Hi Peter,

I am not behind an LB. I am just using one instance of OpenAM for authentication. So I still have a problem with this.

But your link was useful for me, because in the production environment I am using an LB.

    #15430
     Frotonis 
    Participant

Another question: is there a possibility to see the changelog for this bug? OPENAM-8433

    • This reply was modified 2 years, 8 months ago by  Frotonis.
    #15432
     Peter Major 
    Moderator

    Are you using ForceAuth?

    #15433
     Frotonis 
    Participant

No, I am not. Just authenticating against a realm with a custom module.

    #15434
     Peter Major 
    Moderator

    Are you not retaining the authId in subsequent REST calls then?

    #15438
     Frotonis 
    Participant

Sorry, but I am not sure I understand your question.

My first request is /json/realmname/authenticate, which returns an authId.

When I submitted my form with the callbacks returned from the first request (with bad credentials), I got
{"code":500,"reason":"Internal Server Error","message":"Authentication Error!!"} with the message invalid username/password. The authId is the same as I received from the first request.

When I submitted this form again (again with bad credentials, or with good credentials), I got "Incorrect number of callback found in JSON response" (again I sent the same authId).

    #15440
     Peter Major 
    Moderator

I think at this stage the easiest way to tell if this is a user error or something else is if you post your curl requests along with the responses, up to and including the error message.

    #15444
     Rogerio Rondini 
    Participant

    Hi,

I think in the 3rd call the authId is already invalid. If you get an invalid password on the 2nd call, you will probably need to start the authentication process from the first step to get a new authId.

    #15455
     Frotonis 
    Participant

    Hi,

So, the first request, when OpenAM checked that there is no id in the session:

    POST /openam/json/mail/authenticate? HTTP/1.1
    Host: domain.st.sk
    Connection: keep-alive
    Content-Length: 0
    Accept-API-Version: protocol=1.0,resource=2.0
    Origin: https://domain.st.sk
    X-Password: anonymous
    X-Username: anonymous
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    Content-Type: application/json
    Accept: application/json, text/javascript, */*; q=0.01
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    X-NoSession: true
    Referer: https://domain.st.sk/openam/XUI/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: sk,cs;q=0.8,en-US;q=0.6,en;q=0.4,nb;q=0.2
    Cookie: amlbcookie=01; i18next=sk
    
    curl 'https://domain.st.sk/openam/json/mail/authenticate?' -X POST -H 'Accept-API-Version: protocol=1.0,resource=2.0' -H 'Cookie: amlbcookie=01; i18next=sk' -H 'Origin: https://domain.st.sk' -H 'Accept-Encoding: gzip, deflate, br' -H 'X-Password: anonymous' -H 'Accept-Language: sk,cs;q=0.8,en-US;q=0.6,en;q=0.4,nb;q=0.2' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'Content-Length: 0' -H 'X-Username: anonymous' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36' -H 'Content-Type: application/json' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Cache-Control: no-cache' -H 'Referer: https://domain.st.sk/openam/XUI/' -H 'X-NoSession: true' --compressed ;
    
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: amlbcookie=01; Domain=.st.sk; Path=/
    Cache-Control: no-cache, no-store, must-revalidate
    Content-API-Version: resource=2.0
    Expires: 0
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
    Content-Length: 702
    Date: Fri, 20 Jan 2017 07:16:50 GMT
    {"authId":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogInJrYWg3ZXUzcXE0MWY3dGk5bWFyOW5kOGQ3IiwgInJlYWxtIjogIm89bWFpbCxvdT1zZXJ2aWNlcyxkYz1vcGVuYW0sZGM9c3QsZGM9c2siLCAic2Vzc2lvbklkIjogIkFRSUM1d00yTFk0U2ZjeE52THlqaXM4eER3QjFaRmtTeGVXLU5LVHphS21EZjdrLipBQUpUU1FBQ01ERUFBbE5MQUJNMU9EQTVNVEkxTXpJNE5UQTROekUxTVRFeEFBSlRNUUFBKiIgfQ.Ao9Xr7pPb51vF5i29vnRQ_rm9pPU3GlXtR_MKUQ5HsA","template":"","stage":"PanIPLoginModule3","header":"Prihlásenie","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"Prihlasovacie meno:"}],"input":[{"name":"IDToken1","value":""}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Heslo:"}],"input":[{"name":"IDToken2","value":""}]}]}

The second one is my first submitted data, where my module throws AuthLoginException because of a bad password:

    POST /openam/json/mail/authenticate HTTP/1.1
    Host: domain.st.sk
    Connection: keep-alive
    Content-Length: 717
    Accept-API-Version: protocol=1.0,resource=2.0
    Origin: https://domain.st.sk
    X-Password: anonymous
    X-Username: anonymous
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    Content-Type: application/json
    Accept: application/json, text/javascript, */*; q=0.01
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    X-NoSession: true
    Referer: https://domain.st.sk/openam/XUI/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: sk,cs;q=0.8,en-US;q=0.6,en;q=0.4,nb;q=0.2
    Cookie: i18next=sk; amlbcookie=01
    
    curl 'https://domain.st.sk/openam/json/mail/authenticate' -H 'Accept-API-Version: protocol=1.0,resource=2.0' -H 'Cookie: i18next=sk; amlbcookie=01' -H 'Origin: https://domain.st.sk' -H 'Accept-Encoding: gzip, deflate, br' -H 'X-Password: anonymous' -H 'Accept-Language: sk,cs;q=0.8,en-US;q=0.6,en;q=0.4,nb;q=0.2' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'X-Username: anonymous' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36' -H 'Content-Type: application/json' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Cache-Control: no-cache' -H 'Referer: https://domain.st.sk/openam/XUI/' -H 'X-NoSession: true' --data-binary $'{"authId":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogInJrYWg3ZXUzcXE0MWY3dGk5bWFyOW5kOGQ3IiwgInJlYWxtIjogIm89bWFpbCxvdT1zZXJ2aWNlcyxkYz1vcGVuYW0sZGM9c3QsZGM9c2siLCAic2Vzc2lvbklkIjogIkFRSUM1d00yTFk0U2ZjeE52THlqaXM4eER3QjFaRmtTeGVXLU5LVHphS21EZjdrLipBQUpUU1FBQ01ERUFBbE5MQUJNMU9EQTVNVEkxTXpJNE5UQTROekUxTVRFeEFBSlRNUUFBKiIgfQ.Ao9Xr7pPb51vF5i29vnRQ_rm9pPU3GlXtR_MKUQ5HsA","template":"","stage":"PanIPLoginModule3","header":"Prihl\xe1senie","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"Prihlasovacie meno:"}],"input":[{"name":"IDToken1","value":"mongol"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Heslo:"}],"input":[{"name":"IDToken2","value":"heslo123a"}]}]}' --compressed ;
    
    HTTP/1.1 500 Internal Server Error
    Server: Apache-Coyote/1.1
    Content-API-Version: resource=2.0
    Content-Type: application/json;charset=UTF-8
    Content-Length: 80
    Date: Fri, 20 Jan 2017 07:18:23 GMT
    Connection: close
    {"code":500,"reason":"Internal Server Error","message":"Authentication Error!!"}

After this submit I tried it again, hoping it would fail again with the same problem. Also, if I send the correct password in this request, it fails with the same issue.

    POST /openam/json/mail/authenticate HTTP/1.1
    Host: domain.st.sk
    Connection: keep-alive
    Content-Length: 717
    Accept-API-Version: protocol=1.0,resource=2.0
    Origin: https://domain.st.sk
    X-Password: anonymous
    X-Username: anonymous
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    Content-Type: application/json
    Accept: application/json, text/javascript, */*; q=0.01
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    X-NoSession: true
    Referer: https://domain.st.sk/openam/XUI/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: sk,cs;q=0.8,en-US;q=0.6,en;q=0.4,nb;q=0.2
    Cookie: i18next=sk; amlbcookie=01
    
    curl 'https://domain.st.sk/openam/json/mail/authenticate' -H 'Accept-API-Version: protocol=1.0,resource=2.0' -H 'Cookie: i18next=sk; amlbcookie=01' -H 'Origin: https://domain.st.sk' -H 'Accept-Encoding: gzip, deflate, br' -H 'X-Password: anonymous' -H 'Accept-Language: sk,cs;q=0.8,en-US;q=0.6,en;q=0.4,nb;q=0.2' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'X-Username: anonymous' -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36' -H 'Content-Type: application/json' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Cache-Control: no-cache' -H 'Referer: https://domain.st.sk/openam/XUI/' -H 'X-NoSession: true' --data-binary $'{"authId":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAib3RrIjogInJrYWg3ZXUzcXE0MWY3dGk5bWFyOW5kOGQ3IiwgInJlYWxtIjogIm89bWFpbCxvdT1zZXJ2aWNlcyxkYz1vcGVuYW0sZGM9c3QsZGM9c2siLCAic2Vzc2lvbklkIjogIkFRSUM1d00yTFk0U2ZjeE52THlqaXM4eER3QjFaRmtTeGVXLU5LVHphS21EZjdrLipBQUpUU1FBQ01ERUFBbE5MQUJNMU9EQTVNVEkxTXpJNE5UQTROekUxTVRFeEFBSlRNUUFBKiIgfQ.Ao9Xr7pPb51vF5i29vnRQ_rm9pPU3GlXtR_MKUQ5HsA","template":"","stage":"PanIPLoginModule3","header":"Prihl\xe1senie","callbacks":[{"type":"NameCallback","output":[{"name":"prompt","value":"Prihlasovacie meno:"}],"input":[{"name":"IDToken1","value":"mongol"}]},{"type":"PasswordCallback","output":[{"name":"prompt","value":"Heslo:"}],"input":[{"name":"IDToken2","value":"heslo123a"}]}]}' --compressed
    
    HTTP/1.1 400 Bad Request
    Server: Apache-Coyote/1.1
    Set-Cookie: amlbcookie=01; Domain=.st.sk; Path=/
    Content-API-Version: resource=2.0
    Content-Type: application/json;charset=UTF-8
    Content-Length: 100
    Date: Fri, 20 Jan 2017 07:18:39 GMT
    Connection: close
    {"code":400,"reason":"Bad Request","message":"Incorrect number of callbacks found in JSON response"}
    #15473
     Peter Major 
    Moderator

    From what I can tell your second request to json/authenticate fails (most likely the custom authentication module decides that the authentication was unsuccessful). Once the authentication failed, you shouldn’t use the same authId for subsequent/new requests.

    #15474
     Frotonis 
    Participant

    Okay,

Yes, you are right. My custom authentication module throws InvalidPasswordException, which I hoped would change the authId, but it didn't.

So my question is: what is your suggestion to solve this case? Should I, instead of throwing this exception, set the status to some error state so that it starts authentication again? Or is there some possibility to initiate a call for a new authId when authentication fails?

The second solution would be better, because when I am in the third state (in the case of changing the initial password) and fail on a bad password format, it will start a new authentication process, which is not user friendly at all.

Thanks for your answer.

    #15475
     Peter Major 
    Moderator

It really depends on what you are trying to do. If the authentication error was a recoverable problem, then you probably should just return a new state in your authentication module, so that the authentication flow doesn’t get interrupted. If it’s not a recoverable error, then throw an AuthLoginException (server error) or InvalidPasswordException (invalid credentials), and make sure that the client starts from scratch when it receives an HTTP 500 from the server.
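As an added illustration of the advice above (not code from this thread or from OpenAM), here is a Python client that drives the /json/realm/authenticate callback flow and, on an HTTP 500, discards the authId and starts again from step 1. The FakeOpenAM class is a constructed stand-in for the server behaviour captured in the curl transcript (fresh authId per empty POST, 500 on bad credentials, 400 "Incorrect number of callbacks" when a dead authId is replayed); the transport is an injected `post(body)` function, so the same client logic can be pointed at a real endpoint.

```python
# Constructed stand-in for the OpenAM behaviour seen in this thread (not a real server):
# single-use authId, 500 on bad credentials, 400 when a failed authId is submitted again.
class FakeOpenAM:
    def __init__(self, password):
        self.password = password
        self.usable = {}   # authId -> True while that login session may still be submitted
        self.started = 0   # how many times step 1 (empty POST) was run
    def post(self, body):
        if not body:       # step 1: no authId yet, server hands out one plus the callbacks
            self.started += 1
            auth_id = "authId-%d" % self.started   # constructed value; a JWT in real OpenAM
            self.usable[auth_id] = True
            return 200, {"authId": auth_id, "callbacks": [
                {"type": "NameCallback", "input": [{"name": "IDToken1", "value": ""}]},
                {"type": "PasswordCallback", "input": [{"name": "IDToken2", "value": ""}]}]}
        auth_id = body.get("authId")
        if not self.usable.get(auth_id):   # replayed or unknown authId: the OP's third request
            return 400, {"code": 400, "message": "Incorrect number of callbacks found in JSON response"}
        self.usable[auth_id] = False       # consumed whether or not the credentials are right
        pw = body["callbacks"][1]["input"][0]["value"]
        if pw != self.password:
            return 500, {"code": 500, "message": "Authentication Error!!"}
        return 200, {"tokenId": "SSO-token", "successUrl": "/openam/console"}

def fill_callbacks(step, username, password):
    """Fill NameCallback/PasswordCallback inputs in place, keeping authId and callback order."""
    for cb in step["callbacks"]:
        cb["input"][0]["value"] = username if cb["type"] == "NameCallback" else password
    return step

def login(post, username, password, max_attempts=2):
    """Callback login that restarts from step 1 after an HTTP 500 instead of reusing the authId."""
    for _ in range(max_attempts):
        status, step = post(None)                 # step 1: obtain a fresh authId
        if status != 200 or "authId" not in step:
            raise RuntimeError("could not start authentication: %s" % status)
        status, resp = post(fill_callbacks(step, username, password))
        if status == 200:
            return resp["tokenId"]
        if status != 500:                         # 400 etc. is a client-side mistake, not bad creds
            raise RuntimeError("%s: %s" % (status, resp.get("message")))
    return None                                   # credentials rejected on every attempt

def replay_after_failure(post, username, password):
    """Reproduce the thread's mistake: submit bad creds, then resubmit with the same authId."""
    _, step = post(None)
    post(fill_callbacks(step, username, "wrong-" + password))    # 500; this authId is now dead
    status, _ = post(fill_callbacks(step, username, password))   # same authId, right password
    return status                                                # 400, not 200
```

replay_after_failure reproduces the 400 from the third request in the transcript, while login shows the client behaviour the moderator recommends.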

    #15476
     Frotonis 
    Participant

I've got it.

But what about when I am using the pure XUI login pages? Why didn't the client treat the 500 as the initiator of a new authentication? I thought it should start a new authentication process when this kind of error occurs.

When using XUI, how could I send info that the password is not strong enough, or something else, but continue in the current state?

Thanks.
