Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unique attributes not validated prior to submitting sign up form for JIT provisioning #22221

Open
AmshikaH opened this issue Jan 9, 2025 · 0 comments
Open

Unique attributes not validated prior to submitting sign up form for JIT provisioning #22221

AmshikaH opened this issue Jan 9, 2025 · 0 comments
Labels
Affected/7.1.0-m6 Issues that get reported against IS7.1.0 M6 pack will get this label Severity/Critical Team/User & identity adminstration Type/Bug

Comments

@AmshikaH
Copy link
Contributor

AmshikaH commented Jan 9, 2025
edited
Loading

Description

The following issues have been identified.

  • Unlike the non-provisioning flow, unique attributes are not validated prior to form submission in the JIT provisioning flow.
  • JIT provisioning fails, but the user is not informed that registration failed.

This is described in further detail below.

When unique attributes (other than the username) have been configured as described in [1], if a user attempts the self-registration with a duplicate attribute, the form does not allow the sign up form to be submitted and shows the following error message in the normal sign-up flow where JIT provisioning is not enabled.

Screenshot 2025-01-09 at 09 55 17

However, when JIT provisioning has been enabled to get the user input (for example, prompt user for password and consent), duplicate attributes are not validated prior to the form submission.

As a result, the user is not informed that the attribute is already in use by a different user as in the above flow and the form gets submitted with the user being auto-logged in. Upon login, while the user gets the following UI errors.

Screenshot 2025-01-09 at 10 48 45

The above error is due to the fact that provisioning was unsuccessful and the user does not exist, however, these error messages do not indicate to the user that the self-registration itself was unsuccessful nor do they indicate the reason for the failure, i.e., the use of duplicate values.

The reason for the failure is only seen in the console logs:

[2025-01-09 09:47:33,558] [fa15caec-2051-47da-bc32-a5cac80ddf28] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - User provisioning failed! org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Error while provisioning user : [email protected]
	at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handleWithV2Roles(DefaultProvisioningHandler.java:206)
	at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handleJitProvisioningWithV2Roles(DefaultStepBasedSequenceHandler.java:572)
	at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.callJitProvisioningWithV2Roles(DefaultStepBasedSequenceHandler.java:512)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.JITProvisioningPostAuthenticationHandler.callDefaultProvisioningHandler(JITProvisioningPostAuthenticationHandler.java:973)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.JITProvisioningPostAuthenticationHandler.handleResponseFlow(JITProvisioningPostAuthenticationHandler.java:215)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.JITProvisioningPostAuthenticationHandler.handle(JITProvisioningPostAuthenticationHandler.java:165)
	at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.executePostAuthnHandler(PostAuthenticationMgtService.java:117)
	at org.wso2.carbon.identity.application.authentication.framework.services.PostAuthenticationMgtService.handlePostAuthentication(PostAuthenticationMgtService.java:83)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handlePostAuthentication(DefaultAuthenticationRequestHandler.java:260)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:218)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:382)
	at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:57)
	at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:46)
	at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:54)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:555)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
	at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
	at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
	at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:129)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119)
	at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:123)
	at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38)
	at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:83)
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:211)
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:122)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:110)
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:71)
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152)
	at org.wso2.carbon.extension.identity.x509Certificate.valve.X509CertificateAuthenticationValve.invoke(X509CertificateAuthenticationValve.java:59)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63)
	at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
	at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.wso2.carbon.user.core.UserStoreClientException: The value defined for Email is already in use by different user!
	at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:261)
	at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4991)
	at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:4977)
	at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handleUserProvisioning(DefaultProvisioningHandler.java:332)
	at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handleWithV2Roles(DefaultProvisioningHandler.java:202)
	... 66 more
Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:247)
	... 70 more
Caused by: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.wso2.carbon.user.core.common.AbstractUserStoreManager$2.run(AbstractUserStoreManager.java:250)
	... 72 more
Caused by: org.wso2.carbon.user.core.UserStoreClientException: The value defined for Email is already in use by different user!
	at org.wso2.carbon.identity.unique.claim.mgt.listener.UniqueClaimUserOperationEventListener.checkClaimUniqueness(UniqueClaimUserOperationEventListener.java:174)
	at org.wso2.carbon.identity.unique.claim.mgt.listener.UniqueClaimUserOperationEventListener.doPreAddUser(UniqueClaimUserOperationEventListener.java:92)
	at org.wso2.carbon.user.core.common.AbstractUserStoreManager.addUser(AbstractUserStoreManager.java:5142)
	... 77 more
Caused by: org.wso2.carbon.identity.mgt.policy.PolicyViolationException: The value defined for Email is already in use by different user!
	... 80 more

Expected Behaviour

The expected behaviour would be as follows.

  • The form should not be allowed to be submitted when duplicate attributes have been identified as with the non-provisioning flow.
  • In case the form gets submitted and the JIT provisioning is unsuccessful for whatever reason, the user should be informed that the provisioning/registration was unsuccessful.

[1] https://is.docs.wso2.com/en/latest/guides/users/attributes/configure-unique-attributes/

Steps to Reproduce

Screen.Recording.2025-01-09.at.09.47.08.mov

Version

7.0.0

Environment Details (with versions)

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Affected/7.1.0-m6 Issues that get reported against IS7.1.0 M6 pack will get this label Severity/Critical Team/User & identity adminstration Type/Bug
Projects
Identity Server 7.1.0
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aaujayasena @AmshikaH