Inconconsistent login errors reported when credential validation fails with local IDP logins ad OAuth based IDP logins

  • 7018631
  • 17-Feb-2017
  • 23-Feb-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1

Situation

When logging into the IDP server with credentials that fail to be validated for different reasons, the errors reported back give a clear indication as to the problem eg.
 
1. Wrong password -> Login failed, please try again.
2. Intruder Lockout -> Your Login Has been disabled due to intruder detection
3. Disable Login -> Your login has been disabled.
 
When using OAuth resource owner flow to do the same test, the messages returned are all the same eg. Login Failure due to wrong password, or intruder lockout gives the same error string.
 
opensuse:~ # curl -k -X POST -d 'grant_type=password&client_id=5536c1b5-722a-496c-82bb-daaa621055b9&client_secret=SmWRWGSOheBMyaLAQ1PfqblCyDwf4-7cYYmLUTqlPYxj_86rB8ds_Mz86TR1q5Uj1D-5OuzZq9FA2XcsW1K6pg&username=alex&password=novell' https://idp.lab.novell.com:8443/nidp/oauth/nam/token
{
        "error":"invalid_grant",
        "error_description":"invalid_grant: user credentails are not valid"
}
opensuse:~ #

Resolution

Apply 4.3.1.
 
 
Tested on upgrade setup from 4.3 to 4.3.1
curl -v -k -X POST -d 'grant_type=password&client_id=0ad1dc18-8720-4f49-a809-3809c6616654&client_secret=lgTumlFbsZ3TC-v3yVACdlAiWFyUQtvYj2UUHLLtGbtCIXouGYYRBlv0mVGWixZ1Blko3_SYzZBA4lJ6Wt5rQ&username=user91&password=novell' https://rhel7-acidp.netiq.com:8443/nidp/oauth/nam/token

{
        "error":"invalid_grant",
        "error_description":"invalid_grant: Your login has been disabled."
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
}

for incorrect login/user doesn't exist
{
        "error":"invalid_grant",
        "error_description":"invalid_grant: Login failed, please try again."
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
}
Intruder detection
{
        "error":"invalid_grant",
        "error_description":"invalid_grant: Your login has been disabled due to intruder detection."
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
}

Feedback service temporarily unavailable. For content questions or problems, please contact Support.