Inconsistent login errors reported when credential validation fails with local IDP logins and OAuth based IDP logins

  • 7018631
  • 17-Feb-2017
  • 23-Feb-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1

Situation

When logging into the IDP server with credentials that fail validation for different reasons, the errors reported back give a clear indication of the problem, e.g.:
 
1. Wrong password -> Login failed, please try again.
2. Intruder Lockout -> Your login has been disabled due to intruder detection.
3. Disable Login -> Your login has been disabled.
 
When using the OAuth resource owner (password) flow to run the same tests, the message returned is the same in every case, e.g. a login failure due to a wrong password and an intruder lockout both return the same error string:
 
opensuse:~ # curl -k -X POST -d 'grant_type=password&client_id=5536c1b5-722a-496c-82bb-daaa621055b9&client_secret=SmWRWGSOheBMyaLAQ1PfqblCyDwf4-7cYYmLUTqlPYxj_86rB8ds_Mz86TR1q5Uj1D-5OuzZq9FA2XcsW1K6pg&username=alex&password=novell' https://idp.lab.novell.com:8443/nidp/oauth/nam/token
{
        "error":"invalid_grant",
        "error_description":"invalid_grant: user credentails are not valid"
}
opensuse:~ #

Resolution

Apply NetIQ Access Manager 4.3.1.
 
 
Tested on a setup upgraded from 4.3 to 4.3.1:
curl -v -k -X POST -d 'grant_type=password&client_id=0ad1dc18-8720-4f49-a809-3809c6616654&client_secret=lgTumlFbsZ3TC-v3yVACdlAiWFyUQtvYj2UUHLLtGbtCIXouGYYRBlv0mVGWixZ1Blko3_SYzZBA4lJ6Wt5rQ&username=user91&password=novell' https://rhel7-acidp.netiq.com:8443/nidp/oauth/nam/token

{
        "error":"invalid_grant",
        "error_description":"invalid_grant: Your login has been disabled."
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
}

For an incorrect password or a user that does not exist:
{
        "error":"invalid_grant",
        "error_description":"invalid_grant: Login failed, please try again."
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
}
Intruder detection:
{
        "error":"invalid_grant",
        "error_description":"invalid_grant: Your login has been disabled due to intruder detection."
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
}
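A small helper, added here as an illustration and not part of this TID or the product, that classifies the token-endpoint error bodies shown above so a client or a log pipeline can tell the three failure reasons apart and flag the pre-4.3.1 generic message. The sample responses are constructed from the captures on this page (curl's "* ..." stderr lines are stripped before JSON parsing), and the category names are assumptions chosen for the example.

```python
import json
import re
from collections import Counter

# Category names are assumed for this example; they are not NAM identifiers.
# Order matters: the intruder-lockout text also contains "login has been disabled".
_PATTERNS = [
    (re.compile(r"intruder detection", re.I), "intruder_lockout"),
    (re.compile(r"login has been disabled", re.I), "login_disabled"),
    # The TID shows the same message for a wrong password and for an unknown user.
    (re.compile(r"login failed", re.I), "bad_credentials"),
]

def strip_curl_verbose(raw: str) -> str:
    """Drop curl -v stderr lines ('* ...') that are interleaved with the JSON body."""
    return "\n".join(l for l in raw.splitlines() if not l.lstrip().startswith("* "))

def classify_token_error(raw: str) -> str:
    """Map a /nidp/oauth/nam/token error body to a failure category.

    Returns 'generic' for the pre-4.3.1 message, which does not reveal the
    reason, and 'other' for anything that is not an invalid_grant error.
    """
    body = json.loads(strip_curl_verbose(raw))
    if body.get("error") != "invalid_grant":
        return "other"
    desc = body.get("error_description", "")
    for pattern, category in _PATTERNS:
        if pattern.search(desc):
            return category
    return "generic"

def tally(responses):
    """Count categories across a batch of captured responses (e.g. from logs)."""
    return Counter(classify_token_error(r) for r in responses)

# Constructed samples, copied from the captures in this TID; DISABLED keeps curl's verbose lines.
PRE_431 = '{"error":"invalid_grant","error_description":"invalid_grant: user credentails are not valid"}'
DISABLED = '''{
        "error":"invalid_grant",
        "error_description":"invalid_grant: Your login has been disabled."
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
}'''
WRONG_PW = '{"error":"invalid_grant","error_description":"invalid_grant: Login failed, please try again."}'
LOCKOUT = '{"error":"invalid_grant","error_description":"invalid_grant: Your login has been disabled due to intruder detection."}'

if __name__ == "__main__":
    print(tally([PRE_431, DISABLED, WRONG_PW, LOCKOUT]))
```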