The authentication system does not actually have a login screen per se.
What you see as a login screen is the result of the web application
processing the response from that ".../api/tokens" endpoint. There's no
redirect, but rather information about additional authentication
challenges that must be satisfied before the user may log in.
I suspect the issue here is similar to what we encountered with
combining TOTP with SAML or with the new version of Duo's SDK, where the
nature of the third-party redirect means that some of that
authentication context was lost. Lacking that context, the UI just
doesn't know how to render the error.
I think the part of the UI that handles these authentication responses
just needs to be modified to be able to render the reported error even
when the information describing the required credentials is no longer
available, maybe in a similar fashion to the "re-login" message
displayed after logout.
- Mike
On 6/27/24 7:20 PM, Fang, Wen Yan wrote:
02:19:39.721 [http-nio-8080-exec-8] DEBUG o.a.g.rest.RESTExceptionMapper
- Client request rejected: User account is no longer valid.
02:19:46.428 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap
- Checking for expired sessions...
02:19:46.428 [pool-1-thread-1] DEBUG o.a.g.rest.auth.HashTokenSessionMap
- Session check completed in 0 ms.
It does reject the attempt, but it does not redirect the user back to the login
screen or display any visible error message.