OERealm thrown errors

Posted by Blake Stanford on 17-Mar-2020 17:24

Is it possible to throw an AppError in the OERealm class and have it be part of the request response?  

 11.7.5 Windows 10

All Replies

Posted by Michael Jacobs on 17-Mar-2020 19:59

OERealm.UserDetails.appendRealmError=true

When the OERealm ABL class has returned an ABL runtime error, that error's message will be included in the error description returned to the client.

    Username load error (<error-message>)

Username load error is a generic error.  It is used when the OERealm ABL class fails to return all of the user account's data to complete the authentication process.

Posted by Blake Stanford on 17-Mar-2020 20:40

That's not what I'm seeing or I'm not understanding or maybe once again it's my testing tool.

Case:  In the OERealm:ValidatePassword method I would like to be able to check if the user's password has expired.  I've tried throwing an AppError in the validatePassword method and also tried throwing an error from the postAuthenticate method if lRetVal from validatePassword is false.

The error text in the thrown apperror is "Mary had a little lamb".

From PostMan, no matter where the error is thrown, I get the following returned:

    {
       "error": "sso.token.unauthorized_client",
       "error_description": "Internal token error"
    }

From an HTTP login page I get:

HTTP Status 401 – Unauthorized

Type Status Report

Message Authentication Failed: Bad credentials (RealmErrorAppended)

Description The request has not been applied because it lacks valid authentication credentials for the target resource.

Apache Tomcat/8.5.40

Posted by Irfan on 17-Mar-2020 22:41

In a plain OERealm configuration, if you have configured OERealm.UserDetails.appendRealmError=true and throwing an error like this in your class

    UNDO, THROW NEW Progress.Lang.AppError("User is expired ", 2).

then you should get something like this

Username load error ( _errorMsg = ERROR condition: User is expired  (7211) ; _errorNum = 2 )

I believe you are doing HTTP SSO. I will check what you are getting when you do the same with HTTP SSO.

Posted by Blake Stanford on 18-Mar-2020 11:16

Yes Irfan, I'm using SSO and I do have the OERealm.UserDetails.appendRealmError=true in my configuration.

Posted by Michael Jacobs on 18-Mar-2020 11:29

Are you seeing what Irfan has described, or something different?

Posted by Blake Stanford on 18-Mar-2020 11:39

I get this from Postman:

From PostMan, no matter where the error is thrown, I get the following returned:

    {
      "error": "sso.token.unauthorized_client",
      "error_description": "Internal token error"
    }

And this from the standard OE login page:

HTTP Status 401 – Unauthorized

Type Status Report

Message Authentication Failed: Bad credentials (RealmErrorAppended)

Description The request has not been applied because it lacks valid authentication credentials for the target resource.

Apache Tomcat/8.5.40

Posted by Irfan on 18-Mar-2020 11:48

In your SSO configuration, what is the value of SSO.errordetail? Can you set it to 2 and see what you get?

    OESSO.error.detail: A positive integer value { 0|1|2 }
    Specifies the amount of error information returned in an error response message's
    JSON payload.  The valid values are:
       0   no information useful to hackers
       1   minimal information useful to hackers
       2   debug level information very useful to hackers
    [0]

Posted by Irfan on 18-Mar-2020 12:06

I have confirmed the behavior. For the following properties, you will get the error details you need. You have to choose wisely what kind of error-details you want to send back to the client.

For SSO.errordetail=0

{"error":"sso.token.unauthorized_client","error_description":"Internal token error"}

For SSO.errordetail=1

{"error":"sso.token.unauthorized_client","error_description":"Username load error "}

For SSO.errordetail=2

{"error":"sso.token.unauthorized_client","error_description":"Username load error ","error_detail":"ERROR condition: User not found (7211)"}
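
A release check built on the three responses listed above, as an added example that is not part of the original thread and not Progress code: it infers the effective error-detail level from an SSO error response so a deployment can be verified to return only the generic message. The function names, and the rule that ABL runtime text in any field counts as level 2, are assumptions of this example.

```python
import json
import re

# Generic description the thread shows for detail level 0.
GENERIC_DESCRIPTION = "Internal token error"
# ABL runtime error text as quoted in the thread, e.g.
# "ERROR condition: User not found (7211)" or "_errorMsg = ... ; _errorNum = 2".
ABL_ERROR = re.compile(r"ERROR condition:|_errorMsg|_errorNum|\(\d+\)\s*$")

# The three response bodies, copied from the post above.
SAMPLES = {
    "detail_0": '{"error":"sso.token.unauthorized_client",'
                '"error_description":"Internal token error"}',
    "detail_1": '{"error":"sso.token.unauthorized_client",'
                '"error_description":"Username load error "}',
    "detail_2": '{"error":"sso.token.unauthorized_client",'
                '"error_description":"Username load error ",'
                '"error_detail":"ERROR condition: User not found (7211)"}',
}


def inferred_detail_level(body):
    """Infer the error-detail level (0, 1 or 2) from one JSON error body."""
    payload = json.loads(body)
    if "error_detail" in payload:
        return 2
    description = str(payload.get("error_description", "")).strip()
    # Assumption of this example: ABL runtime text in the description
    # (a realm error appended to it) is treated as debug-level leakage.
    if ABL_ERROR.search(description):
        return 2
    if description and description != GENERIC_DESCRIPTION:
        return 1
    return 0


def audit(responses, allowed=0):
    """Return the names of responses that expose more detail than `allowed`."""
    return [name for name, body in responses.items()
            if inferred_detail_level(body) > allowed]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "->", inferred_detail_level(body))
    print("above level 0:", audit(SAMPLES))
```
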

Posted by Blake Stanford on 18-Mar-2020 12:46

In my configuration the sso.errordetail is set to 0.

Understood on the "choose wisely".  Thanks!

Posted by Blake Stanford on 18-Mar-2020 13:10

FYI.....One of the messages we are considering sending back is "Password attempts have been exceeded".  Is there a better way of handling that situation?

Posted by timo05 on 18-Mar-2020 13:36

Thanks Irfan!

This could be useful config for many. We've been struggling with the SSO for a while. Could you send the config files and some related files we could use for testing SSO plus error handling in our own environment?

Posted by Irfan on 18-Mar-2020 15:12

Tim,

We will make sure to add some debugging tips for HTTP SSO in our documentation. In the meantime, if you have any specific use-case please let us know. We would like to make sure we understand the use-cases you are running into.

This thread is closed