Fix response message when user revoked using x509 auth
Describe the bug
When using client certificate authentication with a user that got revoked, the identity mapping response from SAF is successful and the PassTicket is successfully generated, but eventually z/OSMF is not able to authenticate with the PassTicket to obtain the JWT token due to 401 Unauthorized.
DEBUG message from the log:
HTTP/1.1 401 Unauthorized
<ZWEAGW1:https-jsse-nio-0.0.0.0-60254-exec-1:50726983> ZWESVUSR DEBUG (o.a.http.wire) http-outgoing-174 << "{"returnCode":8,"reasonCode":28,"message":"The user ID was revoked."}[\r][\n]"
However, when calling the /login endpoint, the REST response is different and misleading:
HTTP/1.1 400 Bad Request
{
"messages": [
{
"messageType": "ERROR",
"messageNumber": "ZWEAG121E",
"messageContent": "Authorization header is missing, or the request body is missing or invalid for URL '/gateway/api/v1/auth/login'",
"messageAction": "Provide valid authentication.",
"messageReason": "The authorization header is missing, or the request body is missing or invalid.",
"messageKey": "org.zowe.apiml.security.login.invalidInput"
}
]
}
A clearer message should be returned to the user. The message that the user was revoked is visible in the logs, but it's at DEBUG level. Maybe these types of messages should be switched to INFO.
https://github.com/zowe/api-layer/wiki/Issue-management
In this case, we cannot return more information, because the original case was that the user was actually disabled. The user was able to authenticate against the Gateway (the certificate was still valid during the check with the truststore), a PassTicket was generated, and ZSS made the mapping, but z/OSMF responded 401. If we should do something different, it could be helpful to investigate the state of each endpoint.
In case of a failure during the generation of the PassTicket, it makes sense to return 500, but otherwise it should be just a general 401 with a message such as a list of things to verify (that the account is not suspended, that the credentials are valid, etc.).
There is an issue with fixing the response code (#3007). Definitely, the response code 400 is not correct and should be replaced by 401.
Linked to #3243
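The decision rules discussed in the thread (400 only when the request really carries no credentials, 500 for a PassTicket generation failure, otherwise a generic 401 while the z/OSMF reason is logged at INFO) as an added Python sketch; it is not api-layer code, and the message keys `generalAuthFailure` and `passTicketError` are assumed names, not keys from the project.

```python
import json
import logging
from typing import NamedTuple, Optional

log = logging.getLogger("gateway.auth")

# z/OSMF body copied from the DEBUG log in the issue, embedded here as sample input
ZOSMF_REVOKED_BODY = '{"returnCode":8,"reasonCode":28,"message":"The user ID was revoked."}'

# First key is the real one from the issue; the other two are assumed names
INVALID_INPUT = "org.zowe.apiml.security.login.invalidInput"
AUTH_FAILED = "org.zowe.apiml.security.login.generalAuthFailure"   # assumed
PASSTICKET_ERR = "org.zowe.apiml.security.login.passTicketError"    # assumed


class LoginOutcome(NamedTuple):
    status: int        # HTTP status the Gateway should return to the caller
    message_key: str   # stable key the caller may see; carries no account state
    detail: str        # what goes to the Gateway log, never to the caller


def classify_login_failure(has_credentials: bool, passticket_ok: bool,
                           zosmf_status: Optional[int],
                           zosmf_body: Optional[str]) -> Optional[LoginOutcome]:
    """Map the state of each step (credentials present, PassTicket generated,
    z/OSMF answer) to the response the Gateway should send. Returns None when
    z/OSMF accepted the PassTicket, i.e. there is no failure to report."""
    if not has_credentials:
        # No header and no body: 400 ZWEAG121E is the correct answer here
        return LoginOutcome(400, INVALID_INPUT, "no credentials in request")
    if not passticket_ok:
        # The Gateway itself failed, not the caller: report a server error
        return LoginOutcome(500, PASSTICKET_ERR, "PassTicket generation failed")
    if zosmf_status == 200:
        return None
    reason = "no body"
    if zosmf_body:
        try:
            data = json.loads(zosmf_body)
            reason = data.get("message", "no message") if isinstance(data, dict) else "unexpected body"
        except ValueError:
            reason = "unparseable body"
    # The real cause (e.g. revoked user ID) stays in the log at INFO level;
    # the caller only gets a generic 401 and a list of things to verify.
    log.info("z/OSMF rejected PassTicket with %s: %s", zosmf_status, reason)
    return LoginOutcome(401, AUTH_FAILED, f"z/OSMF {zosmf_status}: {reason}")
```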