Account lockout fails when an authentication chain contains a custom module in AM/OpenAM (All versions)
The purpose of this article is to provide assistance if user accounts are not locked in accordance with the account lockout settings in AM/OpenAM when you have an authentication chain that contains one or more custom modules.
Symptoms
User account is not locked after a repeated number of failed login attempts.
The following message is shown when the user subsequently attempts to log in with invalid credentials.
{ "code": 401, "reason": "Unauthorized", "message": "Authentication Failed" }
Expected messages
When account lockout is working in an authentication chain, you would expect to see the following message after x number of failed logins:
{ "code": 401, "reason": "Unauthorized", "message": "Authentication Failed Warning: You will be locked out after 1 more failure(s)." }
And then the following message after another attempt:
{ "code": 401, "reason": "Unauthorized", "message": "Your account has been locked." }
Recent Changes
Added a custom authentication module to the chain.
Causes
The account lockout functionality works based on invalid password exceptions rather than invalid login exceptions. This means all login modules must throw an InvalidPasswordException instead of an AuthLoginException to trigger account lockout.
Solution
This issue can be resolved by updating your custom authentication modules to throw an InvalidPasswordException. For example, by changing:
throw new AuthLoginException(<parameters>);
To:
throw new InvalidPasswordException(<parameters>);
See Also
How do I enable account lockout in AM/OpenAM (All versions)?
How do I unlock a user's account using the REST API in AM/OpenAM (All versions)?
Authentication and Single Sign-On Guide › The Sample Authentication Logic
Authentication and Single Sign-On Guide › Implementing Account Lockout
Related Training
N/A
Related Issue Tracker IDs
OPENAM-14192 (Addition needed for sample custom auth code to mention account lockout)