Solutions

Account lockout fails when an authentication chain contains a custom module in AM/OpenAM (All versions)

Last updated Sep 14, 2020

The purpose of this article is to provide assistance if user accounts are not locked in accordance with the account lockout settings in AM/OpenAM when you have an authentication chain that contains one or more custom modules.

Symptoms

User account is not locked after a repeated number of failed login attempts.

The following message is shown when the user subsequently attempts to log in with invalid credentials.

{ "code": 401, "reason": "Unauthorized", "message": "Authentication Failed" }

Expected messages

When account lockout is working in an authentication chain, you would expect to see the following message after x number of failed logins:

{ "code": 401, "reason": "Unauthorized", "message": "Authentication Failed Warning: You will be locked out after 1 more failure(s)." }

And then the following message after another attempt:

{ "code": 401, "reason": "Unauthorized", "message": "Your account has been locked." }

Recent Changes

Added a custom authentication module to the chain.

Causes

The account lockout functionality works based on invalid password exceptions rather than invalid login exceptions. This means all login modules must throw an InvalidPasswordException instead of an AuthLoginException to trigger account lockout.

Solution

This issue can be resolved by updating your custom authentication modules to throw an InvalidPasswordException. For example, by changing:

throw new AuthLoginException(<parameters>);

To:

throw new InvalidPasswordException(<parameters>);

Related Training

N/A

Related Issue Tracker IDs

OPENAM-14192 (Addition needed for sample custom auth code to mention account lockout)

OPENAM-6362 (HOTP and OATH auth-modules do not set 'failureUserID' when throwing InvalidPasswordException, this breaks OpenAM account lockout)