JIT Provisioning: Password Policy Violation Allows Authentication to Proceed Without Re-prompting for Valid Password #21110

Open
Pratheesha97 opened this issue Sep 13, 2024 · 0 comments

Describe the issue:
When the "Prompt for password and consent" option is enabled during the JIT provisioning flow, if the user enters a password that does not comply with the defined password policy in the Identity Server, the JIT provisioning fails due to the invalid password. Despite this, the Identity Server continues the flow and authenticates the user without prompting the user to re-enter a valid password.

The following stack trace can be observed in the logs:

[2024-09-13 18:41:47,432] [060a335d-8f1d-456d-bf43-5bbc3a3012b0] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler} - User provisioning failed! org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException: Error while provisioning user : Alex
    at org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.DefaultProvisioningHandler.handle(DefaultProvisioningHandler.java:184)

.............

Caused by: org.wso2.carbon.identity.mgt.policy.PolicyViolationException: 'Password pattern policy violated. Password should contain a digit[0-9], a lower case letter[a-z], an upper case letter[A-Z], one of !@#$%&* characters'
    at org.wso2.carbon.identity.mgt.policy.PolicyRegistry.enforcePasswordPolicies(PolicyRegistry.java:39)
    at org.wso2.carbon.identity.password.policy.handler.PasswordPolicyValidationHandler.handleEvent(PasswordPolicyValidationHandler.java:166)
    ... 80 more

The DefaultStepBasedSequenceHandler does not propagate this error and simply logs it [1].

[1] - https://github.com/wso2/carbon-identity-framework/blob/527dba704487431b95c34461656cdb7496a0f0cc/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/handler/sequence/impl/DefaultStepBasedSequenceHandler.java#L628

How to reproduce:

  1. Set up JIT provisioning with "Prompt for password and consent".
  2. Enable password pattern through the resident IDP and define a policy, or use the default.
  3. Enter a simple password that does not adhere to the configured regex when provisioning the user in JIT mode.
  4. Click Register.

Expected behavior:
If the user-entered password does not meet the policy requirements, the system should prompt the user to re-enter a valid password without continuing the authentication.

Environment information:

  • Product Version: IS 5.10.0
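The following is an added illustration of the fail-open pattern described in this issue, written as a small Python model; it is not WSO2 code and does not reproduce the Identity Server's internals. The handler names, the `Context` object, the in-memory user store and the regex (an approximation of the rule quoted in the `PolicyViolationException` message: a digit, a lower-case letter, an upper-case letter and one of `!@#$%&*`) are all assumptions. `handle_step_fail_open` mirrors the reported behaviour (the provisioning error is logged, the user is still authenticated, and no account is created), while `handle_step_fail_closed` shows the expected behaviour: a policy violation stops authentication and flags the step for a re-prompt, and any other provisioning failure is propagated instead of being swallowed.

```python
import logging
import re
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("jit-provisioning-model")

# Assumed approximation of the pattern quoted in the issue's exception message.
PASSWORD_PATTERN = re.compile(r"^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%&*]).*$")


class PolicyViolationException(Exception):
    """Stand-in for org.wso2.carbon.identity.mgt.policy.PolicyViolationException."""


class FrameworkException(Exception):
    """Stand-in for the framework's generic provisioning failure."""


@dataclass
class Context:
    """Hypothetical per-request authentication context."""
    username: str
    password: str
    authenticated: bool = False
    retry_prompt: bool = False
    error: Optional[str] = None


def enforce_password_policy(password: str) -> None:
    """Raise PolicyViolationException when the password breaks the pattern rule."""
    if not PASSWORD_PATTERN.match(password):
        raise PolicyViolationException(
            "Password pattern policy violated. Password should contain a digit[0-9], "
            "a lower case letter[a-z], an upper case letter[A-Z], one of !@#$%&* characters"
        )


def provision_user(ctx: Context, store: Dict[str, str]) -> None:
    """Create the JIT-provisioned account, wrapping policy errors like the framework does."""
    try:
        enforce_password_policy(ctx.password)
    except PolicyViolationException as exc:
        raise FrameworkException(f"Error while provisioning user : {ctx.username}") from exc
    store[ctx.username] = ctx.password  # a real store would hash the password


def handle_step_fail_open(ctx: Context, store: Dict[str, str]) -> Context:
    """Reported behaviour: the error is only logged and the flow keeps going."""
    try:
        provision_user(ctx, store)
    except FrameworkException:
        log.error("User provisioning failed!", exc_info=True)
    ctx.authenticated = True  # reached even though no account exists
    return ctx


def handle_step_fail_closed(ctx: Context, store: Dict[str, str]) -> Context:
    """Expected behaviour: a policy violation blocks authentication and re-prompts."""
    try:
        provision_user(ctx, store)
    except FrameworkException as exc:
        if isinstance(exc.__cause__, PolicyViolationException):
            ctx.authenticated = False
            ctx.retry_prompt = True
            ctx.error = str(exc.__cause__)  # surfaced to the password prompt
            return ctx
        raise  # any other provisioning failure must not be swallowed either
    ctx.authenticated = True
    return ctx


def run_both(username: str, password: str):
    """Run the same constructed input through both handlers for comparison."""
    open_store: Dict[str, str] = {}
    closed_store: Dict[str, str] = {}
    opened = handle_step_fail_open(Context(username, password), open_store)
    closed = handle_step_fail_closed(Context(username, password), closed_store)
    return opened, open_store, closed, closed_store


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for pw in ("alex", "Alex123!"):  # constructed sample passwords
        o, os_, c, cs = run_both("Alex", pw)
        print(pw, "fail-open:", o.authenticated, bool(os_), "fail-closed:", c.authenticated, c.retry_prompt)
```

The important check is the combination in the fail-open path: `authenticated` is true while the store is empty, which is exactly the state the issue describes (the user is logged in but JIT provisioning never created the account). Re-raising non-policy failures in the fail-closed handler matters as much as the re-prompt, since a swallowed exception of any kind at this point turns a provisioning outage into a silent authentication bypass.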