Authentication failure
When a client does not present a valid SSO token with a request, Java Agent redirects the client to login. If the client then fails to authenticate, by default, the agent takes the following steps:
- Redirects the request to the URL defined by Authentication Fail URL.
- If that property is not set, redirects the request to the URL defined by Goto URL.
- If neither property is set, returns an HTTP 400.
To limit the amount of information available to malicious users, by default, the agent returns an HTTP 400 for all authentication failures, regardless of the reason.
If, for example, the agent returned an "unknown user" message, malicious users could use that information to try different usernames until the error message changed to, for example, "wrong password", confirming that a username exists.
The following table summarizes possible reasons for the agent to return an HTTP 400:
| Reason code | Meaning |
|---|---|
| | The agent cannot find the authentication tracking cookie, defined in Pre-Authentication Cookie Name. This error can happen if the user successfully authenticates, but clicks the back button of the browser to return to the previous page. |
| | The agent found the authentication tracking cookie, but it cannot find the unique identifier of the authentication request inside the cookie. This error can happen if the user successfully authenticates, but clicks the back button of the browser to return to the previous page. |
| | The audience in the JWT does not correspond to the audience in the cookie entry. This error can happen if all agents working in a cluster do not have the same Agent Profile Name. |
| | The agent cannot find the session ID token. |
| | The agent found the session ID token, but it is past its expiry date. |
| | The agent found the session ID token and the expiry time is correct, but AM reports that the ID token is invalid. |
| | The agent found the session ID token, but cannot parse it. |
| | The agent found the session ID token, but threw an exception while parsing it. Alternatively, the agent cannot connect to AM to validate the ID token, for example because of a network outage. |
Manage notifications for authentication failure
An HTTP 400 message is not always helpful for debugging the agent flow or when another web application depends on the error message. To change the way the agent responds to authentication failure, configure the following properties:
- Authentication Fail URL, to redirect users to a specific URL or URI. Use this property to control the message the agent displays to the client.
- Authentication Fail Reason Parameter Name, to send the reason for authentication failure in a named query parameter.
- Authentication Fail Reason Parameter Value Map, to map the reason for authentication failure to another value. Use this property to hide the reason for authentication failure from malicious users, or to map it to something that is meaningful inside your organization.
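The following model shows how these properties combine into the agent's response to a failed authentication. It is an added example written for this page, not the Java Agent's own code: it reimplements the decision order described above (Authentication Fail URL, then Goto URL, then HTTP 400) and appends the mapped reason as a query parameter. The reason strings, the hostnames, the 302 status code and the assumption that an unmapped reason is passed through unchanged are all constructed for the example; the page does not list the real reason codes.

```python
"""Model of the Java Agent's authentication-failure response decision.

Illustrative reimplementation for this page, not the agent's code. Property
names follow the page; reason strings and URLs are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class FailureConfig:
    auth_fail_url: Optional[str] = None       # Authentication Fail URL
    goto_url: Optional[str] = None            # Goto URL
    reason_param_name: Optional[str] = None   # Authentication Fail Reason Parameter Name
    # Authentication Fail Reason Parameter Value Map: internal reason -> exposed value
    reason_value_map: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def map_reason(cfg: FailureConfig, reason: str) -> str:
    """Value exposed to the client for an internal failure reason.

    Assumption of this model: a reason missing from the map passes through
    unchanged, so hiding detail from clients needs a map that covers every
    reason (or maps them all to one neutral value).
    """
    return cfg.reason_value_map.get(reason, reason)


def add_query_param(url: str, name: str, value: str) -> str:
    """Append name=value to url, preserving any query string already present."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def respond_to_failure(cfg: FailureConfig, reason: str) -> Response:
    """Apply the documented order: Fail URL, else Goto URL, else HTTP 400."""
    target = cfg.auth_fail_url or cfg.goto_url
    if target is None:
        return Response(400)                      # default: no detail leaks
    if cfg.reason_param_name:
        target = add_query_param(target, cfg.reason_param_name, map_reason(cfg, reason))
    return Response(302, target)                  # redirect status is an assumption


def uniform_map(reasons, exposed_value: str) -> dict:
    """Build a map that hides every internal reason behind one value."""
    return {r: exposed_value for r in reasons}


if __name__ == "__main__":
    # Constructed reason names; the real codes are not on this page.
    internal_reasons = ["no-tracking-cookie", "token-expired", "am-unreachable"]
    cfg = FailureConfig(
        auth_fail_url="https://app.example.com/login-failed?lang=en",
        reason_param_name="reason",
        reason_value_map=uniform_map(internal_reasons, "retry"),
    )
    for r in internal_reasons:
        print(r, "->", respond_to_failure(cfg, r))
    print("default config ->", respond_to_failure(FailureConfig(), "token-expired"))
```

With the default configuration every reason collapses to a 400 with no location; with a uniform map, the redirect carries the same parameter value for every failure, so a client still learns nothing about which check failed while an internal application can read the parameter.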
Limit the number of failed login attempts
This feature is deprecated. For more information, refer to the Deprecated section of the Release Notes.
To mitigate the risk of brute force attacks, limit the number of failed login attempts allowed during a browser session. Once that number is reached, the agent blocks further requests from the user.
Configure Login Attempt Limit (deprecated) to a non-zero value. For example, if the limit is three, the agent blocks the fourth and subsequent login requests.