Attribute release consent failing (sometimes)

Manuel Haim haim at
Wed Oct 11 10:43:33 EDT 2017

Hi Tom,

On 11-Oct-2017 15:27 Tom Zeller wrote:
>> 6) Not all failing attribute release consent attempts seem to raise a
>> DEBUG message of net.shibboleth.idp.consent.flow.impl.ExtractConsent
>> within the log files. There appear some new entries in the
>> storagerecords table for context intercept/attribute-release with values
>> containing "appr":false which I cannot find a corresponding DEBUG
>> message for.
> I find it curious that "false" approval is being stored without any logging.

I am sorry - I only grepped for "isApproved=false". It turns out that in
the other cases there is also DEBUG output available, reading like this:

DEBUG [net.shibboleth.idp.consent.flow.impl.ExtractConsent:75] - Profile
Action ExtractConsent: No consent choices available from user input

>> 7) For the failing attempts which were DEBUG-logged within the
>> Shibboleth logs, I took a look at the User Agent in my loadbalancer's
>> log. There I can see failing logins coming only from these specific
>> browser versions (32 failures from 21-Sep-2017 thru 10-Oct-2017):
>> Safari 10.0
>> Safari 10.0.1
>> Chrome 53.0.2785.143
>> Chrome 54.0.2840.71
>> Firefox 49.0
> Given the diversity of browsers, I'm less inclined to blame them.

These browser versions were all released at about the same time
(31-Aug-2016 thru 24-Oct-2016), so maybe they share the same bugs?!
Older or newer versions seem not affected.

>> Maybe I should just give up and disable the attribute release consent
>> interceptor for this single service provider.
> Before giving up, we could modify the ExtractConsent action to not
> store a "false" approval if per-attribute consent is disabled. I think
> that would workaround browser issues. I can work through that and
> report back. If "false" approval is still being stored even after
> modifying ExtractConsent, then it seems the bug is elsewhere.
> I suggest you create an issue in JIRA.

Thanks, I just created an issue:

Kind regards,

More information about the users mailing list