Attribute release consent failing (sometimes)
Manuel Haim
haim at hrz.uni-marburg.de
Wed Oct 11 10:43:33 EDT 2017
Hi Tom,
On 11-Oct-2017 15:27 Tom Zeller wrote:
>> 6) Not all failing attribute release consent attempts seem to raise a
>> DEBUG message of net.shibboleth.idp.consent.flow.impl.ExtractConsent
>> within the log files. There appear some new entries in the
>> storagerecords table for context intercept/attribute-release with values
>> containing "appr":false which I cannot find a corresponding DEBUG
>> message for.
>
> I find it curious that "false" approval is being stored without any logging.
>
I am sorry - I only grepped for "isApproved=false". It turns out that in
the other cases there is also DEBUG output available, reading like this:
DEBUG [net.shibboleth.idp.consent.flow.impl.ExtractConsent:75] - Profile
Action ExtractConsent: No consent choices available from user input
>> 7) For the failing attempts which were DEBUG-logged within the
>> Shibboleth logs, I took a look at the User Agent in my loadbalancer's
>> log. There I can see failing logins coming only from these specific
>> browser versions (32 failures from 21-Sep-2017 thru 10-Oct-2017):
>> Safari 10.0
>> Safari 10.0.1
>> Chrome 53.0.2785.143
>> Chrome 54.0.2840.71
>> Firefox 49.0
>
> Given the diversity of browsers, I'm less inclined to blame them.
>
These browser versions were all released at about the same time
(31-Aug-2016 thru 24-Oct-2016), so maybe they share the same bugs?!
Older or newer versions seem not affected.
>> Maybe I should just give up and disable the attribute release consent
>> interceptor for this single service provider.
>
> Before giving up, we could modify the ExtractConsent action to not
> store a "false" approval if per-attribute consent is disabled. I think
> that would workaround browser issues. I can work through that and
> report back. If "false" approval is still being stored even after
> modifying ExtractConsent, then it seems the bug is elsewhere.
>
> I suggest you create an issue in JIRA.
>
Thanks, I just created an issue:
https://issues.shibboleth.net/jira/browse/IDP-1228
Kind regards,
Manuel
More information about the users
mailing list