HTTP 403 returned for invalid credentials #2332
Replies: 5 comments
Thanks for providing the details.
@zFernand0 I would first look at the pre-requisite z/OSMF setup instructions to see if the different setups that are returning different error codes are the result of not following the setup that is suggested by the docs. The comment and the issue mentioned above refer to 2 different ways of handling the authentication for z/OS, where RACF is returning the expected result but ACF2 returns the 403. Would this be something to bring up with the z/OSMF team, as the return code will affect all products that use the APIs?
I've sent the issue to our Kyndryl/IBM support team for investigation. I'll keep you updated when I get news from them.
Finally had a return from our support team, after a ticket was opened with IBM. Turns out it was a permissions issue in ACF2 on the unauthenticated user IZUGUEST used by z/OSMF. After setting the permissions properly, the problem was resolved.
That's great news @deltatager, thanks for letting us know.
On our z/OS installation using ACF2, z/OSMF returns an HTTP 403 when there is an authentication error, instead of a 401. This way, the "Invalid Credentials" popup isn't shown, leading to pretty much systematic lockouts after a password change.
I opened an issue about this, #2326, in which I was told that 401 and 403 don't mean the same thing, and received no answer to my follow-up questions after it was closed.
However, 403 is being returned by our installation for invalid credentials, and it is not handled by the extension, leading to user lockouts the minute you try to use it after a password change.
I understand that semantically, the 401 and 403 don't mean the same thing, but both are being returned by different installations for the same situation.
What would be the impacts of treating both 401 and 403 as an "Invalid credentials" error? For us, it would make using the extension much easier, without having to worry about account lockout.
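As an added illustration of the client-side change the opening post asks about (this is not Zowe Explorer code and not anything posted in this thread), the TypeScript sketch below classifies both a 401 and a 403 from z/OSMF as a credential failure, so the client stops re-sending a stale password instead of retrying it until the security manager suspends the user. The `FakeZosmf` stand-in server, its failed-logon counter, and the function names `classify`, `fetchWithAuthGuard`, `fetchNaive` and `demo` are all constructed for the example; the RACF-style 401 versus ACF2-style 403 split mirrors the two behaviours described above.

```typescript
// Added example, not Zowe Explorer code. Everything below (the fake server,
// the status-code classifier and the two client wrappers) is constructed to
// show why retrying on a 403 burns invalid-password attempts.

type ZosmfResponse = { status: number; body?: string };

// Constructed stand-in for z/OSMF. `mode` picks the behaviour seen in the
// thread: "racf" answers a bad password with 401, "acf2" with 403. The
// failedLogons counter models the ESM's invalid-password count that leads
// to a lockout once a threshold is reached.
class FakeZosmf {
  mode: "racf" | "acf2";
  password: string;
  failedLogons = 0;
  constructor(mode: "racf" | "acf2", password: string) {
    this.mode = mode;
    this.password = password;
  }
  request(password: string): ZosmfResponse {
    if (password === this.password) return { status: 200, body: "ok" };
    this.failedLogons++;
    return this.mode === "racf"
      ? { status: 401, body: "Authentication failed" }
      : { status: 403, body: "Forbidden" };
  }
}

type Outcome = "ok" | "credentials" | "transient" | "other";

// Treat 401 and 403 alike: in both cases re-sending the same credentials
// cannot succeed, it only consumes another invalid-password attempt.
function classify(res: ZosmfResponse): Outcome {
  if (res.status >= 200 && res.status < 300) return "ok";
  if (res.status === 401 || res.status === 403) return "credentials";
  if (res.status === 429 || res.status === 503) return "transient";
  return "other";
}

// Guarded client: retries only non-credential failures and stops at the
// first credential failure, signalling that the user must be re-prompted.
function fetchWithAuthGuard(
  server: FakeZosmf,
  password: string,
  maxRetries = 3,
): { outcome: Outcome; attempts: number; reprompt: boolean } {
  let attempts = 0;
  let outcome: Outcome = "other";
  while (attempts < maxRetries) {
    attempts++;
    outcome = classify(server.request(password));
    if (outcome === "ok") return { outcome, attempts, reprompt: false };
    if (outcome === "credentials") return { outcome, attempts, reprompt: true };
    // "transient" and "other" fall through and are retried
  }
  return { outcome, attempts, reprompt: false };
}

// Naive client (the behaviour the opening post describes): only 401 is
// recognised as a credential problem, so a 403 is retried like any other
// error and every retry is another failed logon against the same user.
function fetchNaive(
  server: FakeZosmf,
  password: string,
  maxRetries = 3,
): { attempts: number; reprompt: boolean } {
  let attempts = 0;
  while (attempts < maxRetries) {
    attempts++;
    const res = server.request(password);
    if (res.status < 300) return { attempts, reprompt: false };
    if (res.status === 401) return { attempts, reprompt: true };
  }
  return { attempts, reprompt: false };
}

// Runs both clients against an ACF2-style server with a stale password and
// reports how many failed logons each one caused.
function demo() {
  const naiveServer = new FakeZosmf("acf2", "new-password");
  const naive = fetchNaive(naiveServer, "old-password");
  const guardedServer = new FakeZosmf("acf2", "new-password");
  const guarded = fetchWithAuthGuard(guardedServer, "old-password");
  return {
    naive,
    naiveFailedLogons: naiveServer.failedLogons,
    guarded,
    guardedFailedLogons: guardedServer.failedLogons,
  };
}

console.log(demo());
```

With the stale password, the naive wrapper makes three requests and records three failed logons without ever prompting the user, while the guarded wrapper stops after one and asks for new credentials. This only limits the damage on the client side; as the thread's resolution shows, the actual cause of the 403 was an ACF2 permission on the IZUGUEST user, and that is what needs fixing on the host.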