
Authentication Fails


Snizi

Mar 12, 2025, 5:35:37 PM
to ZAP User Group
I'm encountering a strange issue when using the authentication steps with the AF plan in ZAP. ZAP successfully authenticates—I can see in the browser that pops up that it follows the steps correctly. Since this is a Keycloak application with TOTP, and each element is on a different page, I’ve ensured that I'm using the correct session management mechanism. However, after ZAP authenticates and receives the request containing the JSON with the token, it reports that authentication has failed and restarts the process.

Error msg: 
Caused by: org.openqa.selenium.NoSuchElementException: Unable to locate element: //*[@id="username"]
For documentation on this error, please visit: https://www.selenium.dev/documentation/webdriver/troubleshooting/errors#no-such-element-exception
Build info: version: '4.29.0', revision: '5fc1ec94cb'
System info: os.name: 'Linux', os.arch: 'amd64', os.version: '6.11.2-amd64', java.version: '23.0.1'
Driver info: org.openqa.selenium.firefox.FirefoxDriver
Command: [c04085ee-b410-4fbd-bb10-268503172447, findElement {value=//*[@id="username"], using=xpath}]
Capabilities {acceptInsecureCerts: true, browserName: firefox, browserVersion: 128.5.0, moz:accessibilityChecks: false, moz:buildID: 20241118130310, moz:debuggerAddress: 127.0.0.1:20209, moz:geckodriverVersion: 0.36.0, moz:headless: true, moz:platformVersion: 6.11.2-amd64, moz:processID: 96041, moz:profile: /tmp/rust_mozprofilerHzGpU, moz:shutdownTimeout: 60000, moz:webdriverClick: true, moz:windowless: false, pageLoadStrategy: normal, platformName: linux, proxy: Proxy(), setWindowRect: true, strictFileInteractability: false, timeouts: {implicit: 0, pageLoad: 300000, script: 30000}, unhandledPromptBehavior: dismiss and notify, userAgent: Mozilla/5.0 (X11; Linux x86..., webSocketUrl: ws://127.0.0.1:20209/sessio...}

env:
  contexts:
  - authentication:
      method: browser
      parameters:
        browserId: firefox-headless
        loginPageUrl: ${LOGIN_URL}
        loginPageWait: 5000
        steps:
        - description: user
          type: USERNAME
          xpath: "//*[@id=\"username\"]"
          timeout: 30000
        - description: signin
          type: CLICK
          xpath: "//*[@id=\"kc-login\"]"
          timeout: 30000
        - description: password
          type: PASSWORD
          xpath: "//*[@id=\"password\"]"
          timeout: 30000
        - description: click
          type: CLICK
          xpath: "//*[@id=\"kc-login\"]"
          timeout: 30000
        - description: topt
          type: TOTP_FIELD
          xpath: "//*[@id=\"otp\"]"
          timeout: 30000
        - description: signin2
          type: CLICK
          xpath: "//*[@id=\"kc-login\"]"
          timeout: 30000

But as I mentioned, the browser finds the elements, fills them in, and correctly authenticates to the application, but ZAP still raises this error.

Snizi

Mar 14, 2025, 10:57:35 AM
to ZAP User Group
Coming here to give you more information. After a lot of trying, I think I discovered the issue. Although I was using the header-based session management with {%json:access_token%}, for some reason ZAP does not identify this response as part of the authentication (OIDC), even if the context was set up correctly. I also tried to use a session management script, but for some reason the wrapper didn't capture the right response too. What I had to do was to create an http sender script and capture the right response, set a global variable and then use the script variable option/setting in the header-based session management.
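The workaround described above, as an added example that is not the poster's own script: a ZAP HTTP Sender script (Graal/Nashorn JavaScript) that watches responses from the Keycloak token endpoint, pulls the top-level `access_token` out of the JSON body, and stores it in a global script variable so the header-based session management can reference it. The endpoint path fragment, the variable name and the helper name `extractAccessToken` are assumptions chosen for this example.

```javascript
// Added example (not the poster's script): a ZAP HTTP Sender script that
// captures the OIDC access_token from the token response and stores it in a
// global script variable for header-based session management to reuse.
// Assumptions: the token response is JSON with a top-level "access_token";
// TOKEN_URL_FRAGMENT is the Keycloak default token path (adjust if needed).
var TOKEN_URL_FRAGMENT = "/protocol/openid-connect/token";
var GLOBAL_VAR_NAME = "access_token";

// Pure helper, free of ZAP objects so it can be tested outside ZAP:
// returns the access_token string, or null when the response is not JSON,
// does not parse, or has no non-empty access_token field.
function extractAccessToken(contentType, body) {
  if (!contentType || contentType.toLowerCase().indexOf("json") === -1) {
    return null;
  }
  var parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null; // HTML error page or other non-JSON body
  }
  if (!parsed || typeof parsed.access_token !== "string" || parsed.access_token.length === 0) {
    return null;
  }
  return parsed.access_token;
}

// ZAP calls this for every outgoing request; nothing to do on the way out.
function sendingRequest(msg, initiator, helper) {}

// ZAP calls this for every response. Only the token endpoint is inspected;
// a captured token overwrites the previous global value.
function responseReceived(msg, initiator, helper) {
  var url = msg.getRequestHeader().getURI().toString();
  if (url.indexOf(TOKEN_URL_FRAGMENT) === -1) {
    return;
  }
  var token = extractAccessToken(
    msg.getResponseHeader().getHeader("Content-Type"),
    msg.getResponseBody().toString()
  );
  if (token === null) {
    return;
  }
  var ScriptVars = Java.type("org.zaproxy.zap.extension.script.ScriptVars");
  ScriptVars.setGlobalVar(GLOBAL_VAR_NAME, token);
  print("Captured access_token (" + token.length + " chars) from " + url);
}
```

In the header-based session management, the Authorization header value then references the global script variable by the name above (the exact placeholder syntax is in the ZAP help for that session management type).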

Snizi

Mar 14, 2025, 10:59:39 AM
to ZAP User Group
Context 2: The error about the missing username happened because I was using type: USERNAME; after switching to CUSTOM_FIELD and indicating the right path, it went away. Not sure if it was due to some Firefox issue, because I switched to Chrome after making the change.

Simon Bennetts

Mar 18, 2025, 1:04:12 PM
to ZAP User Group
OK, ZAP might have actually authenticated successfully, but that's only part of the story.
How have you configured session handling and verification?
If one of those is incorrect then authentication will still fail.

Cheers,

Simon