Token based authentication causing account lockout

[gaurav1264]

Hi Greg,

We use Crowd plugin in Teamcity for user authentication managed in Crowd. With password based authentication everything works as expected, but when we use token to access protected resource, it works fine but also causes account lock issue.

The scenario:
In bash script, we POST data onto VCS root as in below TC URL. URL is configured with token based authentication.
https://USERNAME:[email protected]/httpAuth/app/rest/vcs-root-instances/commitHookNotification?locator=vcsRoot:(id:oat_webhook_test)

When we call script in cenrtain interval for more than 3-5 times, account gets locked even though curl response is successful.

Looks like token based authentication is happening locally in Teamcity, but also delegates call to crowd for further authentication with USERNAME and TOKEN. I suspect, token is treated as password in Crowd thus account gets locked because token is not correct password

I feel that token based authentication should happen only in Teamcity, and do not involve Crowd in case authentication is token based. What do you say?

Regards,
Gaurav

[greggigon]

Hi Gaurav
I think you are exactly right.
What would even better if you have a PR that would help to fix this issue. Can you supply one?
@gaurav1264