
Stormpath idSite Authentication issues with environments


I have a Java application using Spring Boot and leveraging the Stormpath idSite functionality. When I use my app to connect to Stormpath via idSite locally, the authentication mechanisms work fine; I can log in and get an Account object. This works in my IDE as well as standalone (running java -jar).

When I deploy my application (Uber-jar, embedded Tomcat) and run it, the authentication appears to operate (logout redirects to idSite, un/pw works). However, when I return from the login, the com.stormpath.sdk.account.Account object is never returned, though an Application object is.

I wrote a quick routine to validate what is returned in the HttpServletRequest via:

    // Collect the names of every attribute present on the request
    String attr = "";
    Enumeration<String> e = request.getAttributeNames();
    while (e.hasMoreElements()) {
        attr += e.nextElement() + "<BR />";
    }

and see that the Accounts object is not present after login, unless I am on my dev machine.

What would be a good avenue for investigation after this point?


Solution

  • It sounds like you may be running into this issue because your deployment environment is NOT SSL protected.

    Stormpath allows http connections ONLY for localhost - to be able to test.

    Once your application is in any sort of deployment environment, all connections must be https.

    If it's not https, then Stormpath will NOT set the account cookie, as you are seeing.

    For testing purposes, you can use a self-signed cert, but you would not want to have this in a production environment.

    Note: Once you do SSL enable your deployment environment, you will need to update your authorized redirect URLs in your ID Site setup to reflect this.

    Hope this helps!

    Full disclosure: I work for Stormpath
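
As an added example (not part of the original answer and not Stormpath's code), this small Java check applies the rule stated in the answer, https everywhere except localhost, to a list of redirect URLs before deployment. The class name, the `/idSiteResult` path and the `example.com` hosts are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

// Added example: pre-deployment check of the "https unless localhost" rule.
public class CallbackUrlCheck {

    /** Returns null when the URL satisfies the rule, otherwise the reason it fails. */
    static String problemWith(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException ex) {
            return "not a valid URI: " + ex.getReason();
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return "URL must be absolute (scheme and host required)";
        }
        if ("https".equalsIgnoreCase(scheme)) {
            return null;
        }
        // Plain http is tolerated only for local testing. The host must be
        // exactly "localhost": a prefix match would accept localhost.example.com.
        if ("http".equalsIgnoreCase(scheme) && "localhost".equalsIgnoreCase(host)) {
            return null;
        }
        return "scheme '" + scheme + "' to host '" + host + "' is not https";
    }

    public static void main(String[] args) {
        // Constructed sample URLs; substitute the redirect URLs from your ID Site setup.
        List<String> urls = List.of(
            "http://localhost:8080/idSiteResult",
            "http://app.example.com/idSiteResult",
            "https://app.example.com/idSiteResult",
            "http://localhost.example.com/idSiteResult",
            "/idSiteResult");
        for (String url : urls) {
            String problem = problemWith(url);
            System.out.println((problem == null ? "OK    " : "FAIL  ") + url
                    + (problem == null ? "" : "  -> " + problem));
        }
    }
}
```

With Java 11 or later it runs directly as `java CallbackUrlCheck.java`; only the first and third sample URLs pass.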