Re: OpenAM Digest, Vol 74, Issue 10


Kurt Van Meerbeeck
Hi

I've been further investigating this and it looks like a problem with URL encoding in the OAuth Auth plugin.
(openam-auth-oauth2 - org/forgerock/openam/authentication/modules/oauth2/OAuth.java)
Here, it looks like the requestedQuery URL of the original relying party is not correctly URL-encoded,
or the URL is decoded somewhere along the flow, breaking the last redirect to the original relying party.

It doesn't look like a known bug in bugster ...

cheers,
Kurt

From: [hidden email]
To: [hidden email],
Date: 21/12/2016 21:00
Subject: OpenAM Digest, Vol 74, Issue 10
Sent by: [hidden email]

Send OpenAM mailing list submissions to
    [hidden email]

To subscribe or unsubscribe via the World Wide Web, visit
    https://lists.forgerock.org/mailman/listinfo/openam
or, via email, send a message with subject or body 'help' to
    [hidden email]

You can reach the person managing the list at
    [hidden email]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OpenAM digest..."


Today's Topics:

  1. losing part of redirect/goto url with double openid connect flow (Kurt Van Meerbeeck)


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Dec 2016 16:53:59 +0100
From: Kurt Van Meerbeeck <[hidden email]>
To: [hidden email]
Subject: [OpenAM] losing part of redirect/goto url with double openid connect flow
Message-ID: <[hidden email]>
Content-Type: text/plain; charset="us-ascii"

Hi,

I have an OpenAM instance (13.5) - commonidp.xxx.intra:8080/oam
I have configured a social authentication implementation in a realm
(/common)
using OpenID Connect.
The OpenAM instance acts as a relying party for a remote third-party IDP.
The authorisation code flow is used.
This all works as expected.

Now, we have a new external application that wants to perform federated
authentication
against the commonidp.xxx.intra using OpenID Connect.
It will also use the authorisation code flow.
So the application will be relying party against the OpenAM instance.

Now - if we go to the app, we get redirected to the OpenAM instance
(commonidp.xxx.intra).
Now, on the login page, we choose to authenticate against the remote
third-party IDP.
(so a second OpenID Connect flow is started)
We authenticate at the third-party IDP and we get redirected to the OpenAM
instance (commonidp.xxx.intra).
At this point we lose part of the redirect URIs and we get the error
"invalid_request Missing parameter, 'client_id'"
at redirect to
http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id

I've set up a test environment with a second OpenAM
(rp.xxx.intra:9080/oamrp) instance acting as the relying party
application.
I've listed the key URLs/redirects below.

Is this a known issue? Looks like a bug (but didn't find any in bugster)?

RP
http://rp.xxx.intra:9080/oamrp/XUI/
http://rp.xxx.intra:9080/oamrp/json/authenticate?service=oamSocialAuthenticationService&authIndexType=service&authIndexValue=oamSocialAuthenticationService

COMMONIDP
http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/UI/Login?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid%20profile&redirect_uri=http%3A%2F%2Frp.xxx.intra%3A9080%2Foamrp%2Foauth2c%2FOAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/json/authenticate?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/XUI/?realm=/common

http://commonidp.xxx.intra:8080/oam/json/authenticate?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common

THIRD-PARTY IDP
https://3thpary.be/authorize?client_id=abc&scope=openid&redirect_uri=http://commonidp.xxx.intra:8080/oam/oauth2c/OAuthProxy.jsp&response_type=code&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g&ui_locales=en

COMMONIDP
http://commonidp.xxx.intra:8080/oam/oauth2c/OAuthProxy.jsp?code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g

http://commonidp.xxx.intra:8080/oam?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g
http://commonidp.xxx.intra:8080/oam/?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g

http://commonidp.xxx.intra:8080/oam/UI/Login?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g
http://commonidp.xxx.intra:8080/oam/json/authenticate?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh

http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id


kind regards
Kurt

------------------------------

_______________________________________________
Visit the OpenAM forum at
https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam


End of OpenAM Digest, Vol 74, Issue 10
**************************************

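The parameter loss described in the thread can be reproduced outside OpenAM with a few lines of Python. The following is an added illustration, not code from the thread or from OpenAM: it builds the login redirect with the original authorize request carried in `goto`, once percent-encoded and once concatenated bare as in the logged URLs, and shows what a query parser hands back in each case. It also models the second hypothesis from the reply, a component that percent-decodes the whole URL before parsing it. Hostnames, the realm and the state value are constructed placeholders, and the function names are this example's own.

```python
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

# Constructed sample values modelled on the URLs in the thread; hostnames, realm
# and state are placeholders, not the thread's real values.
AUTHORIZE_URL = (
    "http://commonidp.example.intra:8080/oam/oauth2/authorize"
    "?client_id=oamrp&scope=openid%20profile"
    "&redirect_uri=http%3A%2F%2Frp.example.intra%3A9080%2Foamrp%2Foauth2c%2FOAuthProxy.jsp"
    "&response_type=code&state=STATE1"
)
LOGIN_URL = "http://commonidp.example.intra:8080/oam/UI/Login"
REALM = "/common"

# Parameters the relying party's authorize request cannot do without.
REQUIRED = ("client_id", "redirect_uri", "response_type", "state")


def build_login_redirect(goto: str, encode: bool = True) -> str:
    """Redirect to the login page with the original authorize request in `goto`.

    encode=True percent-encodes the nested URL so its '?' and '&' cannot be
    mistaken for separators of the outer query. encode=False reproduces the
    bare concatenation visible in the thread's logged URLs.
    """
    if encode:
        return f"{LOGIN_URL}?{urlencode({'realm': REALM, 'goto': goto})}"
    return f"{LOGIN_URL}?realm={REALM}&goto={goto}"


def extract_goto(url: str) -> Optional[str]:
    """Return the `goto` value as a server-side handler sees it.

    The outer query is split on '&' first, so a bare nested '&' truncates
    `goto` and turns the rest of the nested request into top-level parameters.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("goto", [None])[0]


def extract_goto_after_premature_decode(url: str) -> Optional[str]:
    """Model a component that percent-decodes the whole URL before parsing it.

    Once the '%26' and '%3F' inside a correctly encoded `goto` have become
    '&' and '?', the value is damaged exactly like the unencoded one.
    """
    return extract_goto(unquote(url))


def missing_authorize_params(goto: Optional[str]) -> List[str]:
    """Names of REQUIRED authorize parameters that are absent or empty in `goto`.

    An empty list means the relying party's request survived the round trip;
    this is the check a redirect handler can run before following `goto`.
    """
    if goto is None:
        return list(REQUIRED)
    inner = parse_qs(urlsplit(goto).query, keep_blank_values=True)
    return [name for name in REQUIRED if not inner.get(name, [""])[0]]


if __name__ == "__main__":
    for encode in (True, False):
        redirect = build_login_redirect(AUTHORIZE_URL, encode=encode)
        goto = extract_goto(redirect)
        print(f"encoded={encode}: goto={goto}")
        print(f"  missing: {missing_authorize_params(goto)}")
    damaged = extract_goto_after_premature_decode(build_login_redirect(AUTHORIZE_URL))
    print(f"after premature decode: missing {missing_authorize_params(damaged)}")
```

With the encoded redirect, `goto` comes back byte-for-byte as the original authorize request. With the bare concatenation, `goto` ends at the first nested `&`, so only `client_id` survives inside it while `redirect_uri`, `response_type` and `state` leak out as top-level parameters of the login URL, which matches the shape of the later URLs in the thread where parameters drift between the outer and inner query. A single premature decode of the correctly encoded redirect produces the same truncation, so either hypothesis in the reply ends in the same failure.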