Hi,
I have an OpenAM instance (13.5) - commonidp.xxx.intra:8080/oam. I have configured a social authentication implementation in a realm (/common) using OpenID Connect. The OpenAM instance acts as a relying party for a remote third-party IDP. The authorisation code flow is used. This all works as expected.

Now, we have a new external application that wants to perform federated authentication against commonidp.xxx.intra using OpenID Connect. It will also use the authorisation code flow, so the application will be a relying party against the OpenAM instance.

Now, if we go to the app, we get redirected to the OpenAM instance (commonidp.xxx.intra). On the login page, we choose to authenticate against the remote third-party IDP (so a second OpenID Connect flow is started). We authenticate at the third-party IDP and we get redirected to the OpenAM instance (commonidp.xxx.intra). At this point we lose part of the redirect URIs and we get the error "invalid_request Missing parameter, 'client_id'" at the redirect to http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id

I've set up a test environment with a second OpenAM instance (rp.xxx.intra:9080/oamrp) acting as the relying party application. I've listed the key URLs/redirects below. Is this a known issue? It looks like a bug (but I didn't find any in bugster)?
RP
http://rp.xxx.intra:9080/oamrp/XUI/
http://rp.xxx.intra:9080/oamrp/json/authenticate?service=oamSocialAuthenticationService&authIndexType=service&authIndexValue=oamSocialAuthenticationService

COMMONIDP
http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/UI/Login?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid%20profile&redirect_uri=http%3A%2F%2Frp.xxx.intra%3A9080%2Foamrp%2Foauth2c%2FOAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/json/authenticate?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/XUI/?realm=/common
http://commonidp.xxx.intra:8080/oam/json/authenticate?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common

THIRD-PARTY IDP
https://3thpary.be/authorize?client_id=abc&scope=openid&redirect_uri=http://commonidp.xxx.intra:8080/oam/oauth2c/OAuthProxy.jsp&response_type=code&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g&ui_locales=en

COMMONIDP
http://commonidp.xxx.intra:8080/oam/oauth2c/OAuthProxy.jsp?code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g
http://commonidp.xxx.intra:8080/oam?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g
http://commonidp.xxx.intra:8080/oam/?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g
http://commonidp.xxx.intra:8080/oam/UI/Login?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g
http://commonidp.xxx.intra:8080/oam/json/authenticate?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh
http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id

kind regards
Kurt

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
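In the redirect chain above, the RP's authorize request is carried inside `goto=` unencoded, and the third-party IDP's callback then appends its own `code` and `state` to that same query string, so two `state` values and two sets of parameters share one query. The following is an added example, not part of Kurt's post and not OpenAM code, that models that hazard with Python's standard library: it builds the login URL once with the inner request pasted in raw (as in the failing URLs) and once with it percent-encoded as a single `goto` value, appends the IDP's `code` and `state` the way the callback does, and parses the result with a last-occurrence-wins parser. Hostnames, client ids, codes and state values are the placeholder ones from the post; the parser is a generic model of how request APIs flatten query strings, not OpenAM's actual code path, and the round-trip check at the end is a hypothetical helper a deployer could use to validate that a nested `goto` survives a callback.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample patterned on the URLs quoted in the post; the hosts are
# the post's placeholder names, not real systems.
LOGIN = "http://commonidp.xxx.intra:8080/oam/UI/Login"
RP_AUTHORIZE = (
    "http://commonidp.xxx.intra:8080/oam/oauth2/authorize"
    "?client_id=oamrp&scope=openid%20profile"
    "&redirect_uri=http%3A%2F%2Frp.xxx.intra%3A9080%2Foamrp%2Foauth2c%2FOAuthProxy.jsp"
    "&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw"
)
RP_STATE = "tpj2ygsgg4ana08rt02geu63vw6ynuw"   # state issued by the RP (oamrp)
IDP_STATE = "p7n6l6nh7cg6yro304oxp8gcp74oy0g"  # state issued for the third-party IDP leg
IDP_CODE = "o93phh"


def build_login_url(inner_url, encode_goto):
    """Embed the RP's authorize request in goto=.

    encode_goto=False pastes it in raw, as in the failing URLs in the post;
    encode_goto=True percent-encodes it so it travels as one opaque value.
    """
    goto = quote(inner_url, safe="") if encode_goto else inner_url
    return f"{LOGIN}?realm=/common&goto={goto}"


def simulate_idp_callback(url, code, idp_state):
    """Model the upstream IDP sending the browser back with its own code and
    state appended to whatever query the login URL already carries."""
    return f"{url}&code={code}&state={idp_state}"


def last_wins(query):
    """Flatten a query string to one value per name, last occurrence wins.
    This models how many request APIs expose parameters to application code
    (a generic assumption, not OpenAM's parser)."""
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def outer_params(url):
    """Parameters the server sees on the callback URL itself."""
    return last_wins(urlsplit(url).query)


def recovered_goto_params(url):
    """What the RP's authorize request looks like once the server pulls goto
    back out of the callback URL (parse_qs has already percent-decoded it once)."""
    inner = outer_params(url)["goto"]
    return last_wins(urlsplit(inner).query)


def goto_survives_round_trip(inner_url, encode_goto):
    """Hypothetical defensive check: does the RP's request come back intact
    after the IDP callback has appended its parameters?"""
    url = simulate_idp_callback(build_login_url(inner_url, encode_goto), IDP_CODE, IDP_STATE)
    expected = last_wins(urlsplit(inner_url).query)
    return recovered_goto_params(url) == expected


if __name__ == "__main__":
    for encode in (False, True):
        url = simulate_idp_callback(build_login_url(RP_AUTHORIZE, encode), IDP_CODE, IDP_STATE)
        print(f"encode_goto={encode}")
        print("  outer state      :", outer_params(url)["state"])
        print("  leaked inner keys:", sorted(set(outer_params(url)) - {"realm", "goto", "code", "state"}))
        print("  recovered goto   :", recovered_goto_params(url))
        print("  round trip ok    :", goto_survives_round_trip(RP_AUTHORIZE, encode))
```

In the raw case the inner request's `scope`, `redirect_uri`, `response_type` and `state` are parsed as parameters of the outer login URL, `goto` is truncated at the first `&`, and the IDP's `state` overwrites the RP's; with the inner URL percent-encoded, the outer query carries only `realm`, `goto`, `code` and the IDP's `state`, and the RP's request decodes back unchanged. Comparing the encoded `UI/Login` URL in the chain above with the unencoded `json/authenticate` ones shows the same distinction in the captured traffic.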