losing part of redirect/goto url with double openid connect flow


Kurt Van Meerbeeck
Hi,

I have an OpenAM instance (13.5) - commonidp.xxx.intra:8080/oam
I have configured a social authentication implementation in a realm (/common)
using OpenID Connect.
The OpenAM instance acts as a relying party for a remote third-party IDP.
The authorisation code flow is used.
This all works as expected.

Now, we have a new external application that wants to perform federated authentication
against the commonidp.xxx.intra using OpenID Connect.
It will also use the authorisation code flow.
So the application will be relying party against the OpenAM instance.

Now - if we go to the app, we get redirected to the OpenAM instance (commonidp.xxx.intra).
Now, on the login page, we choose to authenticate against the remote third-party IDP
(so a second OpenID Connect flow is started).
We authenticate at the third-party IDP and we get redirected to the OpenAM instance (commonidp.xxx.intra).
At this point we lose part of the redirect URIs and we get the error
"invalid_request Missing parameter, 'client_id'"
at redirect to http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id

I've set up a test environment with a second OpenAM (rp.xxx.intra:9080/oamrp) instance acting as the relying party
application.
I've listed the key URLs/redirects below.

Is this a known issue? Looks like a bug (but I didn't find any in bugster)?

RP
http://rp.xxx.intra:9080/oamrp/XUI/
http://rp.xxx.intra:9080/oamrp/json/authenticate?service=oamSocialAuthenticationService&authIndexType=service&authIndexValue=oamSocialAuthenticationService

COMMONIDP
http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/UI/Login?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid%20profile&redirect_uri=http%3A%2F%2Frp.xxx.intra%3A9080%2Foamrp%2Foauth2c%2FOAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/json/authenticate?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw
http://commonidp.xxx.intra:8080/oam/XUI/?realm=/common

http://commonidp.xxx.intra:8080/oam/json/authenticate?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common

THIRD-PARTY IDP
https://3thpary.be/authorize?client_id=abc&scope=openid&redirect_uri=http://commonidp.xxx.intra:8080/oam/oauth2c/OAuthProxy.jsp&response_type=code&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g&ui_locales=en

COMMONIDP
http://commonidp.xxx.intra:8080/oam/oauth2c/OAuthProxy.jsp?code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g

http://commonidp.xxx.intra:8080/oam?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g
http://commonidp.xxx.intra:8080/oam/?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g

http://commonidp.xxx.intra:8080/oam/UI/Login?goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id=oamrp&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g
http://commonidp.xxx.intra:8080/oam/json/authenticate?realm=/common&goto=http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id&scope=openid profile&redirect_uri=http://rp.xxx.intra:9080/oamrp/oauth2c/OAuthProxy.jsp&response_type=code&state=p7n6l6nh7cg6yro304oxp8gcp74oy0g&service=lawyercard&authIndexType=service&authIndexValue=lawyercard&realm=/common&code=o93phh

http://commonidp.xxx.intra:8080/oam/oauth2/authorize?client_id


kind regards
Kurt
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
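The redirects above nest a full OAuth2 authorize URL inside a `goto` parameter, and several of them carry that inner URL with its `?` and `&` unencoded. The following Python snippet is an added illustration of what that does to a generic query parser; it is not code from the post or from OpenAM. The sample URLs are constructed from the placeholder values quoted above, and the `append_return_params` helper only mimics the third-party IdP tacking `code` and `state` onto the URL that already carries the `goto`.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample URLs, modelled on the redirects quoted in the post
# (host names and parameter values are the post's own placeholders).
AUTHORIZE = ("http://commonidp.xxx.intra:8080/oam/oauth2/authorize"
             "?client_id=oamrp&scope=openid%20profile"
             "&redirect_uri=http%3A%2F%2Frp.xxx.intra%3A9080%2Foamrp%2Foauth2c%2FOAuthProxy.jsp"
             "&response_type=code&state=tpj2ygsgg4ana08rt02geu63vw6ynuw")
LOGIN = "http://commonidp.xxx.intra:8080/oam/UI/Login?realm=/common"


def build_login_url(goto, encode=True):
    """Wrap the authorize URL in the login page's goto parameter.
    encode=False splices the inner query in raw, as in several of the
    redirects quoted in the post."""
    return LOGIN + "&goto=" + (quote(goto, safe="") if encode else goto)


def append_return_params(url, code, state):
    """Hypothetical helper: mimic the return leg from the third-party IdP,
    which adds its own code and state to whatever URL carries the goto."""
    return url + "&code=" + code + "&state=" + state


def inspect(url):
    """Parse the URL as a generic query parser would and report what the
    goto still contains and which inner parameters spilled outward."""
    outer = parse_qs(urlsplit(url).query, keep_blank_values=True)
    goto = outer["goto"][0]
    inner = parse_qs(urlsplit(goto).query, keep_blank_values=True)
    return {
        # client_id and state as seen *inside* the goto after parsing
        "client_id": inner.get("client_id", [""])[0],
        "inner_state": inner.get("state", [""])[0],
        # every state value the outer URL now carries (collision check)
        "outer_states": outer.get("state", []),
        # inner parameters that leaked into the outer query string
        "leaked": sorted(k for k in outer
                         if k not in ("realm", "goto", "code", "state")),
    }


if __name__ == "__main__":
    for enc in (True, False):
        url = append_return_params(build_login_url(AUTHORIZE, enc),
                                   "o93phh", "p7n6l6nh7cg6yro304oxp8gcp74oy0g")
        print("encoded" if enc else "raw", inspect(url))
```

With the raw form the inner `scope`, `redirect_uri` and `response_type` become outer parameters, the `goto` is truncated at the first `&`, and the outer query ends up with two `state` values (the RP's and the third-party IdP's), which is exactly the kind of ambiguity that lets a state check run against the wrong value; the percent-encoded form round-trips intact.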