OpenAM Agents: AMAGENTS-2113

CDSSO PDP redirect fails when in front of CDN that adds X-Forwarded-Proto


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2.0.0, 4.1.0-34, 4.1.0-40
    • Fix Version/s: 4.2.1.0
    • Component/s: Web Agents
    • Environment: This affects the recent patches and also 4.2.0.0, and also the Varnish-related agents that may exist in 5.5.x too. This instance is on Apache 2.4 on Linux.

      Description

      Bug description

      When X-Forwarded-Proto contains multiple comma-separated values, and CDSSO is used together with the override URL/Port/Host settings, the CDSSO flow breaks with:

      HTTP Status 404 - /openam/http,%20://test.internal.forgerock.net:6800/headers/dumpheaders.pl
      type Status report
      message /openam/http,%20://test.internal.forgerock.net:6800/headers/dumpheaders.pl
      description The requested resource is not available.
      Apache Tomcat/8.0.44
      

      with the debug logs showing

      2018-10-20 15:17:43.354 +0800   DEBUG [0x7f3a4bfff700:25072][source/process.c:1767] do_cookie_set_generic(): X-AMAGENT-TX=AIXqbtWLA2HiS8oiITwTTwgKQ09s1qaJuDJTkV6fmasyVdKfwAekVf+UkG11rxZ8WJXOX7ISkrjuJcFZhBKEU2xz/N7kqYHXjBZ3+8VoZpLvWvH71NgKAJNN42sRXovr67NEF8cxqjZnYiHug0WJx5tw1FNPnMWBs37SkoBzDL85GsOLlMzSgECusFRdz1tx2VyHauEsWz5pVDeg2GCGdQ==;Max-Age=30;Expires=Thu, 20-Oct-2018 07:18:13 GMT;Path=/
      2018-10-20 15:17:43.354 +0800   DEBUG [0x7f3a4bfff700:25072][source/post_data_handler.c:548] create_cdsso_or_pdp_redirect_url(): (cdsso get mode) redirecting to: http://test.internal.forgerock.com:8080/openam/cdcservlet?RequestID=324F5DAB12866066F18479986FBC8AD3B3AF6E2E372370BC100F611ABD94BBDD&MajorVersion=1&MinorVersion=0&ProviderID=http%3A%2F%test.internal.forgerock.net%3A6800%2Famagent&IssueInstant=2018-10-20T07%3A17%3A43Z&goto=http%2C%20%3A%2F%test.internal.forgerock.net%3A6800%2Fheaders%2Fdumpheaders.pl%3Fampostpreserve%3D35ffeca5-a167-8c46-8ff9-7ecca4344f66
      

      Caused by

      How to reproduce the issue

      1. AM installed
      2. WPA 4.2.0.0 (web on another domain) with CDSSO enabled
      3. Enable the Advanced Override URL/Host/Port settings
      4. Test that this works first
      5. Now make sure that every web request that hits the agent adds an "X-Forwarded-Proto" header. On Apache you can inject this value just for testing ("RequestHeader set X-Forwarded-Proto "http, http"")
      6. Observe the error

      Expected behaviour
      Even when the override URL is used, the X-Forwarded-* headers should not cause an issue.

      Current behaviour
      X-Forwarded-Proto causes an issue when the override URL is enabled.
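      As an added illustration of the expected behaviour above (example code, not the agent's own source, which this ticket does not show): a C routine that takes only the first comma-separated value of X-Forwarded-Proto, accepts it only if it is http or https, and otherwise falls back to a configured scheme, beside the naive splice that produces a goto of the "http, http://..." shape. The host, path and the `fallback` parameter are assumed inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Naive pattern (the failure mode in the ticket): the raw header value is
 * spliced in as the URL scheme, so "http, http" yields "http, http://...". */
const char *build_goto_naive(char *out, size_t outsz, const char *xfp,
                             const char *host, const char *path)
{
    snprintf(out, outsz, "%s://%s%s", xfp, host, path);
    return out;
}

/* Copy the first comma-separated token of X-Forwarded-Proto (the value added
 * by the outermost proxy) into 'scheme', trimmed and lower-cased. Returns 1
 * only for exactly "http"/"https" followed by nothing but whitespace/comma. */
int first_forwarded_proto(const char *xfp, char *scheme, size_t schemesz)
{
    size_t n = 0;
    const char *p = xfp ? xfp : "";
    while (*p && isspace((unsigned char)*p))
        p++;
    while (*p && *p != ',' && !isspace((unsigned char)*p)) {
        if (n + 1 >= schemesz) {        /* too long to be http/https */
            scheme[n] = '\0';
            return 0;
        }
        scheme[n++] = (char)tolower((unsigned char)*p++);
    }
    scheme[n] = '\0';
    while (*p && isspace((unsigned char)*p))
        p++;
    if (*p && *p != ',')                /* garbage after the token */
        return 0;
    return strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0;
}

/* Hardened: use the validated first value; otherwise fall back to the scheme
 * the agent is configured with (the override URL scheme, assumed here). */
const char *build_goto_hardened(char *out, size_t outsz, const char *xfp,
                                const char *fallback, const char *host, const char *path)
{
    char scheme[8];
    if (!first_forwarded_proto(xfp, scheme, sizeof scheme))
        snprintf(scheme, sizeof scheme, "%s", fallback);
    snprintf(out, outsz, "%s://%s%s", scheme, host, path);
    return out;
}
```

      Even the first value is only meaningful when the header comes from a proxy or CDN you control; a client-supplied X-Forwarded-Proto should be stripped or overwritten at the edge before it reaches the agent.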
      

      Work around

      Remove the X-Forwarded-Proto header, or drop it at the point where traffic is terminated to the WPA.

      Code analysis

      Caused by 4.1.34 -> 4.1.0-40 and also present in 4.2.0.0.
      May also affect the Varnish-related agents (in 5.x.x).


              People

              Assignee: mareks Mareks Malnacs
              Reporter: chee-weng.chea C-Weng C