OpenAM: OPENAM-11157

Oauth2/OIDC Authentication redirect goto value wrong when behind reverse proxy

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 13.5.0, 14.0.0, 14.1.1
• Fix Version/s: 13.5.2, 6.0.0, 5.5.2
• Component/s: authentication
• Labels:
• Sprint: AM Sustaining Sprint 44
• Story Points: 3
• Needs backport: No
• Support Ticket IDs:
• Verified Version/s:
• Needs QA verification: Yes
• Functional tests: No
• Are the reproduction steps defined?: Yes but I used my own steps. (If so, please add them in a new comment)

Description

When AM detects that the session needs to be authenticated, the "goto" parameter in the redirect Location Response Header has the wrong value when AM is installed behind a reverse proxy (Apache 2.4). This has happened with an OAuth2/OIDC flow and a Web Agent flow.

AM is setting the "goto" value to the internal FQDN instead of the external FQDN.

OAuth2/OIDC:

https://idp.frdpcloud.com/openam/oauth2/authorize?response_type=id_token&scope=email%20openid%20profile&nonce=9418&client_id=frdpoidc&redirect_uri=https://idp.frdpcloud.com/apps/oidc/token.html

Request Headers:

GET /openam/oauth2/authorize?response_type=id_token&scope=email%20openid%20profile&nonce=9418&client_id=frdpoidc&redirect_uri=https://idp.frdpcloud.com/apps/oidc/token.html HTTP/1.1
Host: idp.frdpcloud.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://idp.frdpcloud.com/apps/oidc/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: i18next=en-US; amlbcookie=01

Response Headers:

HTTP/1.1 301 Moved Permanently
Date: Thu, 11 May 2017 20:59:40 GMT
Server: Restlet-Framework/2.3.4
Access-Control-Max-Age: 1000
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Server
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Allow-Origin: https://idp.frdpcloud.com
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store
Accept-Ranges: bytes
Location: https://idp.frdpcloud.com/openam/UI/Login?realm=%2F&goto=http%3A%2F%2Fdemo.idp.local%3A18080%2Fopenam%2Foauth2%2Fauthorize%3Fresponse_type%3Did_token%26scope%3Demail%2520openid%2520profile%26nonce%3D9418%26client_id%3Dfrdpoidc%26redirect_uri%3Dhttps%253A%252F%252Fidp.frdpcloud.com%252Fapps%252Foidc%252Ftoken.html
Vary: Accept-Charset,Accept-Encoding,Accept-Language,Accept
Pragma: no-cache
Content-Length: 0
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive

Web Agent (Separate issue generated to cover the Web Agent flow as the issues here are distinct - OPENAM-12074)

https://idp.frdpcloud.com/web/index.html

Request Headers:

GET /web/index.html HTTP/1.1
Host: idp.frdpcloud.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Cookie: i18next=en-US

Response Headers:

HTTP/1.1 302 Found
Date: Mon, 15 May 2017 16:02:42 GMT
Server: Apache/2.4.25 (Unix) OpenAM Web Agent/4.1.0
Access-Control-Max-Age: 1000
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Server
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Allow-Origin: https://idp.frdpcloud.com
Location: https://idp.frdpcloud.com/openam/UI/Login?goto=http%3A%2F%2Fdemo.idp.local%3A10080%2Fweb%2Findex.html
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 241
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

Other aspects of AM appear to be working fine with the reverse proxy.

Set the following:

• Updated cookie domains to include the external FQDN
• DNS Aliases contains the external FQDN (via updating sites / server)
• Created a Site ... added to Server
• Created Service: Base URL Source ... (fixed issue with .well-known payload)
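A quick way to verify a proxied deployment after applying the configuration above is to look at the goto parameter the login redirect carries rather than at the Location header as a whole: the outer URL in both captures is already correct, and only the embedded goto names the internal host and port. The script below is an added example, not code from this issue or from OpenAM. It decodes the goto value from a Location header and flags a host that differs from the external FQDN the client used or a scheme that differs from the external one. The sample set pairs the two Location headers quoted in this issue with their Host header, plus one constructed healthy case; the helper names (extract_goto, check_goto, audit) are this example's own.

```python
"""Check the goto parameter in an AM login redirect against the external origin.

Added example, not part of OPENAM-11157 or of OpenAM itself. It parses the
Location header of the 301/302 that sends the browser to /openam/UI/Login and
reports when the embedded goto URL names a host or scheme other than the one
the client actually used (the external FQDN in front of the reverse proxy).
A wrong goto both breaks the post-login redirect and discloses the internal
hostname and port to the client.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample set: (external Host header, Location header). The first two
# Location values are the ones quoted in the issue; the third is a made-up
# healthy case in which goto already points at the external FQDN over https.
SAMPLES = [
    ("idp.frdpcloud.com",
     "https://idp.frdpcloud.com/openam/UI/Login?realm=%2F&goto=http%3A%2F%2Fdemo.idp.local%3A18080"
     "%2Fopenam%2Foauth2%2Fauthorize%3Fresponse_type%3Did_token%26scope%3Demail%2520openid%2520profile"
     "%26nonce%3D9418%26client_id%3Dfrdpoidc%26redirect_uri%3Dhttps%253A%252F%252Fidp.frdpcloud.com"
     "%252Fapps%252Foidc%252Ftoken.html"),
    ("idp.frdpcloud.com",
     "https://idp.frdpcloud.com/openam/UI/Login?goto=http%3A%2F%2Fdemo.idp.local%3A10080%2Fweb%2Findex.html"),
    ("idp.frdpcloud.com",
     "https://idp.frdpcloud.com/openam/UI/Login?goto=https%3A%2F%2Fidp.frdpcloud.com%2Fweb%2Findex.html"),
]


def extract_goto(location):
    """Return the percent-decoded goto value from a Location header, or None."""
    values = parse_qs(urlsplit(location).query).get("goto")
    return values[0] if values else None


def check_goto(external_host, location, external_scheme="https"):
    """Classify one login redirect.

    Returns {"goto": ..., "origin": ..., "findings": [...]}. findings is empty
    when the redirect is consistent with the external origin and otherwise holds:
      "missing"           no goto parameter at all
      "host-mismatch"     goto host is not the external FQDN (e.g. an internal name)
      "scheme-downgrade"  goto scheme differs from the external one (http vs https)
    """
    goto = extract_goto(location)
    if goto is None:
        return {"goto": None, "origin": None, "findings": ["missing"]}
    parts = urlsplit(goto)
    findings = []
    # hostname strips any :port, so an internal port such as 18080 is reported
    # through the host comparison rather than hidden inside a netloc string.
    if parts.hostname != external_host.lower():
        findings.append("host-mismatch")
    if parts.scheme.lower() != external_scheme:
        findings.append("scheme-downgrade")
    return {"goto": goto, "origin": f"{parts.scheme}://{parts.netloc}", "findings": findings}


def audit(samples):
    """Run check_goto over (host, location) pairs and return only the failing ones."""
    results = ((host, check_goto(host, loc)) for host, loc in samples)
    return [(host, r) for host, r in results if r["findings"]]


if __name__ == "__main__":
    for host, result in audit(SAMPLES):
        print(f"{host}: goto origin {result['origin']} -> {', '.join(result['findings'])}")
```

Run against the two captures above it reports an origin of http://demo.idp.local:18080 and http://demo.idp.local:10080 respectively, each with both a host mismatch and an http-for-https scheme downgrade; the constructed healthy case produces no findings. The same check can be pointed at live responses (curl -I with the external Host header) to confirm the fix in a deployment.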

People

• Assignee: adam.heath Adam Heath
• Reporter: sfehrman Scott Fehrman [X] (Inactive)
• Votes: 1
• Watchers: 14