Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-11935

redirect_uri should be required in the OAuth2 authorization request


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.0.0, 13.5.1, 14.1.1
    • Fix Version/s: 13.5.3, 6.5.0, 6.0.1, 5.5.2
    • Component/s: None
    • Labels:
    • Sprint:
      AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52, AM Sustaining Sprint 53, AM Sustaining Sprint 54, AM Sustaining Sprint 55
    • Story Points:
    • Needs backport:
    • Support Ticket IDs:
    • Needs QA verification:
    • Functional tests:
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description


      Bug description

      If an OAuth2 agent has less than or more than one redirect_uri configured, OpenAM server will return "invalid_request Missing parameter: redirect_uri" when accessing the /authorize endpoint without specifying a redirect_uri parameter in the request.

      If an OAuth2 agent has one redirect_uri configured, the authorization server will return an authorization code upon successful authentication but if the client attempts to use this authorization code to get an access token, without specifying a redirect_uri parameter in the request, OpenAM returns "invalid_request Missing parameter: redirect_uri".

      How to reproduce the issue

      Details steps outlining how to recreate the issue (remove this text)

      1. Configure OAuth2 Provider via Common Tasks
      2. Create OAuth2 agent
      3. Set up 0/1/2 redirect_uri on the agent profile
      4. Send request to /authorize endpoint without specifying redirect_uri (if less or more than one, it will error here)
      5. If no error returned at the last step, send request to /access_token using the authorization code returned in the previous step and the error will return here.
      Expected behaviour
      OpenAM seems to be expecting a redirect_uri to be specified in the request so it should return an error in the /authorize response if the redirect_uri parameter is not set in the request.
      Current behaviour
      "Missing parameter" error returns at different stages of the process, it is inconsistent.

      Work around


      Code analysis





            • Assignee:
              lawrence.yarham Lawrence Yarham
              aaron.haskins Aaron Haskins
            • Votes:
              0 Vote for this issue
              6 Start watching this issue


              • Created: