OPENAM-12288

Oauth2 rfc6749 - client has more than one redirection URI and the redirect_uri parameter is not set, do not inform the resource owner of an invalid_request error

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.2
    • Fix Version/s: None
    • Component/s: oauth2
    • Labels:
    • Environment:
      CentOS7
      Java 1.8.0_131
      Apache Tomcat Version 8.5.15

      Description

      Bug description

      The user should see an invalid_request error when the client has two redirect URIs configured and the authorization request carries no redirect_uri. The error is raised when the HTTP parameter is present but empty, but not when the parameter is absent altogether.

      I have verified that the error is not in 13.5.2-M11 and that it is in 13.5.2-RC1, and there are 7 commits between them which could cause this.

      Also test failure with screenshot can be seen at https://ci.forgerock.org/job/OpenAM-13.x/job/OpenAM-13.x-Functional-Tests-Stable/1404/Temper_Report/class-com.forgerock.openam.functionaltest.oauth2.rfc6749.AuthorizationEndpoint.html#91c0dd7c573f493175362ef926e94c1df7ede63d725312b22b3d5345564d8157

      How to reproduce the issue

      1. Top-level realm -> Configure OAuth Provider -> Configure OpenID Connect -> Create
      2. Top-level realm -> Agents -> OAuth 2.0/OpenID Connect Client -> New (enter name and password)
      3. Configure your new client to have two Redirection URIs and scopes openid profile
      4. Try OpenAM as an OpenID Connect provider using the Basic Client Profile for example using openid
      5. Catch the request using the network traffic analyzer in Firefox and copy it as a curl command (context menu of that request)
      6. Paste the curl request into a terminal, remove the redirect_uri parameter and send the request
      Expected behaviour
      $ curl 'http://amqa-clone74.test.forgerock.com:8080/openam/oauth2/authorize?response_type=code&client_id=myClientID&realm=%2F&scope=openid%20profile&state=af0ifjsldkj' -H 'Host: amqa-clone74.test.forgerock.com:8080' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: cs,sk;q=0.8,en-US;q=0.5,en;q=0.3' --compressed -H 'Referer: http://amqa-clone74.test.forgerock.com:8080/openid/basic.html' -H 'Cookie: JSESSIONID=A0B3ACB2C7763C80ED6374F02DF60D3C; _ga=GA1.2.667400259.1507719512; _mkto_trk=id:366-PUR-475&token:_mch-forgerock.com-1508401700023-94233; ei_client_id=5a32806416963d0016f3b376; trwv.uid=forgerockorg-1508401699865-a93595f0%3A8; amlbcookie=01; iPlanetDirectoryProStaff=AQIC5wM2LY4SfcyDRwT-by9EgqpyPQf_eZonfuT8czqybh8.*AAJTSQACMDIAAlNLABIzNzI0NjMzMzM3NDM4MTA3MDIAAlMxAAIwMQ..*; i18next=cs; amlbcookie=01; _gid=GA1.2.104144581.1515146612; iPlanetDirectoryPro=AQIC5wM2LY4SfcxvWjN0_2hBJYd7SWUi14hMkdYa0Zq2Y48.*AAJTSQACMDEAAlNLABQtODMxMDY0NzM3MTg1NDg2NDk2MQACUzEAAA..*' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1'
      <!DOCTYPE html>
      <!--
        ~ DO NOT REMOVE COPYRIGHT NOTICES OR THIS HEADER.
        ~
        ~ Copyright 2012-2015 ForgeRock AS.
        ~
        ~ The contents of this file are subject to the terms
        ~ of the Common Development and Distribution License
        ~ (the License). You may not use this file except in
        ~ compliance with the License.
        ~
        ~ You can obtain a copy of the License at
        ~ http://forgerock.org/license/CDDLv1.0.html
        ~ See the License for the specific language governing
        ~ permission and limitations under the License.
        ~
        ~ When distributing Covered Code, include this CDDL
        ~ Header Notice in each file and include the License file
        ~ at http://forgerock.org/license/CDDLv1.0.html
        ~ If applicable, add the following below the CDDL Header,
        ~ with the fields enclosed by brackets [] replaced by
        ~ your own identifying information:
        ~ "Portions Copyrighted [year] [name of copyright owner]"
        ~
        ~ Portions Copyrighted 2014 Nomura Research Institute, Ltd
        -->
      <html lang="en">
      <head>
          <meta charset="utf-8">
          <meta http-equiv="X-UA-Compatible" content="IE=edge">
          <meta name="viewport" content="width=device-width, initial-scale=1">
          <meta name="description" content="OAuth2 Error">
          <title>OAuth2 Error Page</title>
      </head>
      
      <body style="display:none">
          <div id="wrapper">Loading...</div>
          <footer id="footer" class="footer"></footer>
          <script type="text/javascript">
                          pageData = {
                      realm : "/",
                      baseUrl: "http://amqa-clone74.test.forgerock.com:8080/openam/XUI",
                      error: {
                          description: "Missing parameter: redirect_uri",
                          message: "invalid_request"
                      }
                  }
          </script>
          <script data-main="http://amqa-clone74.test.forgerock.com:8080/openam/XUI/main-authorize" src="http://amqa-clone74.test.forgerock.com:8080/openam/XUI/libs/requirejs-2.1.14-min.js"></script>
      </body>
      </html>
      
      
      Current behaviour
      $ curl 'http://amqa-clone70.test.forgerock.com:8080/openam/oauth2/authorize?response_type=code&client_id=myClientID&realm=%2F&scope=openid%20profile&state=af0ifjsldkj' -H 'Host: amqa-clone70.test.forgerock.com:8080' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: cs,sk;q=0.8,en-US;q=0.5,en;q=0.3' --compressed -H 'Referer: http://amqa-clone70.test.forgerock.com:8080/openid/basic.html' -H 'Cookie: JSESSIONID=6656ECD47C68C50FFE93011B08637EBB; _ga=GA1.2.667400259.1507719512; _mkto_trk=id:366-PUR-475&token:_mch-forgerock.com-1508401700023-94233; ei_client_id=5a32806416963d0016f3b376; trwv.uid=forgerockorg-1508401699865-a93595f0%3A8; amlbcookie=01; iPlanetDirectoryProStaff=AQIC5wM2LY4SfcyDRwT-by9EgqpyPQf_eZonfuT8czqybh8.*AAJTSQACMDIAAlNLABIzNzI0NjMzMzM3NDM4MTA3MDIAAlMxAAIwMQ..*; i18next=cs; amlbcookie=01; _gid=GA1.2.104144581.1515146612; iPlanetDirectoryPro=AQIC5wM2LY4SfcxmhboyXvTy2FX7KdmLzbftSP2Q9s9-74s.*AAJTSQACMDEAAlNLABMyMDEzMzU1NTcwOTk4MTk0Mjg0AAJTMQAA*' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1'
      <!DOCTYPE html>
      <!--
        ~ DO NOT REMOVE COPYRIGHT NOTICES OR THIS HEADER.
        ~
        ~ Copyright 2012-2017 ForgeRock AS.
        ~
        ~ The contents of this file are subject to the terms
        ~ of the Common Development and Distribution License
        ~ (the License). You may not use this file except in
        ~ compliance with the License.
        ~
        ~ You can obtain a copy of the License at
        ~ http://forgerock.org/license/CDDLv1.0.html
        ~ See the License for the specific language governing
        ~ permission and limitations under the License.
        ~
        ~ When distributing Covered Code, include this CDDL
        ~ Header Notice in each file and include the License file
        ~ at http://forgerock.org/license/CDDLv1.0.html
        ~ If applicable, add the following below the CDDL Header,
        ~ with the fields enclosed by brackets [] replaced by
        ~ your own identifying information:
        ~ "Portions Copyrighted [year] [name of copyright owner]"
        ~
        ~ Portions Copyrighted 2014 Nomura Research Institute, Ltd
        -->
      <html lang="en">
          <head>
              <meta charset="utf-8">
              <meta http-equiv="X-UA-Compatible" content="IE=edge">
              <meta name="viewport" content="width=device-width, initial-scale=1">
              <meta name="description" content="OAuth2 Authorization">
              <title>OAuth2 Authorization Server</title>
          </head>
      
          <body style="display:none">
              <div id="wrapper">Loading...</div>
              <footer id="footer" class="footer"></footer>
              <script type="text/javascript">
                  pageData = {
                      realm: "/",
                      
                      serverLang: "cs",
                      baseUrl : "http://amqa-clone70.test.forgerock.com:8080/openam/XUI",
                      oauth2Data: {
                          
                          scope: "openid profile",
                          state: "af0ifjsldkj",
                          
                          
                          csrf: "AQIC5wM2LY4SfcxmhboyXvTy2FX7KdmLzbftSP2Q9s9-74s.*AAJTSQACMDEAAlNLABMyMDEzMzU1NTcwOTk4MTk0Mjg0AAJTMQAA*",
                          displayDescription: "",
                          responseType: "code",
                          clientId: "myClientID",
                          formTarget: "/openam/oauth2/authorize?response_type=code&client_id=myClientID&realm=%2F&scope=openid%20profile&state=af0ifjsldkj",
                          displayName: "myClientID",
                          userName: "amAdmin",
                          
                          
                          displayScopes: [ { "name": "Your personal information", "values": { "Given name": "amAdmin", "Family name": "amAdmin", "Full name": "amAdmin" } } ],
                          displayClaims: [  ]
                      }
                  };
              </script>
              <script data-main="http://amqa-clone70.test.forgerock.com:8080/openam/XUI/main-authorize" src="http://amqa-clone70.test.forgerock.com:8080/openam/XUI/libs/requirejs-2.1.14-min.js"></script>
          </body>
      </html>
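
      The RFC 6749 section 3.1.2.3 rule this report is about, as an added Python example that is not OpenAM's code: the client registration (two URIs for myClientID, plus a constructed singleUriClient) is made up, while the authorize URL is the one from the report. It treats the two cases the reporter contrasts (redirect_uri absent vs. present but empty) identically, and also covers the single-URI default and the mismatch case, where the server must inform the resource owner and must not redirect.

```python
"""Added example (not OpenAM code): RFC 6749 3.1.2.3 redirect_uri check.
If a client registered more than one redirection URI, redirect_uri is
REQUIRED; when it is missing or does not match, the authorization server
must inform the resource owner directly and MUST NOT redirect anywhere."""
from urllib.parse import urlsplit, parse_qs

# Constructed registrations: the client from the report has two URIs.
REGISTERED = {
    "myClientID": ["https://rp.example/cb1", "https://rp.example/cb2"],
    "singleUriClient": ["https://rp.example/only"],
}


def check_redirect_uri(authorize_url: str) -> dict:
    """Return {'ok': True, 'redirect_uri': ...} or an error dict that must
    be rendered to the resource owner (never sent as a redirect)."""
    # keep_blank_values=True is the important detail: with the default
    # (False) an empty 'redirect_uri=' silently disappears from the map,
    # so 'present but empty' and 'absent' must be handled the same way.
    params = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    client_id = params.get("client_id", [""])[0]
    registered = REGISTERED.get(client_id)
    if not registered:
        return {"ok": False, "error": "invalid_request",
                "description": "Unknown client_id"}
    redirect_uri = params.get("redirect_uri", [""])[0]
    if redirect_uri == "":
        if len(registered) == 1:
            # A single registered URI may serve as the default (3.1.2.3).
            return {"ok": True, "redirect_uri": registered[0]}
        return {"ok": False, "error": "invalid_request",
                "description": "Missing parameter: redirect_uri"}
    if redirect_uri not in registered:  # simple string comparison (3.1.2.3)
        return {"ok": False, "error": "invalid_request",
                "description": "Redirect URI mismatch"}
    return {"ok": True, "redirect_uri": redirect_uri}


# The request from the report (no redirect_uri at all) and the variant with
# an empty parameter: both must reach the resource owner as invalid_request.
REPORT_REQUEST = ("http://amqa-clone74.test.forgerock.com:8080/openam/oauth2/"
                  "authorize?response_type=code&client_id=myClientID&realm=%2F"
                  "&scope=openid%20profile&state=af0ifjsldkj")
EMPTY_REQUEST = REPORT_REQUEST + "&redirect_uri="

if __name__ == "__main__":
    for url in (REPORT_REQUEST, EMPTY_REQUEST):
        print(check_redirect_uri(url))
```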
      

      People

      • Assignee: Unassigned
      • Reporter: Ľubomír Mlích (lubomir.mlich)
      • Votes: 0
      • Watchers: 3