OpenAM / OPENAM-13151

OAuth2 Dynamic Registration does not accept Private-Use URI (for native apps) as redirect_uri

    Details

    • Sprint:
      AM Sustaining Sprint 51
    • Story Points:
      2
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Problem
      Dynamic client registration cannot accept a private-use URI as the redirect_uri for the client registration; it only accepts known URL schemes such as http:// or https://.

      The following error is returned when a redirect_uri such as "mobileauth://test" is used:

      {"error_description":"One or more redirect_uri values are invalid.","error":"invalid_redirect_uri"}
      

      with the following exception in OAuth2Provider:

      Caused by: org.forgerock.oauth2.restlet.OAuth2RestletException: One or more redirect_uri values are invalid.
              at org.forgerock.oauth2.restlet.DynamicClientRegistration.createClient(DynamicClientRegistration.java:93)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.restlet.resource.ServerResource.doHandle(ServerResource.java:520)
              ... 76 more
      

      Testcase

      1. Follow the steps in OPENAM-4193.
      2. Verify that it works: a new client is registered.
      3. Replace the redirect_uri with, say, "mobileauth://test/111" and observe that registration fails with the exception above.

      Expected

      A private-use URI for redirect_uri is accepted and the client can be registered.
      

      Observed

      A private-use URI for redirect_uri is rejected: the client cannot be registered and the exception above is thrown.
      

      Workaround
      Use the http:// or https:// scheme.

      Code

      The code in OpenAMOpenIdConnectClientRegistrationService.java uses a URLValidator (built on the URL(String) constructor), which fails for any unknown scheme. These classes appear to use OpenIDConnectURLValidator.java, so the change belongs there:

      OpenIDConnectURLValidator.java:
      Change it to use URI(String) instead of URL(String), with the extra code needed to handle the requirements in https://tools.ietf.org/html/rfc8252, e.g. (for private-use URIs):

         Following the requirements of [RFC3986] Section 3.2, as there is no
         naming authority for private-use URI scheme redirects, only a single
         slash ("/") appears after the scheme component.  A complete example
         of a redirect URI utilizing a private-use URI scheme:
           com.example.app:/oauth2redirect/example-provider
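      As an added example (not OpenAM's code), the following Java class contrasts the URL(String) constructor used today with the proposed URI(String) parsing, and adds a separate check for the RFC 8252 private-use form quoted above; the class and method names are assumptions for illustration.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;

// Added example, not OpenAM code: contrasts URL(String) with URI(String) for
// validating a redirect_uri and adds the RFC 8252 private-use scheme check.
public class RedirectUriCheck {

    // Current behaviour: URL(String) only accepts schemes that have a registered
    // protocol handler, so "mobileauth://..." throws "unknown protocol".
    static boolean acceptedByUrl(String value) {
        try {
            new URL(value);
            return true;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    // Proposed direction: URI(String) parses any syntactically valid scheme.
    // An absolute URI is required; a relative reference is not a redirect target.
    static boolean acceptedByUri(String value) {
        try {
            return new URI(value).getScheme() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // RFC 8252 section 7.1 form for private-use schemes: reverse-domain scheme,
    // no authority component, so exactly one "/" follows the scheme.
    static boolean isRfc8252PrivateUse(String value) {
        try {
            URI uri = new URI(value);
            String scheme = uri.getScheme();
            return scheme != null && scheme.contains(".")
                && uri.getRawAuthority() == null
                && uri.getRawPath() != null && uri.getRawPath().startsWith("/");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: a web redirect, the RFC's own example,
        // and the value used in this ticket's test case.
        String[] samples = {
            "https://client.example.org/callback",
            "com.example.app:/oauth2redirect/example-provider",
            "mobileauth://test/111"
        };
        for (String s : samples) {
            System.out.printf("%-52s URL=%-5b URI=%-5b RFC8252=%b%n",
                s, acceptedByUrl(s), acceptedByUri(s), isRfc8252PrivateUse(s));
        }
    }
}
```

      Note that the ticket's own test value mobileauth://test/111 has an authority component (two slashes after the scheme), so it parses as a URI but does not match the single-slash private-use form the RFC describes.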

      Impact analysis
      Changing URL to URI probably has no impact.

      People

      • Assignee:
        chee-weng.chea C-Weng C
      • Reporter:
        chee-weng.chea C-Weng C
      • Votes:
        0
      • Watchers:
        2