Bug description
Below I have used http://am.localtest.me:8080/openam for illustration but replace this with your local deployment of AM as required.
When posting to `http://am.localtest.me:8080/openam/json/users?_action=validateGoto`, AM is unable to determine whether the redirect URL is relative to the request URL so it rejects any URL that is not in the allowlist already.
How to reproduce the issue
- Log in to AM and get the value of your iPlanetDirectoryPro cookie.
- Send the following cURL command to AM:
```bash
curl --request POST \
  --url 'http://am.localtest.me:8080/openam/json/users?_action=validateGoto' \
  --header 'accept-api-version: protocol=2.1,resource=3.0' \
  --header 'content-type: application/json' \
  --cookie 'amlbcookie=01; iPlanetDirectoryPro=<your-cookie>' \
  --data '{"goto":"http://am.localtest.me:8080/openam/ui-admin/#configure/authentication"}'
```
Expected behaviour
```
HTTP 200
{ "successURL": "/ui-admin/#configure/authentication" }
```
Current behaviour
```
HTTP 200
{ "successURL": "/openam/console" }
```
Workaround
Create a Validation Service instance and add your AM domain to the Valid goto URL Resources list.
Code analysis
org.forgerock.openam.core.rest.IdentityResourceV2
```java
Promise<ActionResponse, ResourceException> validateGoto(final Context context, final ActionRequest request) {
    final JsonValue jVal = request.getContent();
    JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
    try {
        SSOTokenManager mgr = SSOTokenManager.getInstance();
        SSOToken ssoToken = mgr.createSSOToken(getCookieFromServerContext(context));
        String gotoURL = urlValidator.getRedirectUrl(
                ssoToken.getProperty(ISAuthConstants.ORGANIZATION),
                urlValidator.getValueFromJson(jVal, RedirectUrlValidator.GOTO),
                ssoToken.getProperty("successURL"),
                null); // request argument is null here, so no relative-URL comparison can be made
        // ... remainder of the method not included in this report
```
The last argument to getRedirectUrl is the request, which the validator uses to compare against the goto URL and determine whether the goto URL is relative to it. Here null is passed because the request is not available at this point, so the comparison never happens and only the allowlist check remains.
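To show what the missing request context costs, here is an added Python model of the origin check that validateGoto skips when the request argument is null. This is illustration code, not AM's implementation; the deployment context path `/openam`, the default success URL, and the allowlist as a list of origin URLs are assumptions taken from the values in this report.

```python
from urllib.parse import urlsplit

# Constructed from the report's values; not AM's real configuration.
DEFAULT_SUCCESS_URL = "/openam/console"
CONTEXT_PATH = "/openam"


def origin(url):
    """Return (scheme, hostname, port) with the default port filled in, for strict origin comparison."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def validate_goto(goto, allowlist, request_url=None, default=DEFAULT_SUCCESS_URL):
    """Model of validateGoto: keep relative gotos, reduce same-origin absolute gotos to a
    path under the deployment URI, otherwise require an allowlist entry.

    request_url=None reproduces the reported behaviour: with no request to compare
    against, a same-origin absolute URL cannot be recognised and falls back to the allowlist.
    """
    parts = urlsplit(goto)
    # A plain relative reference has neither scheme nor authority. A scheme-relative
    # URL such as //evil.example/ has an authority and therefore is NOT relative.
    if not parts.scheme and not parts.netloc:
        return goto
    # Same origin as the request: strip the context path and return a relative success URL.
    if request_url is not None and origin(goto) == origin(request_url):
        path = parts.path
        if path.startswith(CONTEXT_PATH):
            path = path[len(CONTEXT_PATH):] or "/"
        query = "?" + parts.query if parts.query else ""
        fragment = "#" + parts.fragment if parts.fragment else ""
        return path + query + fragment
    # Any other absolute URL must match an allowlisted origin exactly (scheme, host and port).
    if origin(goto) in {origin(entry) for entry in allowlist}:
        return goto
    return default
```

A hostname match alone is not enough: the origin tuple also pins the scheme and port, so `http://am.localtest.me/...` on port 80 and a userinfo trick like `http://am.localtest.me:8080@evil.example/` are both refused.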