Major Bug description
Below I have used http://am.localtest.me:8080/openam for illustration but replace this with your local deployment of AM as required.
When posting to `http://am.localtest.me:8080/openam/json/users?_action=validateGoto`, AM is unable to determine whether the redirect URL is relative to the request URL so it rejects any URL that is not in the allowlist already.
How to reproduce the issue
- Login to AM and get the value of your iPlanetDirectoryPro cookie.
- Send the following cURL command to AM:
curl --request POST \ --url 'http://am.localtest.me:8080/openam/json/users?_action=validateGoto' \ --header 'accept-api-version: protocol=2.1,resource=3.0' \ --header 'content-type: application/json' \ --cookie 'amlbcookie=01; iPlanetDirectoryPro=<your-cookie>' \ --data '{"goto":"http://am.localtest.me:8080/openam/ui-admin/#configure/authentication"}'
Expected behaviour
HTTP 200
{
"successURL": "/ui-admin/#configure/authentication"
}
Current behaviour
HTTP 200
{
"successURL": "/openam/console"
}
Work around
Create a Validation Service instance and add your AM domain to the Valid goto URL Resources list
Code analysis
org.forgerock.openam.core.rest.IdentityResourceV2
Promise<ActionResponse, ResourceException> validateGoto(final Context context,
final ActionRequest request) {
final JsonValue jVal = request.getContent();
JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
try {
SSOTokenManager mgr = SSOTokenManager.getInstance();
SSOToken ssoToken = mgr.createSSOToken(getCookieFromServerContext(context));
String gotoURL = urlValidator.getRedirectUrl(ssoToken.getProperty(ISAuthConstants.ORGANIZATION),
urlValidator.getValueFromJson(jVal, RedirectUrlValidator.GOTO),
ssoToken.getProperty("successURL"), null);
The last value passed to getRedirectUrl is the request so that this can be used to compare the goto URL to check if it is relative. In this case a null is passed because we don't at this point have access to the request.