OPENAM-18153

OpenIdConnect node call to well-known endpoint does not support proxy settings



    • AM Sustaining Sprint 87, AM Sustaining Sprint 88, AM Sustaining Sprint 89



      When using a tree with the OpenID Connect node and OpenID Connect Validation Type set to Well Known URL, the call to the .well-known/openid-configuration endpoint is not proxied, even when a proxy is configured using org.forgerock.openam.httpclienthandler.system.proxy.enabled / org.forgerock.openam.httpclienthandler.system.proxy.uri (OPENAM-17493) and org.forgerock.openam.httpclienthandler.system.nonProxyHosts (OPENAM-17608).

      Reproduction steps:

      Summary: As per OPENAM-17493, except that in the tree on the SP, use the OpenIDConnect node, not the Social OAuth2 node, then define the OpenID Connect Validation type to be Well known URL and set the well-known endpoint of the IdP for the value.

      1. Deployed 2 AM servers, http://openam.amtest2.com:8080/access (IdP/OAuth2Provider) and http://sp.amtest2.com:7080/access (the SP/OAuth2Client). Used embedded config and user store for both and port ranges of 50xxx for the IdP and 57xxx for the SP.
      2. In SP, configured the following in /opt/tomcat-9.0.31/bin/setenv.sh: JAVA_OPTS="-Dhttp.proxyHost=openam.amtest2.com -Dhttp.proxyPort=80 -Dhttp.proxyUser=demo -Dhttp.proxyPassword=test123 -Dhttps.proxyHost=openam.amtest2.com -Dhttps.proxyPort=443 -Dhttps.proxyUser=demo -Dhttps.proxyPassword=test1234 -Dorg.forgerock.allow.http.client.debug=true" (Note: Last value enables logging of debug output from http client in OtherLogging).
      3. Added the snippet at the bottom of this post to /etc/httpd/conf/httpd.conf.
      4. Then cd /etc/httpd
      5. htpasswd -c password.file demo (Entered and confirmed password of test123)
      6. Created group.file also in same folder. Then added following contents: usergroup: demo
      7. On IdP (openam.amtest2.com:8080), top level realm, created OAuth2 provider
      8. Then created OAuth2 client, testoauth, secret password, scopes openid and profile. Redirect url: http://sp.amtest2.com:7080/access
      9. On SP (sp.amtest2.com:7080), top level realm, created tree called testsp. Configuration of tree was Start - OpenID Connect node, account exists - success, no account exists - Failure
      10. The OpenID Connect settings were as defined at the bottom of this post.
      11. Restarted SP.
      12. Used http://sp.amtest2.com:7080/access?service=testsp to perform the login. Verified I was redirected to IdP, logged in as demo, was asked for consent, and was then redirected back to SP and shown User profile page.
      13. On SP, in Deployment -> Servers -> server -> Advanced settings, added: org.forgerock.openam.httpclienthandler.system.proxy.enabled = true
      14. Restarted SP.
      15. Used Logback.jsp to increase logging for OtherLogging to message level.
      16. Repeated the login flow (step 13). Logged in as demo at IdP, provided consent and was redirected back to SP where I saw a Login error.
      17. Reviewed OtherLogging file.

      Expected behaviour:

      Request is sent via proxy and proxy authentication is included.

      Current behaviour:

      Could see the request for the well-known endpoint being sent directly to the openam.amtest2.com:8080 server, not via the proxy. Also, no Proxy-Authorization header was added:


      o.a.h.i.n.c.ManagedNHttpClientConnectionImpl: 2021-07-26 17:00:03,622: Thread[I/O dispatcher 3]: TransactionId[]
      DEBUG: http-outgoing-52<->[ACTIVE][rw:w]: 175 bytes written
      o.a.h.wire: 2021-07-26 17:00:03,622: Thread[I/O dispatcher 3]: TransactionId[]
      DEBUG: http-outgoing-52 >> "GET /access/oauth2/.well-known/openid-configuration HTTP/1.1[\r][\n]"
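      As an added check (not part of this issue or of AM's own code), the script below works out from the org.forgerock.openam.httpclienthandler.system.proxy.* settings whether the well-known call should go via the proxy and compares that with what the OtherLogging wire log actually shows: an origin-form request line (GET /access/...) means a direct connection, an absolute-form one (GET http://host/...) means the request went to a proxy. The log lines are constructed after the excerpt above, and the nonProxyHosts pattern syntax ('|' or ',' separated, '*' wildcards) is an assumption.

```python
import re
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed sample of the OtherLogging wire log, modelled on the issue's excerpt:
# http-outgoing-52 is the direct (buggy) call; http-outgoing-53 shows a proxied call with Basic proxy auth.
WIRE_LOG = r'''
DEBUG: http-outgoing-52 >> "GET /access/oauth2/.well-known/openid-configuration HTTP/1.1[\r][\n]"
DEBUG: http-outgoing-52 >> "Host: openam.amtest2.com:8080[\r][\n]"
DEBUG: http-outgoing-53 >> "GET http://openam.amtest2.com:8080/access/oauth2/.well-known/openid-configuration HTTP/1.1[\r][\n]"
DEBUG: http-outgoing-53 >> "Host: openam.amtest2.com:8080[\r][\n]"
DEBUG: http-outgoing-53 >> "Proxy-Authorization: Basic ZGVtbzp0ZXN0MTIz[\r][\n]"
'''
WELL_KNOWN = "http://openam.amtest2.com:8080/access/oauth2/.well-known/openid-configuration"
REQ_LINE = re.compile(r'(http-outgoing-\d+) >> "(\w+) (\S+) HTTP/1\.[01]\[\\r\]\[\\n\]"')
HDR_LINE = re.compile(r'(http-outgoing-\d+) >> "([\w-]+): (.*?)\[\\r\]\[\\n\]"')


def should_proxy(target_url, proxy_enabled, proxy_uri, non_proxy_hosts):
    """Expected routing for the AM settings (assumed: nonProxyHosts is '|' or ',' separated, '*' wildcards)."""
    if not proxy_enabled or not proxy_uri:
        return False
    host = (urlparse(target_url).hostname or "").lower()
    patterns = [p.strip().lower() for p in re.split(r"[|,]", non_proxy_hosts) if p.strip()]
    return not any(fnmatch(host, p) for p in patterns)


def analyse_wire_log(log_text, path):
    """Per connection requesting `path`: absolute-form target (sent to a proxy, RFC 7230 5.3.2) and Proxy-Authorization seen?"""
    conns = {}
    for line in log_text.splitlines():
        m = REQ_LINE.search(line)
        if m and m.group(3).endswith(path):
            conns[m.group(1)] = {"proxied": m.group(3).startswith("http://"), "proxy_auth": False}
        h = HDR_LINE.search(line)
        if h and h.group(1) in conns and h.group(2).lower() == "proxy-authorization":
            conns[h.group(1)]["proxy_auth"] = True
    return conns


def find_violations(log_text, well_known_url, proxy_enabled, proxy_uri, non_proxy_hosts):
    """Connections whose observed routing contradicts the configured proxy settings."""
    expected = should_proxy(well_known_url, proxy_enabled, proxy_uri, non_proxy_hosts)
    problems = []
    for conn, seen in sorted(analyse_wire_log(log_text, urlparse(well_known_url).path).items()):
        if expected and not seen["proxied"]:
            problems.append((conn, "sent directly to origin, not via proxy"))
        elif expected and not seen["proxy_auth"]:
            problems.append((conn, "proxied but no Proxy-Authorization header"))
        elif not expected and seen["proxied"]:
            problems.append((conn, "proxied although host matches nonProxyHosts"))
    return problems
```

      Run against a real OtherLogging file (with org.forgerock.allow.http.client.debug=true set, as in step 2), a report of "sent directly to origin" for the well-known connection is the symptom this issue describes.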


      OAuth2 Node settings on SP:

      Client ID: testoauth
      Client Secret: password
      Authentication endpoint: http://openam.amtest2.com:8080/access/oauth2/authorize
      Access token endpoint: http://openam.amtest2.com:8080/access/oauth2/access_token
      User profile service URL: http://openam.amtest2.com:8080/access/oauth2/userinfo
      OAuth2 scope: profile openid
      Scope delimiter: Leave blank, uses default of space character. But then throws an NPE in flight, so need to set a value.
      Redirect URL: http://sp.amtest2.com:7080/access
      Social Provider: oauth
      Auth ID Key: name
      Use Basic Auth: Enabled
      Account Provider: org.forgerock.openam.authentication.modules.common.mapping.DefaultAccountProvider
      Account Mapper: org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper
      Account Mapper configuration: name=uid
      Attribute mapper configuration: given_name=givenName, name=uid, family_name=sn, email=mail
      Save attributes in session: On
      Token issuer: http://openam.amtest2.com:8080/access/oauth2 
      OpenID Connect Validation Type: Well Known URL
      OpenID Connect Validation Value: http://openam.amtest2.com:8080/access/oauth2/.well-known/openid-configuration

      Configuration added to bottom of httpd.conf:

      # OPENAM-17493 Proxy with authentication configuration
      #LoadModule proxy_module modules/mod_proxy.so
      #LoadModule proxy_http_module modules/mod_proxy_http.so
      ProxyRequests On
      ProxyVia On
      # Forward proxy that requires Basic auth; password.file and group.file are
      # relative to ServerRoot (/etc/httpd), as created in steps 4-6 above.
      <Proxy *>
          Order deny,allow
          Allow from all
          AuthType Basic
          AuthName "Password Required"
          AuthUserFile password.file
          AuthGroupFile group.file
          Require group usergroup
      </Proxy>


      lawrence.yarham Lawrence Yarham