When using a tree with the OpenID Connect node and its OpenID Connect Validation type set to Well known URL, the call to the well-known/openid-configuration endpoint is not proxied, even when a proxy is configured using either org.forgerock.openam.httpclienthandler.system.proxy.enabled or org.forgerock.openam.httpclienthandler.system.proxy.uri (OPENAM-17493) and org.forgerock.openam.httpclienthandler.system.nonProxyHosts (OPENAM-17608).
Summary: As per OPENAM-17493, except that in the tree on the SP, use the OpenID Connect node, not the Social OAuth2 node, then set the OpenID Connect Validation type to Well known URL and set the well-known endpoint of the IdP as the value.
- Deployed 2 AM servers, http://openam.amtest2.com:8080/access (IdP/OAuth2Provider) and http://sp.amtest2.com:7080/access (the SP/OAuth2Client). Used embedded config and user store for both and port ranges of 50xxx for the IdP and 57xxx for the SP.
- In the SP, configured the following in /opt/tomcat-9.0.31/bin/setenv.sh: JAVA_OPTS="-Dhttp.proxyHost=openam.amtest2.com -Dhttp.proxyPort=80 -Dhttp.proxyUser=demo -Dhttp.proxyPassword=test123 -Dhttps.proxyHost=openam.amtest2.com -Dhttps.proxyPort=443 -Dhttps.proxyUser=demo -Dhttps.proxyPassword=test1234 -Dorg.forgerock.allow.http.client.debug=true" (Note: the last value enables logging of debug output from the HTTP client in OtherLogging).
- Added the snippet at the bottom of this post to /etc/httpd/conf/httpd.conf:
- Then cd /etc/httpd
- htpasswd -c password.file demo (Entered and confirmed password of test123)
- Created group.file in the same folder with the following contents: usergroup: demo
- On IdP (openam.amtest2.com:8080), top level realm, created OAuth2 provider
- Then created an OAuth2 client, testoauth, with secret password, scopes openid and profile, and redirect URL http://sp.amtest2.com:7080/access
- On SP (sp.amtest2.com:7080), top level realm, created a tree called testsp. Tree configuration: Start -> OpenID Connect node; Account exists -> Success; No account exists -> Failure
- The OpenID Connect settings were as defined at the bottom of this post.
- Restarted SP.
- Used http://sp.amtest2.com:7080/access?service=testsp to perform the login. Verified I was redirected to the IdP, logged in as demo, was asked for consent, and was then redirected back to the SP and shown the User profile page.
- On SP, in Deployment -> Servers -> server -> Advanced settings, added: org.forgerock.openam.httpclienthandler.system.proxy.enabled = true
- Restarted SP.
- Used Logback.jsp to increase logging for OtherLogging to message level.
- Repeated the login flow (step 13). Logged in as demo at the IdP, provided consent and was redirected back to the SP where I saw a Login error.
- Reviewed OtherLogging file.
Request is sent via proxy and proxy authentication is included.
Could see the request for the well-known endpoint being sent directly to the openam.amtest2.com:8080 server, not via the proxy. Also, no Proxy-Authorization header was added:
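As an added check (example code, not from this report or from ForgeRock), the script below parses the Apache forward proxy's access log from the SP side of the setup above and reports which IdP endpoints were actually fetched through the proxy and by which proxy user, so the symptom (well-known document fetched directly, without Proxy-Authorization) can be confirmed independently of OtherLogging. The sample log lines and the AM endpoint paths under /access/oauth2 are constructed assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Apache combined-log line as written by a forward proxy: the request line carries the
# absolute URL, and the proxy-authenticated user sits in the remote-user field ('-' if none).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample (hypothetical values): the token and userinfo calls went through the
# proxy as user "demo", but no request for the well-known document appears at all.
SAMPLE_ACCESS_LOG = """\
10.0.0.7 - demo [10/Mar/2021:10:15:02 +0000] "POST http://openam.amtest2.com:8080/access/oauth2/access_token HTTP/1.1" 200 1342 "-" "Java/11"
10.0.0.7 - demo [10/Mar/2021:10:15:02 +0000] "GET http://openam.amtest2.com:8080/access/oauth2/userinfo HTTP/1.1" 200 213 "-" "Java/11"
"""


def parse_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per well-formed access-log line; lines that do not parse are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(line) for line in text.splitlines()) if m]


def proxied_paths(entries: List[Dict[str, str]], idp_base: str) -> Dict[str, Optional[str]]:
    """Map each IdP path that reached the proxy to the proxy user that sent it
    (None when the proxy logged '-', i.e. the request carried no Proxy-Authorization)."""
    base = urlsplit(idp_base)
    out: Dict[str, Optional[str]] = {}
    for entry in entries:
        url = urlsplit(entry["url"])
        if url.scheme == base.scheme and url.netloc == base.netloc:
            out[url.path] = None if entry["user"] == "-" else entry["user"]
    return out


def well_known_via_proxy(entries: List[Dict[str, str]], well_known_url: str) -> bool:
    """True only if the discovery document was fetched through the proxy by an authenticated
    proxy user; False reproduces the symptom in the report (direct fetch or missing auth)."""
    wk = urlsplit(well_known_url)
    return proxied_paths(entries, f"{wk.scheme}://{wk.netloc}").get(wk.path) is not None


if __name__ == "__main__":
    entries = parse_proxy_log(SAMPLE_ACCESS_LOG)
    wk_url = "http://openam.amtest2.com:8080/access/oauth2/.well-known/openid-configuration"
    print("via proxy:", proxied_paths(entries, "http://openam.amtest2.com:8080"))
    print("well-known proxied:", well_known_via_proxy(entries, wk_url))
```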
OAuth2 Node settings on SP:
Configuration added to bottom of httpd.conf: