Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-9597

Goto URL with multiple query string parameters incorrectly decoded

    Details

    • Sprint:
      Sprint "Anise" 113 - Turing, Sprint "Baharat" 114 - Turing
    • Support Ticket IDs:

      Description

      OpenAM needs to be able to redirect an unauthenticated user to a specific URL after they authenticate. This URL may contain multiple query string parameters, such as "http://www.google.com/?foo=bar&hello=world". This URL it is expected to be encoded and passed into the XUI as a URL like so:

      /openam/XUI/#login/&goto=http%3A%2F%2Fwww.google.com%2F%3Ffoo%3Dbar%26hello%3Dworld

      The REST endpoint "/openam/json/authenticate" also expects to receive this URL as an encoded parameter. This is used to start the authentication process, and the goto URL provided to the authentication process will be retained throughout the lifetime of the session that will be created.

      The problem is that the encoded value passed into XUI is being decoded before it is passed to the authenticate endpoint. This is especially problematic when URLs contain multiple parameters, as it causes the URL-splitting logic to incorrectly parse the subsequent parameters of the goto URL as being additional parameters to the authenticate endpoint (unrelated to the goto URL). For example, the above would be passed in like so:

      /openam/json/authenticate?goto=http://www.google.com/?foo=bar&hello=world

      Thus, the value for the "goto" parameter would only be "http://www.google.com/?foo=bar", and there would be another (likely ignored) parameter "hello=world" treated separately.

      The expected behavior is for the XUI to submit this goto URL encoded, like so:

      /openam/json/authenticate?goto=http%3A%2F%2Fwww.google.com%2F%3Ffoo%3Dbar%26hello%3Dworld

      This is especially troublesome for the OAuth flow. In that case, the "authorize" endpoint redirects unauthenticated users to the XUI login page, with a URL like so:

      /openam/XUI/#login/&realm=%2F&goto=http%3A%2F%2Frich.example.com%3A8080%2Fopenam%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26scope%3Dopenid%2520profile%2520email%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A8443%252FoauthReturn.html%26state%3Dlogin%2526provider%253Dopenam%2526redirect_uri%253Dhttps%253A%252F%252Flocalhost%253A8443%252FoauthReturn.html%26client_id%3Dopenidm

      However when the XUI loads, it submits the goto URL it was provided to the "authenticate" endpoint without retaining the encoding, so that the authenticate endpoint only sees a goto URL with a value like so:

      http://rich.example.com:8080/openam/oauth2/authorize?response_type=code

      The remaining, critically-important OAuth parameters are missing from the URL, so that when the authentication process completes the authorization endpoint is unable to process the request and the user can't return to their requested application (the RP) with the authorization code.

        Attachments

          Issue Links

          caused

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-10752 Social Authentication in a subrealm without parameters causes loop in 13.5.1-SNAPSHOT

          • Major - Major loss of function.
          • Closed
          depends on

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9619 URL Parameters are ignored during login

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9630 Oauth2 authorise endpoint not encoding goto url causing query params to be lost

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9662 XUI does not correctly set link to return to login page in CDSSO deployments

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9664 "Return to Login Page" link after logout does not encode the goto URL

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-5547 Agent behaviour when appending goto= to LoginURLs is not compatible with XUI login URL

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9664 "Return to Login Page" link after logout does not encode the goto URL

          • Major - Major loss of function.
          • Closed
          is required by

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9626 Broken FacebookSocialAuthenticationService with DuplicateRequestParameterValidator

          • Blocker - Blocks development and/or testing work, production could not run.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9719 session upgrade fails in combination with SAML-based SSO

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. OPENAM-9664 "Return to Login Page" link after logout does not encode the goto URL

          • Major - Major loss of function.
          • Closed

            Activity

              People

              • Assignee:
                julian.kigwana@forgerock.com Julian Kigwana [X] (Inactive)
                Reporter:
                jake.feasel Jake Feasel
                QA Assignee:
                Filip Kubáň [X] (Inactive)
              • Votes:
                1 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: