OpenAM / OPENAM-9626

Broken FacebookSocialAuthenticationService with DuplicateRequestParameterValidator

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Cannot Reproduce
    • Affects Version/s: 13.5.0
    • Fix Version/s: None
    • Component/s: authentication, oauth2
    • Sprint: Sprint "Anise" 113 - Turing, Sprint "Baharat" 114 - Turing

      Description

      We are experiencing broken social login support in 13.5 for FB (as the one we play with); the redirect URI is broken like this.

      The FB login icon opens this link:

      https://myiot-am.openrock.org:8043/openam/XUI/?realm=/connectedcar#login/&goto=https%3A%2F%2Fmyiot-am.openrock.org%3A8043%2Fopenam%2Foauth2%2Fconnectedcar%2Fauthorize%3Fresponse_type%3Dcode%26scope%3Dopenid%2520profile%2520email%2520uma_protection%2520uma_authorization%2520cn%2520sn%2520givenName%2520ou%2520mail%2520postalAddress%2520departmentNumber%2520physicalDeliveryOfficeName%2520facsimileTelephoneNumber%26client_id%3Dconnectedcar%26state%3DG6K6bVkRwml_tYg6m3p9xKacoEQ%26redirect_uri%3Dhttps%253A%252F%252Fmyiot-connectedcar.openrock.org%253A2443%252Fapp%26nonce%3DpVXWs6MJxmPL4vsDZq-RTwHhRI2ZmFKdhfh_Bm_sWQA&service=FacebookSocialAuthenticationService
      

      The org.forgerock.openam.authentication.modules.oauth2.OAuth#process sets the "ORIG_URL" cookie value to something like /openam?goto=.... and forwards the browser to Facebook.

      https://www.facebook.com/login.php?skip_api_login=1&api_key=XXXXXXXXXX&signed_next=1&next=https%3A%2F%2Fwww.facebook.com%2Fv2.5%2Fdialog%2Foauth%3Fredirect_uri%3Dhttps%253A%252F%252Fmyiot-am.openrock.org%253A8043%252Fopenam%252Foauth2c%252FOAuthProxy.jsp%26state%3Dixp58qtazlguztmx74q5l52ktqv0k2q%26scope%3Dpublic_profile%252Cemail%26response_type%3Dcode%26client_id%3DXXXXXXXXXX%26ret%3Dlogin%26logger_id%3Dc376287a-6c1a-4fac-afa6-8bf46e356021&cancel_url=https%3A%2F%2Fmyiot-am.openrock.org%3A8043%2Fopenam%2Foauth2c%2FOAuthProxy.jsp%3Ferror%3Daccess_denied%26error_code%3D200%26error_description%3DPermissions%2Berror%26error_reason%3Duser_denied%26state%3Dixp58qtazlguztmx74q5l52ktqv0k2q%23_%3D_&display=page&locale=en_EN&logger_id=c376287a-6c1a-4fac-afa6-8bf46e356021
      

      When Facebook redirects back to OAuthProxy.jsp, the org.forgerock.openam.authentication.modules.oauth2.OAuthProxy combines the stored value with the query parameters code=…&state=... and redirects to /openam?goto=....

      As the OPENAM-9597 issue is resolved, the combined URL contains the state parameter twice, which causes the problem with org.forgerock.oauth2.core.DuplicateRequestParameterValidator.
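      The failure mode described above (a stored redirect URL that already carries a state parameter, plus the provider's callback parameters appended verbatim, yielding a duplicate that a duplicate-parameter validator rejects) reproduced as an added, stand-alone illustration. This is not OpenAM's code and does not reproduce OAuthProxy's actual string handling; the ORIG_URL value, parameter values and function names are constructed for the example. The validator here only inspects top-level query parameters, so a state parameter nested inside an encoded goto value is not counted, which is why a concrete sample of the combined URL matters when reporting this kind of bug.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample: a stored return URL that already carries its own
# 'state' parameter (hypothetical values, not taken from the report above).
ORIG_URL = "/openam/oauth2/authorize?response_type=code&client_id=app&state=G6K6bV"


def naive_combine(orig_url: str, code: str, state: str) -> str:
    """Append the provider's callback parameters to the stored URL verbatim.

    Mirrors the bug pattern in the report: if orig_url already carries
    'state', the result carries 'state' twice.
    """
    sep = "&" if "?" in orig_url else "?"
    return f"{orig_url}{sep}{urlencode({'code': code, 'state': state})}"


def duplicate_params(url: str) -> list:
    """Return the sorted names of top-level query parameters that occur more than once.

    Only the URL's own query string is examined; parameters encoded inside
    another parameter's value (e.g. a nested goto target) are not expanded.
    """
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return sorted({n for n in names if names.count(n) > 1})


def validate_no_duplicates(url: str) -> str:
    """Reject a request URL that repeats any query parameter; return it unchanged otherwise."""
    dups = duplicate_params(url)
    if dups:
        raise ValueError(f"duplicate request parameter(s): {', '.join(dups)}")
    return url


def strict_combine(orig_url: str, code: str, state: str) -> str:
    """Combine like naive_combine but fail loudly instead of emitting a duplicate.

    Raising at the point of construction makes the collision visible in the
    component that built the URL rather than in a validator further downstream.
    """
    existing = {k for k, _ in parse_qsl(urlsplit(orig_url).query, keep_blank_values=True)}
    clash = existing & {"code", "state"}
    if clash:
        raise ValueError(f"stored URL already carries: {', '.join(sorted(clash))}")
    return naive_combine(orig_url, code, state)


if __name__ == "__main__":
    combined = naive_combine(ORIG_URL, "abc123", "ixp58qtazlgu")
    print(combined)
    print("duplicates:", duplicate_params(combined))
    try:
        validate_no_duplicates(combined)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block prints the combined URL, reports `state` as the duplicated parameter, and shows the rejection the validator would produce.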


              People

              • Assignee: Phill Cunnington (phillcunnington)
              • Reporter: Laszlo Hordos (laszlo)
              • Votes: 0
              • Watchers: 4
