OpenIDM / OPENIDM-12207

UI login fails with non-ASCII username or password


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: OpenIDM 5.5.0, 6.5.0, 7.0.0, 6.0.0.2
    • Fix Version/s: 7.0.0, 6.0.0.6, 6.5.0.4
    • Component/s: None

      Description

      The login screens for IDM set three headers for authentication:

      • X-OpenIDM-Username
      • X-OpenIDM-Password
      • X-OpenIDM-Reauth-Password

      Web browsers cannot set header values containing non-ASCII characters, and will throw an error (see https://bugs.chromium.org/p/chromium/issues/detail?id=319694).

      To reproduce:

      1. Create a user and give them password Păssw0rd
      2. Try to log in using the password Păssw0rd
      3. Now, try logging in with the encoded password UTF-8''P%C4%83ssw0rd
      4. It works!

      We introduced support for RFC 5987 ( https://tools.ietf.org/html/rfc5987 ) encoding of username/password in OPENIDM-3187. The following JavaScript function could be used to encode any UTF-8 value set in the username/password headers:

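      function encodeRFC5987Value(str) {
          // Prefix with the charset and an empty language tag, then percent-encode as UTF-8.
          return "UTF-8''" + encodeURIComponent(str).
              // encodeURIComponent leaves ' ( ) unescaped; encode them as %27 %28 %29.
              replace(/['()]/g, escape).
              // It also leaves * unescaped; encode it as %2A.
              replace(/\*/g, '%2A').
              // | ` ^ are allowed unencoded by RFC 5987, so restore them.
              replace(/%(?:7C|60|5E)/g, unescape);
      }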
      

      One may want to check that any HTML text-input components are set to UTF-8, if possible.
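
A round-trip sketch of the encoding described above, as an added example that is not part of the original issue or OpenIDM's own code. `HEADER_SAFE`, `decodeRFC5987Value` and `buildAuthHeaders` are hypothetical names, and the decoder's pass-through of unprefixed values is an assumption of this sketch, not documented server behaviour.

```javascript
// Added example: hypothetical helpers, not OpenIDM UI or server code.
const HEADER_SAFE = /^[\x21-\x7E]*$/; // printable ASCII, no spaces or controls

// RFC 5987 ext-value: charset'language'percent-encoded UTF-8.
// Produces the same output as the function in the issue, without the
// deprecated escape()/unescape() globals.
function encodeRFC5987Value(str) {
  const pct = (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase();
  return "UTF-8''" + encodeURIComponent(str)
    .replace(/['()*]/g, pct) // left alone by encodeURIComponent, not attr-chars
    .replace(/%(7C|60|5E)/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Receiving side of the round trip (constructed for illustration).
function decodeRFC5987Value(value) {
  const m = /^UTF-8'([A-Za-z0-9-]*)'(.*)$/i.exec(value);
  if (!m) return value; // assumption: unprefixed values are plain ASCII
  // Accept only percent triplets and RFC 5987 attr-chars after the prefix.
  if (!/^(?:%[0-9A-Fa-f]{2}|[A-Za-z0-9!#$&+.^_`|~-])*$/.test(m[2])) {
    throw new Error("malformed ext-value");
  }
  return decodeURIComponent(m[2]); // throws URIError on invalid UTF-8
}

// Build the login headers named in the issue and refuse to return anything
// a browser would reject as a header value.
function buildAuthHeaders(username, password) {
  const headers = {
    "X-OpenIDM-Username": encodeRFC5987Value(username),
    "X-OpenIDM-Password": encodeRFC5987Value(password),
  };
  for (const [name, v] of Object.entries(headers)) {
    if (!HEADER_SAFE.test(v)) throw new Error(name + " is not header-safe");
  }
  return headers;
}

// Constructed sample input: the password from the reproduction steps.
const sample = buildAuthHeaders("openidm-admin", "P\u0103ssw0rd");
console.log(sample["X-OpenIDM-Password"]); // UTF-8''P%C4%83ssw0rd
```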


              People

              Assignee: Matthias Grabiak (matthias.grabiak)
              Reporter: Travis Haagen [X] (Inactive) (travis.haagen)
              QA Assignee: Son Nguyen