OpenIDM / OPENIDM-15196

Fullstack with social IDP provisioning - arbitrary redirect_uri value is not respected

    Details

    • Target Version/s:
    • Verified Version/s:
    • Story Points: 3
    • Sprint: Team UI - 2020.12
    • Support Ticket IDs:

      Description

      Problem

      In an AM/IDM 6.5 fullstack environment where social authentication is used and provisioning is delegated to IDM, if an arbitrary redirect_uri is sent when the flow is initiated, the flow completes, but instead of being directed to the redirect_uri value the user is directed to the IDM 6.5 end-user UI.

      This is reportedly a regression in behaviour from IDM 5.x.

      To reproduce

      Initial setup - follow the documentation:

      1). Set up IDM 6.5.0.4 (also tested with 6.5.0.2) and AM 6.5.2.3.

      2). Configure IDM and AM for fullstack, then configure social IDP so that IDM is responsible for account creation. Use Google for this scenario. For user registration, do not enable the email verification or KBA options, to keep the flow simple; these options should nevertheless be verified as part of the resolution of this issue.

      3). Verify that the flow works as expected: access IDM, be redirected to AM, choose the Google icon, authenticate to Google, and the flow should end on the IDM end-user UI with the account provisioned from the details returned by Google.

      Problem verification:

      1). Instead of initiating the flow from the IDM UI, paste the following URL into the browser (adjusting hostnames, ports and the AM deployment URI where necessary):

      http://openam.example.com:8080/am6523/oauth2/authorize?nonce=csavirrg0ix18vqfe20p0p8yqsirg9z&response_type=code&client_id=openidm&redirect_uri=http://openam.example.com:8080/test&scope=openid&code_challenge=PqpR38P1ZmgYMCIgfQty7zFOABIL4Fcz7mwMCItJO5k&code_challenge_method=S256&state=j20f81xv6opjhdij0g8rq4siz5rfwvu

      ...note the presence of the arbitrary redirect_uri (http://openam.example.com:8080/test) in place of the IDM end-user UI.

      2). On the AM login page that is presented, again choose the Google option. The flow completes, but instead of ending at the redirect_uri specified in the initial request it again ends on the end-user UI, which is the value set in authentication.json as:

      "redirectUri" : "http://openidm.example.com:8081",
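      The URL pasted in step 1 carries a fixed code_challenge, nonce and state. The following is an added example (not code from the OpenIDM or AM projects) that generates a fresh PKCE verifier/challenge pair, builds an equivalent authorization request against the hostnames used in this report, and then checks the URL the browser finally lands on against the requested redirect_uri and state, which is the check that turns this report into a pass/fail test. The helper names, the base URL http://openam.example.com:8080/am6523 and the landing URLs in the usage section are assumptions taken from the reproduction steps above; the code_verifier at the token endpoint is whatever make_code_verifier returned for the request.

```python
"""PKCE authorization request builder plus a landing-URL check.

Added example for OPENIDM-15196; not OpenIDM or AM project code.
Hostnames, client_id and redirect URIs mirror the report above (assumptions).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def make_code_verifier(nbytes: int = 32) -> str:
    """Random PKCE code_verifier (RFC 7636 section 4.1: 43..128 unreserved chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(am_base: str, client_id: str, redirect_uri: str,
                        code_challenge: str, state: str, nonce: str) -> str:
    """Authorization code request with PKCE, same parameters as the URL in step 1."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
        "nonce": nonce,
    }
    return f"{am_base}/oauth2/authorize?{urlencode(params)}"


def redirect_respected(final_url: str, expected_redirect_uri: str, expected_state: str) -> bool:
    """True only if the browser ended on the requested redirect_uri carrying our state and a code.

    Scheme, host:port and path must match the requested redirect_uri; a landing on
    the IDM end-user UI (the authentication.json redirectUri) therefore fails.
    A different state also fails, so a response to some other request is not accepted.
    """
    got, want = urlsplit(final_url), urlsplit(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path.rstrip("/")) != (want.scheme, want.netloc, want.path.rstrip("/")):
        return False
    query = parse_qs(got.query)
    return query.get("state") == [expected_state] and "code" in query


if __name__ == "__main__":
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    url = build_authorize_url("http://openam.example.com:8080/am6523", "openidm",
                              "http://openam.example.com:8080/test",
                              s256_challenge(verifier), state, nonce)
    print("paste into the browser:", url)
    print("keep the code_verifier for the token request:", verifier)
    # Constructed landing URLs for the two outcomes described in the report:
    print(redirect_respected(f"http://openam.example.com:8080/test?code=abc&state={state}",
                             "http://openam.example.com:8080/test", state))   # expected behaviour
    print(redirect_respected("http://openidm.example.com:8081/#/dashboard",
                             "http://openam.example.com:8080/test", state))   # behaviour reported here
```

      The check deliberately compares the requested redirect_uri rather than any value that AM or IDM would accept, so it fails both for the end-user UI landing described in step 2 and for a correct landing that carries a state other than the one sent, which is what a regression test for this issue needs.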

            People

            • Assignee: Victor Ortega (victor.ortega)
            • Reporter: Andy Itter (andy.itter)
            • Votes: 0
            • Watchers: 9
