[OPENAM-11935] redirect_uri should be required in the OAuth2 authorization request Created: 11/Oct/17  Updated: 30/Jul/19  Resolved: 03/Oct/18

Status: Resolved
Project: OpenAM
Component/s: None
Affects Version/s: 13.0.0, 13.5.1, 14.1.1
Fix Version/s: 13.5.3, 6.5.0, 6.0.1, 5.5.2

Type: Bug Priority: Major
Reporter: Aaron Haskins Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52, AM Sustaining Sprint 53, AM Sustaining Sprint 54, AM Sustaining Sprint 55
Story Points: 3
Needs backport:
Yes
Support Ticket IDs:
Needs QA verification:
No
Functional tests:
Yes
Are the reproduction steps defined?:
Yes and I used the same as in the description

Description

Bug description

If an OAuth2 agent has less than or more than one redirect_uri configured, OpenAM server will return "invalid_request Missing parameter: redirect_uri" when accessing the /authorize endpoint without specifying a redirect_uri parameter in the request.

If an OAuth2 agent has one redirect_uri configured, the authorization server will return an authorization code upon successful authentication but if the client attempts to use this authorization code to get an access token, without specifying a redirect_uri parameter in the request, OpenAM returns "invalid_request Missing parameter: redirect_uri".

How to reproduce the issue


  1. Configure OAuth2 Provider via Common Tasks
  2. Create OAuth2 agent
  3. Set up 0/1/2 redirect_uri values on the agent profile
  4. Send a request to the /authorize endpoint without specifying redirect_uri (if zero or more than one redirect_uri is configured, the error is returned here)
  5. If no error was returned at the last step, send a request to /access_token using the authorization code returned in the previous step; the error is returned here.

Expected behaviour

OpenAM seems to be expecting a redirect_uri to be specified in the request, so it should return an error in the /authorize response if the redirect_uri parameter is not set in the request.

Current behaviour

The "Missing parameter" error is returned at different stages of the flow depending on how many redirect_uri values are configured, which is inconsistent.

Work around

None

Code analysis

None



Comments
Comment by Peter Major [X] (Inactive) [ 01/Dec/17 ]

The ticket summary says request_uri, the description talks about redirect_uri. Which is it?

Comment by Aaron Haskins [ 01/Dec/17 ]

Summary now updated to match the description.

Comment by Lawrence Yarham [ 19/Sep/18 ]

When reproducing this bug I noticed the following (which is expected behaviour), so I am just capturing it here for reference:

If I perform the authorize request with no redirect_uri, e.g.

https://openam.example.com:8443/openam/oauth2/authorize?response_type=code&scope=openid%20profile&client_id=testoauth

and then perform the access_token request including the redirect_uri param, e.g.

curl -k --request POST "https://openam.example.com:8443/openam/oauth2/access_token" -H 'content-type: application/x-www-form-urlencoded' --data "code=qtZ6jfY0yXtpiRYnuI1JSi9g_VM&client_id=testoauth&grant_type=authorization_code&client_secret=<password>&redirect_uri=<the configured redirect uri on the OAuth2 client>"

then the access_token endpoint fails because the redirect_uri under which it was issued does not match that being used for the lookup.  The response received is a 400 with the following:

{"error_description":"The provided access grant is invalid, expired, or revoked.","error":"invalid_grant"}

and in the OAuth2Provider logs, the following is seen

ERROR: Authorization code was issued with a different redirect URI, <authorization code>. Expected, null, actual, <the configured redirect uri on the OAuth2 client>

With the fix for this JIRA in place, performing the request to the access_token endpoint with no redirect_uri (when only one redirect uri is configured on the client) succeeds and enables the access_token to be retrieved successfully (assuming that the authorize endpoint was also called with no redirect_uri present).

Similarly, requesting the authorize endpoint and including a redirect_uri and then using the same redirect_uri on the subsequent access_token call also enables the access_token to be retrieved successfully.
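The redirect_uri rules described in the ticket and in the comment above, as an added example (not OpenAM's code): a small model of the /authorize and /access_token checks in which an absent redirect_uri is accepted only when the client has exactly one registered, and the token request must repeat exactly what the authorize request carried, including carrying nothing. Client registrations, URIs and codes are constructed; the error strings for the unregistered-URI case are assumed, the others are quoted from the ticket.

```python
"""Model of redirect_uri checks in the OAuth2 authorization-code flow (RFC 6749
3.1.2.3 / 4.1.3). Added example for this ticket, not OpenAM code; all data constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets

@dataclass
class Client:
    client_id: str
    redirect_uris: List[str]

@dataclass
class IssuedCode:
    client_id: str
    # redirect_uri exactly as sent on /authorize, None when absent: this is the
    # value the token request must match ("Expected, null" in the ticket's log line).
    redirect_uri: Optional[str]

def error(code: str, description: str) -> dict:
    return {"error": code, "error_description": description}

class AuthorizationServer:
    def __init__(self, clients: List[Client]):
        self.clients = {c.client_id: c for c in clients}
        self.codes: Dict[str, IssuedCode] = {}

    def authorize(self, client_id: str, redirect_uri: Optional[str] = None) -> dict:
        """/authorize: an absent redirect_uri is acceptable only with exactly one registered."""
        client = self.clients[client_id]
        if redirect_uri is None:
            if len(client.redirect_uris) != 1:
                return error("invalid_request", "Missing parameter: redirect_uri")
            target = client.redirect_uris[0]
        elif redirect_uri in client.redirect_uris:
            target = redirect_uri
        else:  # unregistered URI: never redirect to it, fail in place (RFC 6749 3.1.2.4)
            return error("invalid_request", "redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(20)
        self.codes[code] = IssuedCode(client_id, redirect_uri)  # store the requested value, not target
        return {"code": code, "redirect_uri": target}

    def access_token(self, client_id: str, code: str, redirect_uri: Optional[str] = None) -> dict:
        """/access_token: redirect_uri is required iff /authorize carried it, and must be identical."""
        issued = self.codes.pop(code, None)  # authorization codes are single use
        if issued is None or issued.client_id != client_id or issued.redirect_uri != redirect_uri:
            return error("invalid_grant", "The provided access grant is invalid, expired, or revoked.")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

The one-registered-URI client reproduces the fixed behaviour (no redirect_uri on either call succeeds; redirect_uri only on the token call gives invalid_grant), and the two-URI client reproduces the "Missing parameter" rejection at /authorize.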

Comment by Lawrence Yarham [ 04/Oct/18 ]

The backports for 5.5.x and 13.5.x resolve the second para of the reported issue, i.e.:

If an OAuth2 agent has one redirect_uri configured, the authorization server will return an authorization code upon successful authentication but if the client attempts to use this authorization code to get an access token, without specifying a redirect_uri parameter in the request, OpenAM returns "invalid_request Missing parameter: redirect_uri".

However, for the first para, there is an existing and related issue that these backports were not able to address:

If an OAuth2 agent has less than or more than one redirect_uri configured, OpenAM server will return "invalid_request Missing parameter: redirect_uri" when accessing the /authorize endpoint without specifying a redirect_uri parameter in the request.

If I configure the client to have 2 redirect uris, then perform an authorize request with no redirect uri included, this does not immediately fail with a 'missing parameter' failure as it does in 6.0.x and latest master.  Instead the user is authenticated (if not already) and the consent page is shown.  Once the user has given consent, the error message 'Invalid request Failed to resolve the redirect URI' is shown.  This is a limitation of this backport fix, as the changes in 6.0.x mean that a number of other dependencies would also have to be backported, as a result of changes within the OAuth2 request validation code.
