Currently, OpenAM JSON REST is using Restlet API to do redirection. And this redirection uses Reference class that requires base reference(scheme://host:port).
http://restlet.com/technical-resources/restlet-framework/javadocs/2.2/osgi/api/org/restlet/data/Reference.html

    protected void doCatch(Throwable throwable) {
        if (throwable instanceof OAuthProblemException) {
            OAuthProblemException exception = (OAuthProblemException) throwable;

            if (exception.getStatus().equals(Status.REDIRECTION_TEMPORARY)){
                Redirector redirector =
                        new Redirector(new Context(), exception.getRedirectUri().toString(), Redirector.MODE_CLIENT_PERMANENT);
                redirector.handle(getRequest(), getResponse());
                return;

We can change OpenAMIdentityVerifier in a way that it will use original Reference, but if users had loadbalancer as well as reverse proxy, then there isn't much OpenAM can do since HttpServletRequest objects holds information from last proxy which is running in HTTP and original Reference will use whatever scheme + hostname reverse proxy was using.

Jonathan Thomas This is still a problem :

Daemon Thread [http-bio-18080-exec-29] (Suspended (breakpoint at line 566 in ResourceOwnerSessionValidator))	
	owns: SocketWrapper<E>  (id=317)	
	ResourceOwnerSessionValidator.getAuthURL(HttpServletRequest) line: 566	
	ResourceOwnerSessionValidator.buildDefaultLoginUrl(OAuth2Request, String, String, AuthenticationMethod, String) line: 499	
	ResourceOwnerSessionValidator.authenticationRequired(OAuth2Request) line: 479	
	ResourceOwnerSessionValidator.validate(OAuth2Request) line: 249	
	AuthorizationService.authorize(OAuth2Request) line: 173	
	AuthorizeResource.authorize() line: 114	

And the code is :

    private String getAuthURL(HttpServletRequest request) {
        return request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort()
                + request.getContextPath() + "/UI/Login";
    }

You can workaround the problem by specifying "ProxyPreserveHost on" in Apache Reverse Proxy http.conf, but otherwise it will display the issue.
Also, it is a little bit concerning that we are constructing hard coded login URI.

Another workaround is to define "Custom Login URL Template" on [Advanced] tab of under OAuth2Provider service

I don't see this fixed in OpenAM 13.5.2-M6 Build 27646dc847 (2017-September-22 10:32) 

Steps to reproduce:

1. install oauth2 service on OpenAM and add site with url path.to.apache:80/openam
2. install apache as reverse proxy for OpenAM
3. curl http://path.to.apache:80/openam/oauth2/authorize

Config of reverse proxy:

<VirtualHost *:80>
    ServerName path.to.apache
    #ProxyPreserveHost On

    ProxyPass / http://amqa-clone74.test.forgerock.com:8080/
    ProxyPassReverse / http://amqa-clone74.test.forgerock.com:8080/

</VirtualHost>

And response is:

            pageData = {
                realm : "/",
                baseUrl: "http://amqa-clone74.test.forgerock.com:8080/openam/XUI",
                error: {
                    description: "Missing parameter, \'client_id\'",
                    message: "invalid_request"
                }
            }

Ľubomír Mlích Thank you for testing. Wondering if you have assigned "Basic URL" service to your realm and configured fixed URL that points to proxy?

Sachiko Wallace Thanks for help with testing. When I set Basic URL service as you suggest, I see redirect to the proxy in 13.5.1 and in 13.5.2.-M6 - I can't reproduce the bug this way.

Ľubomír Mlích Could you give me link to the binary please?

venu alla This may not be a best place to post questions as it sounds like it's to do with how you've setup your OpenAM. Could you ping me on hipchat when you are available and provide more details on how you've setup your OpenAM?

Sachiko Wallace here:
13.5.2-M6
13.5.1

Was left at reopened - looks to be resolved.