[OPENAM-5130] OAuth2 authorization will redirect using scheme://hostname:port of OpenAM server rather than reverse proxy Created: 25/Nov/14  Updated: 23/Jan/20  Resolved: 23/Jan/20

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 11.0.2
Fix Version/s: 14.5.0, 14.1.2

Type: Bug Priority: Major
Reporter: Sachiko Wallace Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to OPENAM-5237 OAuth2 authorization consent page use... Resolved
relates to OPENAM-11157 Oauth2/OIDC Authentication redirect g... Resolved
is related to OPENAM-3659 OAuth2 auth module uses HttpServletRe... Resolved
is related to OPENAM-3660 RedirectCallbackHander uses HttpServl... Resolved
Sprint: AM Sustaining Sprint 41, AM Sustaining Sprint 42
Story Points: 3
Needs backport:
Support Ticket IDs:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes, and I used the same as in the description


When accessing /oauth2/authorize without a tokenID, the OpenAM server will try to redirect the user to the login page using the scheme://hostname:port of the OpenAM server rather than that of the reverse proxy.

Daemon Thread [http-18080-1] (Suspended (breakpoint at line 208 in OpenAMIdentityVerifier))
OpenAMIdentityVerifier.getAuthURL(Request) line: 208
OpenAMIdentityVerifier.redirect(Request, Response) line: 155
OpenAMIdentityVerifier.authenticate(Request, Response) line: 140
OpenAMIdentityVerifier.verify(Request, Response) line: 86
AuthorizeServerResource(AbstractFlow).getAuthenticatedResourceOwner() line: 394
AuthorizeServerResource.represent() line: 109
NativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]
NativeMethodAccessorImpl.invoke(Object, Object[]) line: 57
DelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 43
Method.invoke(Object, Object...) line: 606
AuthorizeServerResource(ServerResource).doHandle(AnnotationInfo, Variant) line: 506
AuthorizeServerResource(ServerResource).get(Variant) line: 707
AuthorizeServerResource(ServerResource).doHandle(Variant) line: 589
AuthorizeServerResource(ServerResource).doNegotiatedHandle() line: 649
AuthorizeServerResource(ServerResource).doConditionalHandle() line: 348
AuthorizeServerResource(AbstractFlow).doConditionalHandle() line: 166
AuthorizeServerResource(ServerResource).handle() line: 952
OAuth2FlowFinder(Finder).handle(Request, Response) line: 246

Comment by Sachiko Wallace [ 07/Dec/14 ]

Currently, OpenAM JSON REST is using the Restlet API to do redirection, and this redirection uses the Reference class, which requires a base reference (scheme://host:port).

    protected void doCatch(Throwable throwable) {
        if (throwable instanceof OAuthProblemException) {
            OAuthProblemException exception = (OAuthProblemException) throwable;

            if (exception.getStatus().equals(Status.REDIRECTION_TEMPORARY)) {
                // Redirect the client to the URI carried by the exception
                Redirector redirector =
                        new Redirector(new Context(), exception.getRedirectUri().toString(), Redirector.MODE_CLIENT_PERMANENT);
                redirector.handle(getRequest(), getResponse());
            }
        }
    }

We can change OpenAMIdentityVerifier in a way that it will use the original Reference, but if users had a load balancer as well as a reverse proxy, then there isn't much OpenAM can do, since the HttpServletRequest object holds information from the last proxy, which is running over HTTP, and the original Reference will use whatever scheme + hostname the reverse proxy was using.

Comment by Sachiko Wallace [ 24/Aug/17 ]

Jonathan Thomas This is still a problem:

Daemon Thread [http-bio-18080-exec-29] (Suspended (breakpoint at line 566 in ResourceOwnerSessionValidator))	
	owns: SocketWrapper<E>  (id=317)	
	ResourceOwnerSessionValidator.getAuthURL(HttpServletRequest) line: 566	
	ResourceOwnerSessionValidator.buildDefaultLoginUrl(OAuth2Request, String, String, AuthenticationMethod, String) line: 499	
	ResourceOwnerSessionValidator.authenticationRequired(OAuth2Request) line: 479	
	ResourceOwnerSessionValidator.validate(OAuth2Request) line: 249	
	AuthorizationService.authorize(OAuth2Request) line: 173	
	AuthorizeResource.authorize() line: 114	

And the code is:

    private String getAuthURL(HttpServletRequest request) {
        // Scheme, host and port are taken from the request as received by OpenAM itself
        return request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort()
                + request.getContextPath() + "/UI/Login";
    }

You can work around the problem by specifying "ProxyPreserveHost on" in the Apache reverse proxy http.conf, but otherwise it will display the issue.
Also, it is a little bit concerning that we are constructing a hard-coded login URI.
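As an added example (not OpenAM's code), here is a getAuthURL that avoids the hard-coded scheme://host:port problem discussed in this ticket: it prefers an administrator-configured external base URL (the role the Basic URL service's fixed URL plays in this thread) and otherwise honours X-Forwarded-Proto/Host only when they arrive from a trusted proxy. The Request record, LoginUrlBuilder and the trusted-proxy set are hypothetical stand-ins for the servlet request and AM configuration.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not OpenAM code: build the login redirect target for an
// OAuth2 authorization server that sits behind a reverse proxy.
public final class LoginUrlBuilder {
    // Hypothetical stand-in for HttpServletRequest (same values, no servlet jar needed).
    public record Request(String scheme, String serverName, int serverPort,
                          String contextPath, String remoteAddr, Map<String, String> headers) {}
    // DNS name or IPv4 literal with an optional port; IPv6 literals are not handled here.
    private static final Pattern HOST_PORT = Pattern.compile("^[A-Za-z0-9.-]+(?::\\d{1,5})?$");
    private final String configuredBaseUrl;   // "scheme://host[:port]" of the proxy, or null
    private final Set<String> trustedProxies; // peer addresses allowed to set X-Forwarded-*

    public LoginUrlBuilder(String configuredBaseUrl, Set<String> trustedProxies) {
        this.configuredBaseUrl = configuredBaseUrl;
        this.trustedProxies = trustedProxies;
    }

    public String getAuthURL(Request request) {
        // 1) A configured external base URL wins, however many proxies sit in front.
        if (configuredBaseUrl != null) {
            return configuredBaseUrl + request.contextPath() + "/UI/Login";
        }
        // 2) Otherwise start from the request, which reflects the last hop: behind
        //    Apache that is the backend's own host:port unless ProxyPreserveHost is on.
        String scheme = request.scheme();
        String hostPort = request.serverName() + ":" + request.serverPort();
        // 3) Honour X-Forwarded-Proto/Host only from a proxy we trust; an arbitrary
        //    client must not be able to choose the host we redirect to.
        if (trustedProxies.contains(request.remoteAddr())) {
            String fProto = first(request.headers().get("X-Forwarded-Proto"));
            String fHost = first(request.headers().get("X-Forwarded-Host"));
            if (fProto != null) scheme = fProto;
            if (fHost != null) hostPort = fHost;
        }
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("unexpected scheme: " + scheme);
        }
        if (!HOST_PORT.matcher(hostPort).matches()) {
            throw new IllegalArgumentException("malformed host: " + hostPort);
        }
        return scheme + "://" + hostPort + request.contextPath() + "/UI/Login";
    }

    // Headers may be comma-separated chains; the first entry is the hop nearest the client.
    private static String first(String header) {
        if (header == null || header.isBlank()) return null;
        return header.split(",")[0].trim();
    }
}
```

With configuredBaseUrl set to "http://path.to.apache:80" the result for context path "/openam" is http://path.to.apache:80/openam/UI/Login regardless of what the backend sees; with it unset and no trusted proxy, the result is built from the backend's own scheme, host and port, which is the behaviour this ticket describes.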

Comment by Sachiko Wallace [ 24/Aug/17 ]

Another workaround is to define "Custom Login URL Template" on the [Advanced] tab of the OAuth2Provider service.

Comment by Ľubomír Mlích [ 26/Sep/17 ]

I don't see this fixed in OpenAM 13.5.2-M6 Build 27646dc847 (2017-September-22 10:32) 

Steps to reproduce:

  1. install the oauth2 service on OpenAM and add a site with the URL path.to.apache:80/openam
  2. install Apache as a reverse proxy for OpenAM
  3. curl http://path.to.apache:80/openam/oauth2/authorize

Config of reverse proxy:

<VirtualHost *:80>
    ServerName path.to.apache
    #ProxyPreserveHost On

    ProxyPass / http://amqa-clone74.test.forgerock.com:8080/
    ProxyPassReverse / http://amqa-clone74.test.forgerock.com:8080/
</VirtualHost>


And response is:

            pageData = {
                realm : "/",
                baseUrl: "http://amqa-clone74.test.forgerock.com:8080/openam/XUI",
                error: {
                    description: "Missing parameter, \'client_id\'",
                    message: "invalid_request"
                }
            };

Comment by Sachiko Wallace [ 26/Sep/17 ]

Ľubomír Mlích Thank you for testing. Wondering if you have assigned the "Basic URL" service to your realm and configured a fixed URL that points to the proxy?

Comment by Ľubomír Mlích [ 27/Sep/17 ]

Sachiko Wallace Thanks for the help with testing. When I set the Basic URL service as you suggest, I see a redirect to the proxy in 13.5.1 and in 13.5.2-M6 - I can't reproduce the bug this way.

Comment by Sachiko Wallace [ 03/Oct/17 ]

Ľubomír Mlích Could you give me a link to the binary, please?

Comment by Sachiko Wallace [ 03/Oct/17 ]

venu alla This may not be the best place to post questions, as it sounds like it's to do with how you've set up your OpenAM. Could you ping me on HipChat when you are available and provide more details on how you've set up your OpenAM?

Comment by Ľubomír Mlích [ 04/Oct/17 ]

Sachiko Wallace here:

Comment by Jonathan Thomas [ 23/Jan/20 ]

Was left at reopened - looks to be resolved.
