[OPENAM-5534] OAuth2/OIDC SSL connection is based on incoming request not on the site configuration Created: 11/Feb/15 Updated: 20/Nov/16 Resolved: 03/Mar/15
| Field | Value |
|---|---|
| Component/s | oauth2, OpenID Connect |
| Affects Version/s | 12.0.0, 13.0.0 |
| Fix Version/s | 12.0.1, 12.0.3, 13.0.0 |
| Reporter | Phill Cunnington |
| Assignee | James Phillpotts |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Sprint | Sprint 79 - Team Tesla, Sprint 80 - Team Tesla |
| Support Ticket IDs | |
Whether the OAuth2/OIDC code uses an SSL connection or not is determined by the HTTP scheme of the incoming request. The problem with this is that the AM instance could be part of a site where the external connection to the site is made over SSL but the request to the AM instance is over plain HTTP.
The site configuration should be taken into consideration when determining whether to use SSL or not.
|Comment by Peter Major [X] (Inactive) [ 11/Feb/15 ]|
Site configuration cannot correctly determine the actual URL to be used for OIDC: there are fqdnMap, DNS aliases and secondary site URLs, all of which are URLs allowed to be used to access OpenAM (fqdnMap and DNS aliases don't contain the protocol scheme; only the primary and secondary site URLs do).
As a workaround:
|Comment by James Phillpotts [ 16/Feb/15 ]|
Discussed this with Bernhard Thalmayr and decided on the following. A new provider service is created that allows the realm to have a configured option for how to obtain the base URL (including protocol) for places that need to return a URL to the client. The provider will have:
This service will initially just be used to fix the well-known endpoints (OIDC and UMA), but will be reusable from other places that also need to return URLs, such as SAML, CREST, etc. Separate bugs should be raised for those places.
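The following is an added illustration of the decision the comment above describes, not OpenAM code: a realm-level base URL source that either reproduces the original behaviour (scheme and host taken from the incoming request) or uses a configured site URL, and the OIDC well-known URLs that result in each mode when TLS is terminated in front of the instance. The `RealmBaseUrlConfig` option names, the `/openam` context path and the endpoint paths are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class IncomingRequest:
    scheme: str          # scheme as seen by the AM instance itself, not by the client
    host: str
    port: int
    context_path: str = "/openam"

@dataclass(frozen=True)
class RealmBaseUrlConfig:
    # Hypothetical realm setting modelled on the provider service the comments describe.
    # "request": original behaviour, base URL built from the incoming request.
    # "fixed":   base URL taken from a configured site URL, scheme included.
    source: str
    fixed_site_url: Optional[str] = None

def resolve_base_url(cfg: RealmBaseUrlConfig, req: IncomingRequest) -> str:
    """Return the base URL (scheme, host, port, context) to embed in client-facing URLs."""
    if cfg.source == "request":
        default_port = {"http": 80, "https": 443}[req.scheme]
        netloc = req.host if req.port == default_port else f"{req.host}:{req.port}"
        return f"{req.scheme}://{netloc}{req.context_path}"
    if cfg.source == "fixed":
        parts = urlsplit(cfg.fixed_site_url or "")
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("fixed base URL source needs an absolute site URL with a scheme")
        return cfg.fixed_site_url.rstrip("/")
    raise ValueError(f"unknown base URL source: {cfg.source!r}")

def well_known_endpoints(cfg: RealmBaseUrlConfig, req: IncomingRequest) -> dict:
    """Build the URLs an OIDC discovery document would advertise (paths are illustrative)."""
    base = resolve_base_url(cfg, req)
    return {
        "issuer": f"{base}/oauth2",
        "authorization_endpoint": f"{base}/oauth2/authorize",
        "token_endpoint": f"{base}/oauth2/access_token",
    }

# Constructed scenario: TLS is terminated at the site's front end (https://sso.example.com),
# which forwards the request to the AM instance over plain HTTP.
FRONT_END_URL = "https://sso.example.com/openam"
BACKEND_REQUEST = IncomingRequest(scheme="http", host="am1.internal", port=8080)

def discovery_for(source: str) -> dict:
    cfg = RealmBaseUrlConfig(source=source, fixed_site_url=FRONT_END_URL)
    return well_known_endpoints(cfg, BACKEND_REQUEST)

if __name__ == "__main__":
    print(discovery_for("request")["issuer"])  # http://am1.internal:8080/openam/oauth2 (wrong)
    print(discovery_for("fixed")["issuer"])    # https://sso.example.com/openam/oauth2
```

In "request" mode the advertised issuer and endpoints carry the internal plain-HTTP address, which clients cannot reach and which does not match the issuer they expect; the "fixed" source yields the external HTTPS URLs regardless of how the instance itself was contacted.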
|Comment by James Phillpotts [ 03/Mar/15 ]|
Now committed to trunk at r12807.
|Comment by Peter Major [X] (Inactive) [ 20/May/15 ]|
Backported to 12.0.1 with R13895 and to 12.0.2 with R13898