Hello IBM folks,
our application, which is deployed on a traditional WebSphere 9, issues an HTTP authorize request to an OpenID provider (ForgeRock OpenAM). This request works when I use the protocol HTTP, but it fails when I use HTTPS. The OpenID authorize endpoint returns the parameters in the header. I am interested in the authorization code, which is returned as part of the redirect URI (header field Location).
When I use HTTP, the situation looks like this:
The HttpURLConnection class is sun.net.www.protocol.http.HttpURLConnection.
The HTTP response code is 302.
The method HttpURLConnection.getHeaderField("Location") returns "https://localhost:9443/oidcclient/KISS_RP?code=Mc9qbvT9iX70EBS1ZU8Wt9Ttjbo&iss=http%3A%2F%2Fopenam.test-server.ag%3A8080%2Fopenam%2Foauth2%2FKissRealm&state=5rA5nOpzdu70LRTBfSk5HEAgQfg2S52u2uiZOMQ9g_1652942447833&client_id=KISS"
When I use HTTPS, the situation looks like this:
The HttpURLConnection class is com.ibm.net.ssl.www2.protocol.https.b.
The HTTP response code is 302.
The method HttpURLConnection.getHeaderField("Location") returns "http://was-server:9080/bayernlabo/Home.part?$event=start"
The method HttpURLConnection.toString() returns "com.ibm.net.ssl.www2.protocol.https.e:https://was-server:9443/oidcclient/KISS_RP?code=rM2TqAnyd_Ooz7Ly0dfYKzFArK4&iss=https%3A%2F%2Fopenam.test-server.ag%3A8443%2Fopenam%2Foauth2%2FKissRealm&state=0J8v34yhZvGc2ag5N1ZFshVbScdDGDoXhakBmxpU_1652947980296&client_id=KISS"
So, with HTTP I get the authorization code in the Location as expected. But with HTTPS the Location contains the URL of the protected web page which initiated the authorization code flow. However, as you can see in the string representation of the connection class, the authorization code is there, too.
The question is now: how do I get the authorization code correctly for HTTP and HTTPS? Shouldn't the authorization code be part of the Location for both protocols?
Kind regards
Thomas
------------------------------
Thomas Mayr
------------------------------
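Added example (not code from the post or from IBM/ForgeRock): reading the authorize response with redirect following switched off. The working assumption here is that the HTTPS connection is following the provider's 302 to the KISS_RP redirect URI (HttpURLConnection follows redirects by default), so getHeaderField("Location") then shows the callback's own redirect to the protected page while toString()/getURL() show the followed URL that carries the code. The redirect URI, state value and method names below are assumptions; the method refuses a Location outside the registered redirect_uri and checks state before extracting the code.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;

public class AuthorizeCodeReader {

    /** Parse the query string of a redirect URI into a map (first value wins). */
    static Map<String, String> queryParams(String uri) throws IOException {
        Map<String, String> params = new HashMap<>();
        int q = uri.indexOf('?');
        if (q < 0) return params;
        for (String pair : uri.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            // URLDecoder.decode(String, String) keeps this Java 8 compatible (WebSphere 9)
            params.putIfAbsent(URLDecoder.decode(k, "UTF-8"), URLDecoder.decode(v, "UTF-8"));
        }
        return params;
    }

    /**
     * Issue the authorize request without following redirects, so the provider's
     * own 302 is what gets read, not whatever the redirect target answers with.
     * registeredRedirectUri and expectedState are values the caller already knows
     * (assumed, e.g. "https://localhost:9443/oidcclient/KISS_RP" and the state sent).
     */
    static String readAuthorizationCode(URL authorizeUrl, String expectedState,
                                        String registeredRedirectUri) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) authorizeUrl.openConnection();
        conn.setInstanceFollowRedirects(false); // applies to both the http and the https implementation class
        conn.setRequestMethod("GET");
        int status = conn.getResponseCode();
        if (status != 302 && status != 303 && status != 307) {
            throw new IOException("expected a redirect from the authorize endpoint, got " + status
                    + " (connection URL now " + conn.getURL() + ")");
        }
        String location = conn.getHeaderField("Location");
        if (location == null || !location.startsWith(registeredRedirectUri)) {
            throw new IOException("Location does not point at the registered redirect_uri: " + location);
        }
        Map<String, String> p = queryParams(location);
        if (!expectedState.equals(p.get("state"))) {
            throw new IOException("state mismatch, discarding authorize response");
        }
        String code = p.get("code");
        if (code == null) throw new IOException("no authorization code in Location");
        return code;
    }
}
```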