WebSphere Application Server & Liberty

  • 1.  OpenID authorize request not working with HTTPS

    Posted Thu May 19, 2022 05:05 AM
    Hello IBM folks,

    our application, which is deployed on a traditional WebSphere 9, issues an HTTP authorize request to an OpenID provider (ForgeRock OpenAM). This request works when I use the protocol HTTP, but it fails when I use HTTPS. The OpenID authorize endpoint returns the parameters in the header. I am interested in the authorization code, which is returned as part of the redirect URI (header field Location).

    When I use HTTP, the situation looks like this:
    The HttpURLConnection class is sun.net.www.protocol.http.HttpURLConnection
    The HTTP response code is 302
    The method HttpURLConnection.getHeaderField("Location") returns "https://localhost:9443/oidcclient/KISS_RP?code=Mc9qbvT9iX70EBS1ZU8Wt9Ttjbo&iss=http%3A%2F%2Fopenam.test-server.ag%3A8080%2Fopenam%2Foauth2%2FKissRealm&state=5rA5nOpzdu70LRTBfSk5HEAgQfg2S52u2uiZOMQ9g_1652942447833&client_id=KISS"

    When I use HTTPS, the situation looks like this:
    The HttpURLConnection class is com.ibm.net.ssl.www2.protocol.https.b
    The HTTP response code is 302
    The method HttpURLConnection.getHeaderField("Location") returns "http://was-server:9080/bayernlabo/Home.part?$event=start"
    The method HttpURLConnection.toString() returns "com.ibm.net.ssl.www2.protocol.https.e:https://was-server:9443/oidcclient/KISS_RP?code=rM2TqAnyd_Ooz7Ly0dfYKzFArK4&iss=https%3A%2F%2Fopenam.test-server.ag%3A8443%2Fopenam%2Foauth2%2FKissRealm&state=0J8v34yhZvGc2ag5N1ZFshVbScdDGDoXhakBmxpU_1652947980296&client_id=KISS"

    So, with HTTP I get the authorization code in the Location as expected. But with HTTPS the Location contains the URL of the protected web page, which initiated the authorization code flow. However, as you can see in the string representation of the connection class, the authorization code is there, too.

    The question is now, how do I get the authorization code correctly for HTTP and HTTPS? Shouldn't the authorization code be part of the Location for both protocols?

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------


  • 2.  RE: OpenID authorize request not working with HTTPS

    Posted Thu May 19, 2022 05:18 AM
    I forgot to say that the application needs the complete redirect URI to redirect the user agent to the OpenID relying party configured in the WebSphere application server. So the authorization code alone is not sufficient! But the string representation of the HTTPS connection contains this URI as well.

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------



  • 3.  RE: OpenID authorize request not working with HTTPS

    Posted Thu May 19, 2022 09:32 AM
    When I call the authorize endpoint with CURL, it looks like this:

    Thomas.Mayr@C02XH0FVJGH5 Logs % curl --dump-header - --request POST -k \
    'https://openam.test-server.ag:8443/openam/oauth2/KissRealm/authorize' \
    --header 'Cookie: iPlanetDirectoryPro=mWjAbBBRuzwqJs6mWAAMpv9pyDM.*AAJTSQACMDEAAlNLABw2Slk1OEhLRmJSUWVPZFNUQkF5cC9iRUxhR2M9AAR0eXBlAANDVFMAAlMxAAA.*' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data 'response_type=code' \
    --data 'client_id=KISS' \
    --data 'scope=openid profile' \
    --data 'csrf=mWjAbBBRuzwqJs6mWAAMpv9pyDM.*AAJTSQACMDEAAlNLABw2Slk1OEhLRmJSUWVPZFNUQkF5cC9iRUxhR2M9AAR0eXBlAANDVFMAAlMxAAA.*' \
    --data 'redirect_uri=https://localhost:9443/oidcclient/KISS_RP' \
    --data 'state=abc123' \
    --data 'decision=allow'
    HTTP/1.1 302 
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Pragma: no-cache
    Cache-Control: no-store
    Date: Thu, 19 May 2022 13:27:36 GMT
    Accept-Ranges: bytes
    Location: https://localhost:9443/oidcclient/KISS_RP?code=8IkaUUOP5D0BULt3EeKdzrLaqTI&iss=https%3A%2F%2Fopenam.test-server.ag%3A8443%2Fopenam%2Foauth2%2FKissRealm&state=abc123&client_id=KISS
    Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
    Content-Length: 0

    As you can see, the OpenID provider returns the correct redirection URI also with HTTPS!

    Kind regards
    Thomas




    ------------------------------
    Thomas Mayr
    ------------------------------



  • 4.  RE: OpenID authorize request not working with HTTPS

    Posted Thu May 19, 2022 09:58 AM
    I assume that this is a direct connection to the Authorization Endpoint Url in your application, and the only difference is that http:// was used to connect to the authorization endpoint vs https:// (the latter didn't work as expected).  And I would assume that the OIDC provider endpoint would know to return to a specific appserver (that is the /oidcclient/ application), but does it even do this in the https:// example (seems the location is pointing elsewhere, to an app URL, and the protocol is now http).

    ------------------------------
    MICHAEL SCHNEIDER
    ------------------------------



  • 5.  RE: OpenID authorize request not working with HTTPS

    Posted Thu May 19, 2022 10:46 AM
    Hello Mr. Schneider,

    yes, my application is directly calling the authorization endpoint of the OIDC provider. Previously my application is called by the WebSphere Relying Party with the parameters for the authorization endpoint (client_id, scope, redirect_uri, state). My application is configured as authorization endpoint in the RP. My application sits in between the WebSphere RP and the OIDC provider. It presents a login form to the user, authenticates the user at the OIDC and then calls the authorization endpoint of the OIDC.

    The authorization endpoint of the OIDC provider returns the redirect URI with the passed parameters and the additional authorization code. The redirect URI "https://localhost:9443/oidcclient/KISS_RP" is the URL of the RP configured in the WebSphere. My application gets the URI from the RP.

    In the HTTP case I get this (correct) redirect URL from the Location parameter.

    But in the HTTPS case the redirect URI is wrong. This is an application URL: "http://was-server:9080/bayernlabo/Home.part?$event=start"

    I hope I was clear enough.

    Kind regards
    Thomas



    ------------------------------
    Thomas Mayr
    ------------------------------



  • 6.  RE: OpenID authorize request not working with HTTPS

    Posted Thu May 19, 2022 03:45 PM
    I'm actually thinking the other direction now, that maybe it's the implementation of HttpURLConnection that cannot automatically redirect between different schemes (that is HTTP to HTTPS or vice versa), which might be the real issue here. 
    Again not knowing the entire flow is hindering my understanding of the entire request, but it looks like you are submitting a form that is hosted on an application, but that the application processing the form pushes out a request to the OIDC provider in-code (hence the HttpURLConnection).  I assume the HTTP vs HTTPS comes into play when calling HttpURLConnection with the appropriate scheme.

    ------------------------------
    MICHAEL SCHNEIDER
    ------------------------------



  • 7.  RE: OpenID authorize request not working with HTTPS

    Posted Fri May 20, 2022 03:01 AM
    Edited by MIGUEL ANGEL CAMACHO CABRERA Fri May 20, 2022 03:01 AM
    Hello Thomas,

    What happens if you are connecting to your application using HTTPS? I meant if you connect to "https://was-server:9043/bayernlabo/Home.part?$event=start"?

    I think the problem could be related to the change of protocol by HttpURLConnection sendredirect from http to https as explained here

    https://stackoverflow.com/questions/1884230/httpurlconnection-doesnt-follow-redirect-from-http-to-https

    Best Regards



    ------------------------------
    MIGUEL ANGEL CAMACHO CABRERA
    ------------------------------



  • 8.  RE: OpenID authorize request not working with HTTPS

    Posted Mon May 23, 2022 04:27 AM
    Hello Michael, Miguel,

    I try to explain the flow. The flow starts when an unauthenticated user navigates to a protected page of the application. In this case, the relying party interceptor (RP) configured in WebSphere calls the authorization endpoint of my application (MyApp):

    1 RP -> MyApp.authorization(redirect_uri, scope, client_id, response_type, state)
    2 MyApp -> redirect browser to login form
    3 User enters username/password -> MyApp
    4 MyApp -> OpenID provider.authenticate(username, password)
    5 OpenID provider returns a loginToken
    6 MyApp -> OpenID provider.authorization(loginToken, redirect_uri, scope, client_id, response_type, state)
    7 OpenID provider returns redirect_uri with authorization code as header parameter Location
    8 MyApp -> redirect browser to redirect_uri (RP)
    9 RP -> redirect browser to protected application page

    The authorization endpoint of MyApp is configured with HTTPS in the RP interceptor:

    https://localhost:9443/bayernlabo/Welcome/content/start/LoginForm.part?$event=openIDAuthorize

    When HTTP is used in the communication between MyApp and the OpenID provider at step 6, it doesn't matter if I use HTTP or HTTPS when I navigate to the protected page of MyApp. The RP redirects the browser to the protected page with HTTP or HTTPS at the end. Note, the redirect to the RP at step 8 is always expected with HTTPS!

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------



  • 9.  RE: OpenID authorize request not working with HTTPS

    Posted Mon May 23, 2022 10:25 AM
    Hello Michael, Miguel,

    I solved this problem! I had to disable the automatic redirect of the HTTP connection:

    HttpURLConnection.setInstanceFollowRedirects(false);

    The stackoverflow link was helpful!

    Thank you and kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------
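
The following is an added example (not Thomas's code and not an IBM or ForgeRock API) showing how step 6 of the flow in post 8 can be implemented with the fix from post 9: the authorize POST is sent with redirect-following disabled, so the 302 and its Location header come back to the caller instead of being followed into the RP, and the Location is validated against the registered redirect_uri and the state sent in the request before the application redirects the user agent to it. The class name, the method names and the validation helper are assumptions; the endpoint, cookie header and form fields mirror the curl call in post 3, and the sample Location value run by main is a constructed copy of the one in that curl output so the example runs offline.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical helper for the MyApp -> OpenID provider authorize call (step 6 in post 8). */
public class AuthorizeRedirectCapture {

    /** Result of a successful authorize call: the full redirect URI for the user agent and the code. */
    public static final class Callback {
        public final String redirectUri;
        public final String code;
        Callback(String redirectUri, String code) { this.redirectUri = redirectUri; this.code = code; }
    }

    /** Form-encode the authorize parameters in the same shape as the curl call (Java 8 compatible). */
    static String formEncode(Map<String, String> params) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8.name()))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8.name()));
        }
        return sb.toString();
    }

    /**
     * POST to the authorization endpoint with automatic redirects disabled, so the 302 from the
     * provider is returned to us rather than followed. Returns the raw Location header value.
     * Not called from main because it needs a live provider.
     */
    static String postAuthorize(String authorizeEndpoint, String cookieHeader,
                                Map<String, String> params) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(authorizeEndpoint).openConnection();
        conn.setInstanceFollowRedirects(false);   // the fix from post 9
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        if (cookieHeader != null) conn.setRequestProperty("Cookie", cookieHeader);
        byte[] body = formEncode(params).getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) { out.write(body); }
        int status = conn.getResponseCode();
        if (status != 302 && status != 303 && status != 307) {
            throw new IOException("expected a redirect from the authorization endpoint, got HTTP " + status);
        }
        String location = conn.getHeaderField("Location");
        if (location == null) throw new IOException("redirect without Location header");
        return location;
    }

    /**
     * Validate the Location before trusting it: it must point at the registered redirect_uri
     * (so an application-page URL such as the one seen in the HTTPS case is rejected), echo the
     * state we sent, and carry a code.
     */
    static Callback parseCallback(String location, String registeredRedirectUri,
                                  String expectedState) throws IOException {
        URI uri = URI.create(location);
        String base = uri.getScheme() + "://" + uri.getRawAuthority() + uri.getRawPath();
        if (!base.equals(registeredRedirectUri)) {
            throw new IOException("Location does not match registered redirect_uri: " + base);
        }
        Map<String, String> q = new LinkedHashMap<>();
        String raw = uri.getRawQuery();
        if (raw != null) {
            for (String pair : raw.split("&")) {
                int i = pair.indexOf('=');
                String k = URLDecoder.decode(i < 0 ? pair : pair.substring(0, i), "UTF-8");
                String v = i < 0 ? "" : URLDecoder.decode(pair.substring(i + 1), "UTF-8");
                q.put(k, v);
            }
        }
        if (!expectedState.equals(q.get("state"))) throw new IOException("state mismatch");
        String code = q.get("code");
        if (code == null || code.isEmpty()) throw new IOException("no authorization code in Location");
        return new Callback(location, code);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the Location value from the curl transcript in post 3.
        String location = "https://localhost:9443/oidcclient/KISS_RP?code=8IkaUUOP5D0BULt3EeKdzrLaqTI"
            + "&iss=https%3A%2F%2Fopenam.test-server.ag%3A8443%2Fopenam%2Foauth2%2FKissRealm"
            + "&state=abc123&client_id=KISS";
        Callback cb = parseCallback(location, "https://localhost:9443/oidcclient/KISS_RP", "abc123");
        System.out.println("code=" + cb.code);
        System.out.println("redirect user agent to: " + cb.redirectUri);

        // The application-page URL seen in the HTTPS case is rejected instead of being used.
        try {
            parseCallback("http://was-server:9080/bayernlabo/Home.part?$event=start",
                          "https://localhost:9443/oidcclient/KISS_RP", "abc123");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two checks in parseCallback are what make the fix safe rather than merely working: with redirects left enabled, an HttpURLConnection that follows the 302 into the RP callback consumes the single-use authorization code on the server side and then reports whatever Location the last hop returned (the application page in the HTTPS case), which is consistent with the thread's observation that the HTTP case only "worked" because HttpURLConnection refuses to follow a redirect that changes scheme from http to https. With setInstanceFollowRedirects(false) the provider's own Location is always the one returned, and comparing it to the registered redirect_uri plus the state value guards the user-agent redirect in step 8 against being sent anywhere else.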