PUBLIC - OAuth2 / OAUTH2-236

Authorization flow breaks if referring to portal by IP not in redirect.url.ips.allowed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Master, 1.1-marketplace_7.1.0
    • Fix Version/s: Master
    • Component/s: None
    • Labels:

      Description

      This ticket is to improve the developer experience when the portal has to be accessed by an IP other than those listed in portal.properties by default:

      redirect.url.ips.allowed=127.0.0.1,SERVER_IP

      For example, when running an Android simulator in a VM, you cannot reach the host machine where the portal is running through localhost.

      The OAuth 2 authorization flow relies on several redirects back to the portal itself to complete successfully. The default configuration would seem sufficient for that because of the SERVER_IP entry, but it is not, because the portal may be reached by an address other than the one SERVER_IP resolves to.

      From a portal administrator's perspective, it is not intuitive that all of the portal's own IPs must be whitelisted for the product to work.

      To improve this, relative redirection URLs should be used whenever possible.

      Steps to reproduce:

      1. Create/modify portal-ext.properties with the following, to remove any ambiguity about how SERVER_IP might resolve:
        redirect.url.ips.allowed=127.0.0.1

      2. Start the portal
      3. Create an OAuth2 Application. Enter http://localhost:8080 as the callback URI and select the "Web application" client profile. Ensure the "Authorization Code" authorization type is checked. Save. Change Client ID to "myApplication" and Client Secret to "mySecret". Save. Finally, assign the application any of the available scopes.
      4. Find or assign an alternative to the portal server host. The easiest way to achieve this is to use the LAN assigned IP of the server.
      5. Assuming the IP is 192.168.0.1, go to http://192.168.0.1:8080/o/oauth2/authorize?client_id=myApplication&client_secret=mySecret&redirect_uri=http%3A%2F%2Flocalhost%3A8080&response_type=code&scope=
      6. You will be prompted to log in; log in with test@liferay.com

      Expected result: You are asked to authorize the application's access, and the IP shown in the address bar remains 192.168.0.1
      Actual result: You are redirected to http://192.168.1.195:8080/web/guest/home
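      Added here as an illustrative model and not Liferay's own code: a Python sketch of the host allowlist check that redirect.url.ips.allowed drives, the fallback to the portal home seen in the actual result, and the relative-redirect rewrite the ticket proposes. The SERVER_IP token resolving to a single address (192.168.1.195, taken from the actual result above) and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample values: the ticket's default property value and the
# address SERVER_IP is assumed to resolve to (the one in the actual result).
ALLOWED_IPS_PROPERTY = "127.0.0.1,SERVER_IP"
SERVER_IP = "192.168.1.195"


def expand_allowed_hosts(prop_value, server_ip):
    """Expand a redirect.url.ips.allowed value into a set of host strings.
    The SERVER_IP token is assumed to resolve to exactly one address, which
    is why a second interface such as 192.168.0.1 is never covered."""
    hosts = set()
    for item in prop_value.split(","):
        item = item.strip()
        if item:
            hosts.add(server_ip if item == "SERVER_IP" else item)
    return hosts


def is_redirect_allowed(url, allowed_hosts):
    """A relative URL (no scheme, no authority) can only point back at the
    portal itself, so it passes; an absolute or protocol-relative URL passes
    only when its host is on the allowlist."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return parts.path.startswith("/")
    return parts.hostname in allowed_hosts


def safe_redirect(url, allowed_hosts, fallback="/web/guest/home"):
    """Return the redirect target, or the portal home when the target is
    rejected (the fallback the ticket's actual result shows)."""
    return url if is_redirect_allowed(url, allowed_hosts) else fallback


def to_relative(url, request_host):
    """The fix the ticket proposes: a redirect whose authority equals the
    Host the request came in on is a self-redirect, so emit it relative and
    the allowlist never has to enumerate the portal's own addresses.
    Redirects to other hosts (e.g. the client's redirect_uri) are untouched."""
    parts = urlsplit(url)
    if parts.netloc != request_host:
        return url
    relative = parts.path or "/"
    if parts.query:
        relative += "?" + parts.query
    return relative
```

With the default allowlist, the absolute self-redirect to 192.168.0.1 is rejected and lands on the portal home, while the same redirect made relative passes without any change to the property.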
