By: Chris Lumpkin user 20 Aug 2020 at 12:27 p.m. CDT

7 Responses
My org has configured an OpenID Connect client for a Native mobile application with a Sector Identifier including several acceptable redirect_uris, including some with custom URI schemes. We configured this based on the instructions in [Gluu 4.2 integration docs for AppAuth Android](https://gluu.org/docs/gluu-server/4.2/integration/native-apps/appauth-android/#register-an-openid-client-on-the-gluu-server). oxAuth throws the following error during client authorization:

`the redirect_uri in the authorization request does not match any of the client's pre-registered redirect_uris`

Sector Identifier redirect login URIs:

- `http://localhost:3000/token`
- `mprove://SuccessPascode`
- `com.example.app:/oauth2redirect/example-provider`
- `exp://10.0.0.17:19000`

Client request URL with request params:

`https://auth.tcpdev.org/oxauth/restv1/authorize?code_challenge=1jqz8_AD99-ymRevcorCqKlFF3yJ4GOib9BBMbEhheU&aud=https%3A%2F%2Fmprove.tcpdev.org%2Fhapi-fhir-jpaserver%2Ffhir&code_challenge_method=S256&redirect_uri=exp%3A%2F%2F10.0.0.17%3A19000&client_id=c32aebef-c34b-4eb6-b238-9dd478f3ad34&response_type=code&state=w4ThUs3FnV&scope=patient%2F%2A.read%20patient%2F%2A.write%20openid%20fhirUser%20offline_access%20launch%2Fpatient`

By Michael Schwartz Account Admin 20 Aug 2020 at 1:52 p.m. CDT

`com.example.app:/oauth2redirect/example-provider`

Is that a typo? Is it missing a `/`?

By James Kizer user 20 Aug 2020 at 3:30 p.m. CDT

Just to elaborate on this a bit. The root cause here is that we're unable to add a redirect url containing a custom URL scheme to the OAuth client in the Gluu UI. Whenever we try to use a custom URL scheme, an error message pops up containing "The url is malformed". Is our assumption that custom URL schemes should be supported correct?

If so, we've spent a little bit of time tracking this down. It seems like this PR https://github.com/GluuFederation/oxTrust/issues/1892 introduced checking for "https" schemes for non-native clients. In order to perform that check, a java.net.URL object is instantiated with the redirect url (see [here](https://github.com/GluuFederation/oxTrust/blob/e133aedf2fc6c9c1408516994551f85e087fc5de/server/src/main/java/org/gluu/oxtrust/action/UpdateClientAction.java#L691)). In cases of custom URL schemes, [java.net.URL](https://docs.oracle.com/javase/7/docs/api/java/net/URL.html#URL(java.lang.String)) throws a MalformedURLException. This leads to the error message being shown.
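The parsing behaviour described in this post, shown as an added example that is not oxTrust code and not part of the original thread: `java.net.URL` rejects any scheme it has no protocol handler for, whereas `java.net.URI` parses a syntactically valid custom scheme and still lets a validator enforce "https only" for non-native clients. The class and method names here are invented for the illustration; the redirect URIs are the four from the opening post. The fragment check and the exact-string match are the general OAuth 2.0 redirect URI rules (RFC 6749 section 3.1.2), not something the thread states.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example (hypothetical names): contrasts a java.net.URL-based check,
 * which throws for unregistered schemes, with a java.net.URI-based check
 * that accepts custom schemes for native clients and still requires https
 * for everything else.
 */
public class RedirectUriCheck {

    /** Redirect URIs quoted in the thread (constructed test input). */
    static final List<String> REGISTERED_REDIRECT_URIS = Arrays.asList(
            "http://localhost:3000/token",
            "mprove://SuccessPascode",
            "com.example.app:/oauth2redirect/example-provider",
            "exp://10.0.0.17:19000");

    /**
     * The failing approach: java.net.URL only accepts schemes that have a
     * protocol handler (http, https, file, jar, ...). A custom scheme such
     * as "mprove" raises MalformedURLException ("unknown protocol: mprove").
     */
    static boolean parsesAsJavaNetUrl(String uri) {
        try {
            new URL(uri);
            return true;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    /**
     * Scheme-aware acceptance check built on java.net.URI, which validates
     * syntax only and does not care whether a handler exists for the scheme.
     * Native clients may register any absolute URI (custom schemes and the
     * loopback http form included); other clients must use https.
     * Fragments are never allowed in a redirect URI.
     */
    static boolean isAcceptableRedirectUri(String uri, boolean nativeClient) {
        URI parsed;
        try {
            parsed = new URI(uri);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = parsed.getScheme();
        if (scheme == null || parsed.getFragment() != null) {
            return false;
        }
        if (nativeClient) {
            return true;
        }
        return "https".equals(scheme.toLowerCase(Locale.ROOT));
    }

    /**
     * Matching an authorization request's redirect_uri against the
     * registered set uses simple string comparison, which is why the
     * authorization request must send the URI exactly as registered.
     */
    static boolean matchesRegistered(String requestedRedirectUri) {
        return REGISTERED_REDIRECT_URIS.contains(requestedRedirectUri);
    }

    public static void main(String[] args) {
        for (String uri : REGISTERED_REDIRECT_URIS) {
            System.out.printf("%-50s URL-parses=%-5s native-ok=%-5s web-ok=%s%n",
                    uri,
                    parsesAsJavaNetUrl(uri),
                    isAcceptableRedirectUri(uri, true),
                    isAcceptableRedirectUri(uri, false));
        }
        // The request from the opening post carries redirect_uri=exp://10.0.0.17:19000
        System.out.println("exp://10.0.0.17:19000 registered: "
                + matchesRegistered("exp://10.0.0.17:19000"));
    }
}
```

Running this prints `URL-parses=true` only for the `http://localhost:3000/token` entry; the three custom-scheme entries fail the `java.net.URL` check exactly as the post describes, yet all four pass `isAcceptableRedirectUri(uri, true)`, and only the https requirement (none of the four satisfy it) rejects them for a non-native client.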

By Thomas Gasmyr Mougang staff 20 Aug 2020 at 3:33 p.m. CDT

James, you have to create a sector identifier; during the creation of that sector you can define your custom scheme and then assign that sector to the concerned OpenId Client.

By James Kizer user 20 Aug 2020 at 4:12 p.m. CDT

Thanks for the quick response @Thomas Gasmyr.Mougang. I'll give that a shot. Once we've added that sector to the client, does the redirect URL also need to be added to the OpenID client?

By Michael Schwartz Account Admin 20 Aug 2020 at 4:14 p.m. CDT

I confirmed oxTrust won't let you add this url.

![](https://i.ibb.co/hRZcfYf/malformed-url.png)

As a workaround, did you try to add the client using the dynamic client registration API?

By Thomas Gasmyr Mougang staff 20 Aug 2020 at 4:28 p.m. CDT

> Once we've added that sector to the client, does the redirect URL also need to be added to the OpenID client?

No, you don't have to.

By James Kizer user 20 Aug 2020 at 4:30 p.m. CDT

Thanks @Michael.Schwartz and @Thomas Gasmyr.Mougang, it seems to be working now with the sector identifier approach.