Jazz Authorization Server and Reverse Proxy redirect URI issue


Anthony Sutton (814) | asked Jan 15 '18, 12:44 p.m.

Hi there,
We had a working CLM 6.0.5 set-up with Jazz Authorization Server (JAS). Today, as per the customer requirement, we put a Reverse Proxy (RP) on a separate host in front of our CLM server so the applications could be accessed via a friendly URL without specifying a port.

Now, with the RP in place, it appears that after a connection request is made to the CLM application (e.g. ccm) and is forwarded to JAS, the connection request contains an invalid redirectURI because it came via the reverse proxy.

The JAS message log shows:
[15/01/18 17:11:06:793 GMT] 0000003d com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidRedirectUriException: CWOAU0056E: The redirect URI parameter [https://myexternalurl.com/ccm/jsa] provided in the OAuth or OpenID Connect request did not match any of the redirect URIs registered with the OAuth provider [https://127.0.0.1:9444/ccm/jsa https://127.0.0.1:9444/ccm/jsa?confirm=true https://myinternalurl.com:9444/ccm/jsa https://myinternalurl.com:9444/ccm/jsa?confirm=true https://localhost:9444/ccm/jsa https://localhost:9444/ccm/jsa?confirm=true]. com.ibm.ws.security.oauth20.error.impl.OAuth20AuthorizeRequestExceptionHandler 96" at ffdc_18.01.15_17.11.06.1.log

And the FFDC log shows:
Exception = com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidRedirectUriException
Source = com.ibm.ws.security.oauth20.error.impl.OAuth20AuthorizeRequestExceptionHandler
probeid = 96
Stack Dump = com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidRedirectUriException: CWOAU0056E: The redirect URI parameter [https://myexternalurl.com/ccm/jsa] provided in the OAuth or OpenID Connect
request did not match any of the redirect URIs registered with the OAuth provider [https://127.0.0.1:9444/ccm/jsa https://127.0.0.1:9444/ccm/jsa?confirm=true https://myinternalurl.com:9444/ccm/jsa ht
tps://myinternalurl.com:9444/ccm/jsa?confirm=true https://localhost:9444/ccm/jsa https://localhost:9444/ccm/jsa?confirm=true].
    at com.ibm.ws.security.oauth20.web.ClientAuthorization.validateRedirectUri(ClientAuthorization.java:248)

Does anyone have any ideas on how we might fix this issue?

Accepted answer


Ralph Schoon (63.1k33646) | answered Jan 15 '18, 1:54 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

You cannot just put a proxy in front of a system and remove the port; JAS or not does not matter here.

If you have not set up the public URI without port, any change removing the port or changing the host name is a public URI change, which requires repotools. The public URI, with port number, is encoded and stored in several places, JAS included, so you have to make sure to do proper deployment planning up front.

Anthony Sutton selected this answer as the correct answer

Comments
Anthony Sutton commented Jan 19 '18, 11:32 a.m.

Thanks for your response. We made the mistake of not setting our PublicURI to be consistent with the RP hostname, e.g. https://myexternalurl.com/jts
Also, we should have configured our RP prior to doing our CLM config (jts/setup), as instructed here: https://jazz.net/wiki/bin/view/Deployment/ConfigureCLMEnterpriseReverseProxy
Thanks for your help.
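
The mismatch in the JAS log above, as an added example that is not part of the original thread or IBM's code: a Python sketch that parses a single-line CWOAU0056E message (the messages.log form) and reports which part of the requested redirect URI (scheme, host, port) differs from each registered entry for the same path. The sample message is constructed from the question's log line and shortened to two registered URIs; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the CWOAU0056E text from the question, shortened to two registered URIs.
SAMPLE = ("CWOAU0056E: The redirect URI parameter [https://myexternalurl.com/ccm/jsa] "
          "provided in the OAuth or OpenID Connect request did not match any of the redirect "
          "URIs registered with the OAuth provider [https://myinternalurl.com:9444/ccm/jsa "
          "https://myinternalurl.com:9444/ccm/jsa?confirm=true].")

PATTERN = re.compile(r"CWOAU0056E: The redirect URI parameter \[([^\]]*)\].*?"
                     r"registered with the OAuth provider \[([^\]]*)\]", re.S)


def origin(uri):
    """Return (scheme, host, effective port); an omitted port becomes the scheme default."""
    parts = urlsplit(uri)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port


def diagnose(message):
    """Parse one CWOAU0056E message; list, per registered URI with the same path,
    which origin components differ from the requested redirect URI."""
    m = PATTERN.search(message)
    if m is None:
        return None  # not a CWOAU0056E redirect-URI mismatch line
    requested = m.group(1).strip()
    req_origin, req_path = origin(requested), urlsplit(requested).path
    findings = []
    for candidate in m.group(2).split():
        parts = urlsplit(candidate)
        if parts.path != req_path or parts.query:
            continue  # compare only the same endpoint; skip the ?confirm=true variants
        diffs = [name for name, a, b in
                 zip(("scheme", "host", "port"), req_origin, origin(candidate)) if a != b]
        findings.append((candidate, diffs))
    return {"requested": requested, "findings": findings}


if __name__ == "__main__":
    report = diagnose(SAMPLE)
    for registered, diffs in report["findings"]:
        print(f"{report['requested']} vs {registered}: differs in {', '.join(diffs)}")
```

A host or port difference against every registered entry, as here, points at a public URI that was registered before the proxy URL existed, which is the situation the accepted answer describes.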
