Jazz Authorization Server and Reverse Proxy redirect URI issue
Hi there,
We had a working CLM 6.0.5 setup with Jazz Authorization Server (JAS). Today, as per the customer requirement, we put a Reverse Proxy (RP) on a separate host in front of our CLM server so the applications could be accessed via a friendly URL without specifying a port.
Now, with the RP in place, it appears that after a connection request is made to the CLM application (e.g. ccm) and is forwarded to JAS, the request contains an invalid redirectURI because it came via the reverse proxy.
The JAS message log shows:
[15/01/18 17:11:06:793 GMT] 0000003d com.ibm.ws.logging.internal.impl.IncidentImpl I FFDC1015I: An FFDC Incident has been created: "com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidRedirectUriException: CWOAU0056E: The redirect URI parameter [https://myexternalurl.com/ccm/jsa] provided in the OAuth or OpenID Connect request did not match any of the redirect URIs registered with the OAuth provider [https://127.0.0.1:9444/ccm/jsa https://127.0.0.1:9444/ccm/jsa?confirm=true https://myinternalurl.com:9444/ccm/jsa https://myinternalurl.com:9444/ccm/jsa?confirm=true https://localhost:9444/ccm/jsa https://localhost:9444/ccm/jsa?confirm=true]. com.ibm.ws.security.oauth20.error.impl.OAuth20AuthorizeRequestExceptionHandler 96" at ffdc_18.01.15_17.11.06.1.log
And the FFDC log shows:
Exception = com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidRedirectUriException
Source = com.ibm.ws.security.oauth20.error.impl.OAuth20AuthorizeRequestExceptionHandler
probeid = 96
Stack Dump = com.ibm.oauth.core.api.error.oauth20.OAuth20InvalidRedirectUriException: CWOAU0056E: The redirect URI parameter [https://myexternalurl.com/ccm/jsa] provided in the OAuth or OpenID Connect request did not match any of the redirect URIs registered with the OAuth provider [https://127.0.0.1:9444/ccm/jsa https://127.0.0.1:9444/ccm/jsa?confirm=true https://myinternalurl.com:9444/ccm/jsa https://myinternalurl.com:9444/ccm/jsa?confirm=true https://localhost:9444/ccm/jsa https://localhost:9444/ccm/jsa?confirm=true].
at com.ibm.ws.security.oauth20.web.ClientAuthorization.validateRedirectUri(ClientAuthorization.java:248)
Does anyone have any ideas on how we might fix this issue?
Accepted answer
You cannot just put a proxy in front of a system and remove the port; JAS or not does not matter here.
If you have not set up the public URI without the port, any change removing the port or changing the host name is a public URI change, which requires repotools. The public URI (with port number) is encoded and stored in several places, JAS included, so you have to make sure to do proper deployment planning up front.
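As an added illustration (not part of the original thread or of the Jazz/Liberty code), the small Python helper below parses a CWOAU0056E message like the one quoted in the question and classifies why the redirect URI was rejected. The registered list is compared by exact string match, the way the OAuth provider does it, which is the control that stops an authorization code being delivered to a host other than the one registered; the sample message is constructed from the log line above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the CWOAU0056E text from the JAS message log quoted in the question.
SAMPLE_MESSAGE = (
    "CWOAU0056E: The redirect URI parameter [https://myexternalurl.com/ccm/jsa] "
    "provided in the OAuth or OpenID Connect request did not match any of the "
    "redirect URIs registered with the OAuth provider [https://127.0.0.1:9444/ccm/jsa "
    "https://127.0.0.1:9444/ccm/jsa?confirm=true https://myinternalurl.com:9444/ccm/jsa "
    "https://myinternalurl.com:9444/ccm/jsa?confirm=true https://localhost:9444/ccm/jsa "
    "https://localhost:9444/ccm/jsa?confirm=true]."
)

# Captures the requested URI and the space-separated registered list; re.S lets the
# pattern span the wrapped lines an FFDC dump may contain.
_MSG_RE = re.compile(
    r"redirect URI parameter \[([^\]]+)\].*?registered with the OAuth provider \[([^\]]*)\]",
    re.S,
)


def parse_cwoau0056e(message):
    """Return (requested_uri, [registered_uris]) from a CWOAU0056E message."""
    m = _MSG_RE.search(message)
    if not m:
        raise ValueError("not a CWOAU0056E redirect URI mismatch message")
    return m.group(1), m.group(2).split()


def exact_match(requested, registered):
    """redirect_uri validation is a plain string comparison: no host, port or scheme normalisation."""
    return requested in registered


def diagnose(requested, registered):
    """Classify the rejection.

    'match'            -> the URI is registered, nothing to fix.
    'scheme/host/port' -> same application path, different origin: the public URI
                          seen by JAS (via proxy / without port) is not the one registered.
    'path'             -> no registered entry shares the path; a different application.
    """
    if exact_match(requested, registered):
        return "match"
    req_path = urlsplit(requested).path
    if any(urlsplit(uri).path == req_path for uri in registered):
        return "scheme/host/port"
    return "path"
```

Running `diagnose` on the parsed sample returns "scheme/host/port", which is the public URI situation the accepted answer describes: the remedy is to re-register the external public URI (repotools), not to relax the exact match.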
Comments
Thanks for your response. We made the mistake of not setting our PublicURI to be consistent with the RP hostname e.g. https://myexternalurl.com/jts
Also we should have configured our RP prior to doing our CLM config (jts/setup) as instructed here https://jazz.net/wiki/bin/view/Deployment/ConfigureCLMEnterpriseReverseProxy
Thanks for your help.