Can't use https for my redirect uri

I am building a REST API and I need to put it behind Okta. I don't have access to the production Okta we have at our company, but the admins set up the redirect URI with https.

In my spring boot application the yaml file is:

security:
  oauth2:
    client:
      clientId: clientId
      clientSecret: clientSecret
      accessTokenUri: https://org-subdomain.okta.com/oauth2/default/v1/token
      userAuthorizationUri: https://org-subdomain.okta.com/oauth2/default/v1/authorize
      clientAuthenticationScheme: form
      scope: openid profile email
      pre-established-redirect-uri: https://app-domain/login
    resource:
      userInfoUri: https://org-subdomain.okta.com/oauth2/default/v1/userinfo

and my configuration is:
@EnableOAuth2Sso
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/login*").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin();
    }
}

Whenever I hit an endpoint of my API where I need to be authenticated I see the request:
Request URL: https://org-subdomain/oauth2/default/v1/authorize?client_id=clientId&redirect_uri=http://app-domain/login&response_type=code&scope=openid%20profile%20email&state=6umudy

and the message: The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings.

So despite my setting up https, it tries to redirect to http.

Any ideas on how I can fix this?

I just ran into the same issue described above. My client app is hosted on a secured port, https. However, the authorization URL for the authorization request of an Authorization Code Flow is constructed with the redirect_uri value of http instead of https. Hence, it doesn't match any of the login redirect URIs configured in the OIDC Client in Okta.
I’m interested in hearing what was the solution here. Looks like the question was asked over a year ago but for some reason, I can’t view or don’t see any response. Thanks.

@kathyL
@konangelop Please refer to the discussion on GH and take a look at the solution here.

Thanks @Lijia for adding the discussion thread of a similar issue. However, the solution to the 404 is not exactly my issue.
Testing on localhost, everything worked fine for me. But when we deployed, we get the 400 Bad Request when the app invokes the authorization request to redirect us to the Okta login page. Note that our app is running on https:// in the DEV and Prod environments. This is the message we get with the 400:
https://build.okta.com/oauth2/aus1hxs2q50tTzpu51d8/v1/authorize?response_type=code&client_id=0oa1hoddxcgsVsPko1d8&scope=openid%20profile%20email%20address%20phone%20offline_access&state=LTYuksoXy28LnSeD0Q4xD4Re4b8HfPIh90Ldhm868rk%3D&**redirect_uri=http://dev-search-api.build.com**/login/oauth2/code/okta&nonce=4rbPBrdrBTc_lw-v5XP5Kg132RxRBxexvl_zWi56by8
From that authorize request URL above, note the redirect_uri=http://dev-search-api.build.com instead of https://. It should be https:// for this to work, because our OIDC app setting in Okta has https://dev-search-api.build.com/login/oauth2/code/okta in the Login redirect URIs listing. So the URI is definitely whitelisted in the client app setting in Okta.
Thanks!

@kathyL You can take a look at this article and check your app configuration. If you still cannot figure it out, you may open a support ticket through an email to support@okta.com

Thanks @Lijia!
Yes, I had already checked out the reference you provided here before finding this support thread. The root cause mentioned does not apply to my case, as we have already made sure the client setting in Okta has all of those URLs. Anyway, I might open a support ticket.

I’m having the exact same issue and was wondering if you were able to resolve it?

Please try adding the below parameters:

security.oauth2.client.pre-established-redirect-uri=https://app-domain/login
security.oauth2.client.registered-redirect-uri=https://app-domain/login
security.oauth2.client.use-current-uri=false

This will force Spring to use the configured https URL.

Thanks.

I'm having this same issue, but I think I've narrowed it down to not being mismatched redirect URIs.

I’m using Python/Flask for the app, and authenticating with OIDC.

I've set my redirect URI to https://<appdomain>/oidc/callback in Python.
In my Okta application, I set the exact same redirect URI.

Attempt to authenticate, and I get the same 400 error. When I go to the application logs, there is an “Oauth2 authorization request failure: illegal_redirect_uri_enhance”. The System > DebugData > RedirectUri is showing the HTTP version of my redirect URI.

So my question is, if my application redirect URI is HTTPS, and my Okta application whitelisted URI is HTTPS, is there something on the backend of Okta, or something with an OIDC plugin that works with Flask/Python, that could be re-writing the URI to an HTTP endpoint?

Thanks
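Added example (not code from this thread, nor from Okta, Spring or Flask): a small Python model of the two mechanisms the posts above keep running into. When a client derives redirect_uri from the current request (the behaviour the Spring answer turns off with use-current-uri=false, and what a framework OIDC helper does by default), an app that sits behind a TLS-terminating proxy sees a plain-http connection and emits http://, unless it honours the proxy's X-Forwarded-Proto header or uses a pre-established URI. The authorization server then compares the parameter against the registered list by exact string match, scheme included (RFC 6749 §3.1.2.3), which is why the http:// variant is rejected even though the https:// one is registered. The Request class, hostnames, header handling and the is_whitelisted model are assumptions for illustration.

```python
"""Redirect-URI construction vs. exact-match allow-listing (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlencode, quote


@dataclass
class Request:
    """Stand-in for an inbound request as the app framework sees it (assumed model)."""
    scheme: str                  # scheme of the connection the app itself accepted
    host: str                    # Host header
    headers: dict = field(default_factory=dict)


def build_redirect_uri(req, callback_path, *, pre_established=None,
                       trust_forwarded_proto=False):
    """Return the redirect_uri the client puts in the authorization request.

    pre_established: fixed absolute URI used verbatim (Spring's
      pre-established-redirect-uri with use-current-uri=false).
    trust_forwarded_proto: honour X-Forwarded-Proto set by a reverse proxy.
      Only enable this when the proxy is known to set or overwrite the header;
      otherwise an external client can spoof the scheme.
    """
    if pre_established:
        return pre_established
    scheme = req.scheme
    if trust_forwarded_proto and "X-Forwarded-Proto" in req.headers:
        # Chained proxies may append values; the first is the client-facing scheme.
        scheme = req.headers["X-Forwarded-Proto"].split(",")[0].strip().lower()
    return f"{scheme}://{req.host}{callback_path}"


def is_whitelisted(redirect_uri, registered):
    """Model of the server-side check behind the thread's 400 error.

    The value must be an absolute URI and match a registered URI by simple
    string comparison (RFC 6749 §3.1.2.3): no prefix, host-only or
    scheme-insensitive matching, so http:// and https:// never interchange.
    """
    parts = urlsplit(redirect_uri)
    if not parts.scheme or not parts.netloc:
        return False
    return redirect_uri in registered


def authorize_url(authorize_endpoint, client_id, redirect_uri, scope, state):
    """Build the Authorization Code flow request URL (spaces encoded as %20)."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
    }, quote_via=quote)
    return f"{authorize_endpoint}?{query}"


# Constructed sample values; hostnames are placeholders, not real deployments.
REGISTERED = {"https://app-domain/login"}
AUTHORIZE_ENDPOINT = "https://org-subdomain.okta.com/oauth2/default/v1/authorize"

# Deployed situation described in the thread: TLS ends at a load balancer that
# forwards plain http to the app and records the original scheme in a header.
PROXIED = Request(scheme="http", host="app-domain",
                  headers={"X-Forwarded-Proto": "https"})


def scenarios():
    """redirect_uri derived three ways, each checked against the allow-list."""
    naive = build_redirect_uri(PROXIED, "/login")
    forwarded = build_redirect_uri(PROXIED, "/login", trust_forwarded_proto=True)
    fixed = build_redirect_uri(PROXIED, "/login",
                               pre_established="https://app-domain/login")
    return {
        "current_uri": (naive, is_whitelisted(naive, REGISTERED)),
        "forwarded_proto": (forwarded, is_whitelisted(forwarded, REGISTERED)),
        "pre_established": (fixed, is_whitelisted(fixed, REGISTERED)),
    }


if __name__ == "__main__":
    for name, (uri, ok) in scenarios().items():
        print(f"{name:16} {uri:28} {'accepted' if ok else 'REJECTED'}")
    print(authorize_url(AUTHORIZE_ENDPOINT, "clientId",
                        scenarios()["current_uri"][0],
                        "openid profile email", "6umudy"))
```

Run it and the first scenario reproduces the thread's symptom (http://app-domain/login, rejected) while the other two produce the registered https:// value. Of the two fixes, the pre-established URI is the safer default for a single known callback, because it removes the dependency on proxy headers altogether; trusting X-Forwarded-Proto is appropriate only when the proxy strips or overwrites that header on inbound requests.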