Closed
Description
Browser redirection to the /commonauth endpoint and the X509 authenticator's error page (x509certificateauthenticationendpoint/x509CertificateError.jsp) is currently incorrectly using the internal hostname for the base URL.
Since these endpoints are accessed by end users, they should use the public URL instead.
Suggested (and tested) fix:
diff --git a/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateAuthenticator.java b/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateAuthenticator.java
--- a/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateAuthenticator.java
+++ b/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateAuthenticator.java
@@ -114,7 +114,7 @@ public class X509CertificateAuthenticator extends AbstractApplicationAuthenticat
String errorPageUrl;
try {
errorPageUrl = ServiceURLBuilder.create().addPath(X509CertificateConstants.ERROR_PAGE).build()
- .getAbsoluteInternalURL();
+ .getAbsolutePublicURL();
} catch (URLBuilderException e) {
throw new RuntimeException("Error occurred while building URL.", e);
}
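Review bot: at the `errorPageUrl` assignment, please confirm that every consumer of `errorPageUrl` in `X509CertificateAuthenticator` hands it to the browser as a redirect target; any server-side use of the same variable would now be routed through the public hostname as well. A one-line comment above `.getAbsolutePublicURL()` stating that the URL is sent to the end user would help keep it from being switched back. The unchanged catch still throws a `RuntimeException` with the generic message "Error occurred while building URL.", which is identical in both files touched by this patch; naming the path (`X509CertificateConstants.ERROR_PAGE`) in the message would make a misconfigured public hostname easier to trace.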
diff --git a/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateServlet.java b/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateServlet.java
--- a/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateServlet.java
+++ b/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateServlet.java
@@ -65,7 +65,7 @@ public class X509CertificateServlet extends HttpServlet {
String commonAuthURL;
try {
commonAuthURL = ServiceURLBuilder.create().addPath(X509CertificateConstants.COMMON_AUTH).build()
- .getAbsoluteInternalURL();
+ .getAbsolutePublicURL();
} catch (URLBuilderException e) {
throw new RuntimeException("Error occurred while building URL.", e);
}
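Review bot: the `commonAuthURL` change in `X509CertificateServlet` comes without a test in this patch, which touches only the two source files; a servlet test that configures different internal and public hostnames and asserts that the redirect to `X509CertificateConstants.COMMON_AUTH` uses the public one would guard against a regression. The builder call and catch block here are the same as in `X509CertificateAuthenticator` apart from the path constant, so a small shared helper that returns the public URL for a given path would keep the two call sites from drifting apart again.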
Steps to Reproduce
- Set up an Identity Server 7.x instance with a "custom" hostname and with X509 authentication configured correctly.
- Create an application that uses the X509 authenticator.
- Create a user account and a certificate linked to it for the next step.
- Import the certificate to the browser's truststore. May require adding it to the Keychain if using macOS.
- Try logging into the application, select the certificate from the prompt, and notice the browser is redirected to the internal URL.
Please select the area issue is related to
Authentication & Registration
Version
IS 7.0.0, IS 7.1.0, IS 7.2.0
Environment Details (with versions)
N/A
Developer Checklist
- [Behavioural Change] Does this change introduce a behavioral change to the product?
- ↳ Approved by team lead
- ↳ Label impact/behavioral-change added
- [Migration Impact] Does this change have a migration impact?
- ↳ Migration label added (e.g., 7.2.0-migration)
- ↳ Migration issues created and linked
- [New Configuration] Does this change introduce a new configuration?
- ↳ Label config added
- ↳ Configuration is properly documented