
redirectUrl is missing in Apple Federated Authenticator for API based authentication

Open isuruhettiarachchi opened this issue 8 months ago • 0 comments

Describe the issue: In the API based authentication, federated authenticator responses should contain a redirectUrl inside additionalData object. As an example, for Google federated authenticators,

```json
{
    "authenticatorId": "R29vZ2xlT0lEQ0F1dGhlbnRpY2F0b3I6R29vZ2xl",
    "authenticator": "Google",
    "idp": "Google",
    "metadata": {
        "i18nKey": "authenticator.google",
        "promptType": "REDIRECTION_PROMPT",
        "additionalData": {
            "state": "7ea52985-924d-4c1d-acb1-81dca5cf9d27,OIDC",
            "redirectUrl": "https://accounts.google.com/o/oauth2/authabc?response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fcallback&state=7ea52985-924d-4c1d-acb1-81dca5cf9d27%2COIDC&nonce=965538d6-7632-4b63-8c8e-f27a8978964d&client_id=duy7tfF8tOH1ocZNsLOFRuDPuYMa&scope=email+openid+profile"
        }
    },
    "requiredParams": [
        "code",
        "state"
    ]
}
```

However, this additionalData object is missing in the Apple federated authenticator. Users cannot proceed with the next step.

```json
{
    "authenticatorId": "QXBwbGVPSURDQXV0aGVudGljYXRvcjpBcHBsZQ",
    "authenticator": "Apple",
    "idp": "Apple",
    "metadata": {
        "i18nKey": "authenticator.oidc",
        "promptType": "REDIRECTION_PROMPT"
    },
    "requiredParams": [
        "code",
        "state"
    ]
}
```

Additional data is taken from the context in OpenIDConnectAuthenticator [1]. The context is populated from the initiateAuthenticationRequest method [2]. However, this is only implemented in OpenIDConnectAuthenticator, and the Apple authenticator has initiateAuthenticationRequest overridden. Therefore, the required properties are not added to the context for the Apple authenticator.

[1] - https://github.com/wso2-extensions/identity-outbound-auth-oidc/blob/a2454b2b3054cf52a01b8e7dfb3ede0b37c48658/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java#L1396-L1397

[2] - https://github.com/wso2-extensions/identity-outbound-auth-oidc/blob/a2454b2b3054cf52a01b8e7dfb3ede0b37c48658/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java#L550

How to reproduce:

  1. Create an application and enable API based authentication.
  2. Create an Apple federated authenticator and add it as the login option for the application.
  3. Initiate API based authentication.
  4. additionalData is missing in the response.

Expected behavior: The redirect URL should come in the additionalData object.

Environment information:

  • Product Version: IS 7.0

isuruhettiarachchi · Jun 25 '24 09:06
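A client-side check for the failure mode described in this issue, added here as an example; it is not code from the issue or from the WSO2 project. It takes the two authenticator descriptors quoted above (embedded as constructed sample data) and reports whether a `REDIRECTION_PROMPT` authenticator can actually be followed: `additionalData.redirectUrl` must be present, must be an https URL carrying the OAuth `response_type`, `client_id` and `redirect_uri` parameters, and its `state` query parameter must match `additionalData.state`, since that is the value the client later echoes back as a required param. The function name and the treatment of a missing `additionalData` as a single error are assumptions of this example.

```python
"""Check REDIRECTION_PROMPT authenticator descriptors from a WSO2 IS
API-based authentication response (constructed samples, not project code)."""
from urllib.parse import parse_qs, urlparse

# Constructed sample: the Google descriptor quoted in the issue.
GOOGLE = {
    "authenticatorId": "R29vZ2xlT0lEQ0F1dGhlbnRpY2F0b3I6R29vZ2xl",
    "authenticator": "Google",
    "idp": "Google",
    "metadata": {
        "i18nKey": "authenticator.google",
        "promptType": "REDIRECTION_PROMPT",
        "additionalData": {
            "state": "7ea52985-924d-4c1d-acb1-81dca5cf9d27,OIDC",
            "redirectUrl": (
                "https://accounts.google.com/o/oauth2/authabc?response_type=code"
                "&redirect_uri=https%3A%2F%2Flocalhost%2Fcallback"
                "&state=7ea52985-924d-4c1d-acb1-81dca5cf9d27%2COIDC"
                "&nonce=965538d6-7632-4b63-8c8e-f27a8978964d"
                "&client_id=duy7tfF8tOH1ocZNsLOFRuDPuYMa&scope=email+openid+profile"
            ),
        },
    },
    "requiredParams": ["code", "state"],
}

# Constructed sample: the Apple descriptor quoted in the issue (no additionalData).
APPLE = {
    "authenticatorId": "QXBwbGVPSURDQXV0aGVudGljYXRvcjpBcHBsZQ",
    "authenticator": "Apple",
    "idp": "Apple",
    "metadata": {"i18nKey": "authenticator.oidc", "promptType": "REDIRECTION_PROMPT"},
    "requiredParams": ["code", "state"],
}

REQUIRED_QUERY_PARAMS = ("response_type", "client_id", "redirect_uri")


def check_redirection_authenticator(desc):
    """Return a list of problems for one descriptor; empty means it is usable.

    Non-redirection prompts are out of scope and always pass. (Hypothetical
    helper written for this example.)
    """
    name = desc.get("authenticator", "<unknown>")
    meta = desc.get("metadata") or {}
    if meta.get("promptType") != "REDIRECTION_PROMPT":
        return []

    extra = meta.get("additionalData")
    if not isinstance(extra, dict):
        # This is exactly the Apple case reported in the issue.
        return [f"{name}: additionalData missing"]

    problems = []
    url = extra.get("redirectUrl")
    state = extra.get("state")
    if not url:
        return [f"{name}: redirectUrl missing"]
    if not state:
        problems.append(f"{name}: state missing")

    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"{name}: redirectUrl is not https")

    query = parse_qs(parsed.query)
    for param in REQUIRED_QUERY_PARAMS:
        if param not in query:
            problems.append(f"{name}: {param} missing from redirectUrl")

    # The state the IdP will send back must be the one the server handed us,
    # otherwise the callback cannot be correlated with this login attempt.
    if state and query.get("state", [None])[0] != state:
        problems.append(f"{name}: state in redirectUrl does not match additionalData.state")

    # state is only useful if the server expects it back.
    if state and "state" not in desc.get("requiredParams", []):
        problems.append(f"{name}: state not listed in requiredParams")
    return problems


def unusable_authenticators(descriptors):
    """Names of descriptors that cannot be followed, in input order."""
    return [d["authenticator"] for d in descriptors if check_redirection_authenticator(d)]


if __name__ == "__main__":
    for d in (GOOGLE, APPLE):
        print(d["authenticator"], check_redirection_authenticator(d) or "OK")
```

Run against a live `/api/server/v1/authenticate`-style response by replacing the two constructed dicts with the `nextStep.authenticators` entries; any authenticator that comes back in `unusable_authenticators` cannot be followed, which is the user-visible symptom of this issue.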