Authorization consent form trying to load JS and logo in unsecure manner

This topic has 4 replies, 3 voices, and was last updated 5 years, 2 months ago by suhaibmustafa.

  • #9391
     suhaibmustafa
    Participant

    Hi,

    I have configured OpenAM/OpenIDConnect as Identity Provider and am facing an issue with the consent page. The connection from the user endpoint to the load-balancer/proxy is over HTTPS, but the connection from the load-balancer/proxy to the OpenAM deployment is over HTTP. Everything works fine until the authorization consent form page, where it tries to load some JavaScript files and images over HTTP, which is causing the issue.

    consent form page URL: https://some.base.url/openam/oauth2/authorize?response_type=code&client_id=<some_client>&redirect_uri=<some_uri>&scope=openid&state=<some value>

    Javascript it tries to load: http://some.base.uri/openam/XUI/libs/requirejs-2.1.14-min.js
    image: logo.png

    I tried to create a “Base URL service” with a fixed value of https://some.base.uri but that also did not work out.

    Any solution to this would be much appreciated.

    Thanks and Best Regards,
    Syed Suhaib Mustafa

    • This topic was modified 5 years, 5 months ago by suhaibmustafa.
    #9397
     Rajesh R
    Participant

    @suhaibmustafa I had a similar issue and my colleague Peter Major had pointed me to the following link:

    https://bugster.forgerock.org/jira/browse/OPENAM-8371

    Would this be your issue?

    #9423
     suhaibmustafa
    Participant

    Hi Rajesh, thanks for the quick reply. The issue I described is slightly different from it. The issue I am facing is that the OAuth 2.0 authorization consent page is trying to load insecure content (JS, img) over a secure connection. Hence the browser shows a blank page with a notification to the user in the top right corner which says:

    This page is trying to load scripts from unauthenticated source.
    Load unsafe scripts.

    When we click on “Load unsafe scripts”, the consent page comes up and the flow works fine from there. My concern here is how/where/what to configure in OpenAM so that it loads all the contents of the HTML (here the consent form) based on the protocol the user requested (in this case HTTPS).

    #9772
     Peter Major
    Moderator

    You should configure the Base URL Provider service in your subrealm.

    #11996
     suhaibmustafa
    Participant

    Hi,

    The Base URL provider also didn’t work, as I had mentioned in the problem statement. I fixed it by having a proxy in the HTTP connector of the Apache Tomcat server.
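
The last post does not show the connector settings that were used. As an added illustration (not from the thread and not ForgeRock's own configuration), this is how a Tomcat HTTP connector is commonly told that it sits behind a TLS-terminating proxy; the host name, ports, the internal address pattern, and the assumption that this matches the poster's fix are all placeholders.

```xml
<!-- conf/server.xml (Apache Tomcat). Added example; values are placeholders.
     The two <Connector> elements are alternatives for the same port:
     keep only one of them in a real file. -->

<!-- Before: Tomcat only sees the plain-HTTP hop from the load balancer.
     request.getScheme() returns "http", so absolute URLs the application
     builds from the request (scripts, images, redirects) start with
     http:// and the browser blocks them as mixed content. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" />

<!-- After: the connector declares the public endpoint the browser used.
     proxyName/proxyPort feed getServerName()/getServerPort(),
     scheme feeds getScheme(), secure feeds isSecure(). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           proxyName="some.base.url"
           proxyPort="443"
           scheme="https"
           secure="true" />

<!-- Caveat: these attributes are static. Every request arriving on this
     connector is reported as HTTPS, including one sent directly over
     plain HTTP, so port 8080 must be reachable only from the proxy
     (bind it with address="..." or restrict it at the firewall). -->

<!-- Alternative when the proxy sets X-Forwarded-* headers: leave the
     connector as in "Before" and add this valve inside <Engine> or
     <Host>. Scheme and client address are then derived per request,
     but only for requests coming from the trusted proxy addresses. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.0\.\d{1,3}"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto" />
```

After a restart, the consent page's script and image URLs can be checked in the browser's network panel to confirm they are requested over https:// and that no mixed-content warning remains.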
