APAR status
Closed as fixed if next.
Error description
During the Authorization Code grant type, a user can be redirected to an invalid redirect_uri if a bad rstate value is present in the query.
Local fix
Check the redirect_uri even when a bad rstate is present. Change the response from redirecting to the provided redirect_uri to responding with an Invalid Redirect_URI error.
Problem summary
The current design of the redirect_uri check, in conjunction with a bad rstate, allowed redirection to all incoming redirect_uris. This occurred even in cases where the request's redirect_uri did not match the one configured in the application. The flow would stop at this point, with no further OAuth steps possible.
Problem conclusion
Temporary fix
Comments
Fixed the check for redirect_uri being skipped in case of rstate (redirect state) being present in the authorization code request. Now, if a request's redirect_uri does not match the one configured, an Invalid redirect error is sent. Issue fixed from the next release, 5086.
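The ordering defect the APAR describes, shown as an added example that is not API Connect's own code: the "before" handler answers a bad rstate by redirecting to the caller-supplied redirect_uri before that URI has been checked, while the "after" handler validates redirect_uri first and answers a mismatch directly. The client registration and the rstate_looks_valid check are constructed stand-ins, not the product's actual data or logic.

```python
import re
from urllib.parse import urlencode

# Constructed client registration; a real server loads this from its client store.
REGISTERED_CLIENTS = {
    "client-a": {"https://app.example.com/callback"},
}

def rstate_looks_valid(rstate):
    # Hypothetical stand-in for the product's own rstate validation:
    # accept only a short token made of unreserved URI characters.
    return isinstance(rstate, str) and re.fullmatch(r"[A-Za-z0-9._~-]{1,128}", rstate) is not None

def redirect_uri_registered(client_id, redirect_uri):
    # Exact string match against the configured URIs; no prefix or wildcard matching.
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())

def authorize_before_fix(params):
    """Behaviour the APAR reports: a present-but-bad rstate is handled first and the
    error is delivered by redirecting to whatever redirect_uri the request supplied."""
    redirect_uri = params.get("redirect_uri", "")
    rstate = params.get("rstate")
    if rstate is not None and not rstate_looks_valid(rstate):
        # Redirect target has not been validated yet: this is the defect.
        return ("redirect", redirect_uri + "?" + urlencode({"error": "invalid_request"}))
    if not redirect_uri_registered(params.get("client_id"), redirect_uri):
        return ("error", "Invalid Redirect_URI")
    return ("continue", redirect_uri)

def authorize_after_fix(params):
    """Corrected order: redirect_uri is validated before any redirecting response, so a
    mismatch is answered directly instead of redirected (RFC 6749 section 3.1.2.4)."""
    redirect_uri = params.get("redirect_uri", "")
    if not redirect_uri_registered(params.get("client_id"), redirect_uri):
        return ("error", "Invalid Redirect_URI")
    rstate = params.get("rstate")
    if rstate is not None and not rstate_looks_valid(rstate):
        # Safe to redirect now: the target is one the client registered.
        return ("redirect", redirect_uri + "?" + urlencode({"error": "invalid_request"}))
    return ("continue", redirect_uri)
```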
APAR Information
APAR number
LI80628
Reported component name
API CONNECT ENT
Reported component ID
5725Z2201
Reported release
18X
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-02-18
Closed date
2019-05-18
Last modified date
2019-05-18
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
18 May 2019