Redirect after okta password reset is failing url validation
flipsed opened this issue
Describe the problem
When using Okta as an identity provider, we're having issues with the password reset flow. It goes something like this:
- the user attempts to access an application A protected by vouch
- vouch redirects to our self-hosted okta login page
- user enters their email address
- user receives password reset email and clicks on link
- user is redirected to the okta password reset form
- user enters new password and is redirected to application B
- vouch catches the redirect and throws a 400 Bad Request error
Although we use the self-hosted okta-signin-widget, it doesn't seem like we can configure the request in step 7, which is causing issues.
The final request to vouch.example.com looks like this:
GET /login?url=https://my.example.com/?iss=https%3A%2F%2Fauth.example.com&type_hint=PASSWORD_RECOVERY&session_hint=AUTHENTICATED&login_hint=example%40gmail.com&vouch-failcount=&X-Vouch-Token=&error=&rd=https://my.example.com%2F%3Fiss%3Dhttps%253A%252F%252Fauth.example.com%26type_hint%3DPASSWORD_RECOVERY%26session_hint%3DAUTHENTICATED%26login_hint%3Dpartarrieuphilippe%2540gmail.com HTTP/2
Our vouch logs are here. It seems like vouch is failing here. The iss url parameter is likely what's causing the url validation to fail, which ends up causing a 400 Bad Request.
Expected behavior
The user gets redirected to application B after the password reset flow. There seems to be an interoperability issue between vouch and okta for this given password reset flow.
Desktop (please complete the following information):
- OS: mac
- Browser: firefox
Additional context
I've also opened an issue on the okta-signin-widget - this has some burp screenshots. Let me know if there's any more information I can provide.
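The request line quoted above shows two things worth seeing concretely: the `url` parameter is not percent-encoded as a single value, so the `?` and `&` inside it split it at the top level, and the decoded redirect target itself carries an `iss` parameter that holds a second absolute URL. The script below is an added example, not vouch-proxy's or Okta's code: it parses a constructed copy of that request target (the login_hint replaced with a placeholder address), shows which parameters land where, and runs the target through a small redirect validator. The allow-listed host and the "no nested URL in the query" rule are assumptions standing in for a plausible check, not vouch's actual validation logic; the final function shows how a client should encode the redirect target so nothing leaks to the top level.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Constructed from the request line quoted in the issue; login_hint is a placeholder.
REQUEST_TARGET = (
    "/login?url=https://my.example.com/?iss=https%3A%2F%2Fauth.example.com"
    "&type_hint=PASSWORD_RECOVERY&session_hint=AUTHENTICATED"
    "&login_hint=user%40example.com&vouch-failcount=&X-Vouch-Token=&error="
    "&rd=https://my.example.com%2F%3Fiss%3Dhttps%253A%252F%252Fauth.example.com"
    "%26type_hint%3DPASSWORD_RECOVERY%26session_hint%3DAUTHENTICATED"
    "%26login_hint%3Duser%2540example.com"
)

# Assumption: the hosts the proxy is allowed to redirect back to.
ALLOWED_REDIRECT_HOSTS = {"my.example.com"}


def top_level_params(request_target: str) -> dict:
    """Split the query string the way a server does: on '&', then on the first '='.

    Because the value of `url` was not encoded as one unit, everything after its
    first unencoded '&' becomes a separate top-level parameter of /login.
    """
    return parse_qs(urlsplit(request_target).query, keep_blank_values=True)


def _is_absolute_url(value: str) -> bool:
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def classify_redirect(target: str) -> tuple:
    """Return (accepted, reason) for a post-login redirect target.

    Rules (assumed, modelled on common open-redirect defences):
      1. scheme must be http/https and the host must be on the allow list;
      2. no query parameter value may itself be an absolute URL, which is
         the rule that trips on the `iss` parameter from the issue.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme"
    if parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        return False, f"host {parts.hostname!r} not in allow list"
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if any(_is_absolute_url(v) for v in values):
            return False, f"query parameter {key!r} embeds another URL"
    return True, "ok"


def encode_login_url(target: str) -> str:
    """Build /login?url=... with the target percent-encoded as a single value.

    quote(..., safe="") encodes '/', '?', '&' and '=' too, so the server's
    query parser hands the whole target back as one `url` value.
    """
    return "/login?url=" + quote(target, safe="")


if __name__ == "__main__":
    params = top_level_params(REQUEST_TARGET)
    print("url parameter seen by the server:", params["url"][0])
    print("leaked to top level:", sorted(k for k in params if k not in ("url", "rd")))
    print("rd parameter (double-encoded, survives intact):", params["rd"][0])
    print("validator verdict:", classify_redirect(params["url"][0]))
    print("properly encoded:", encode_login_url("https://my.example.com/?a=1&b=2"))
```

Run it and compare the `url` and `rd` values: `rd` was encoded one extra time, so it comes back as the complete target with `type_hint`, `session_hint` and `login_hint` still attached, while `url` is cut at the first `&` and the remaining parameters leak into the proxy's own query string.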
@flipsed let's keep the conversation there, we can reopen this issue if necessary