Red Hat Bugzilla – Bug 1138798
Add support for bounce_url to /ipa/ui/reset_password.html
Last modified: 2015-03-05 05:13:46 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/4440

When FreeIPA is used as an authentication provider for web applications, the Apache might attempt PAM authentication for example using mod_intercept_form_submit and find the password expired. In that case, the module might like to redirect the user to a password reset page on FreeIPA to get the password reset -- typically upon the first use of the password after admin (re)set it.

When that password reset passes, the /ipa/ui/reset_password.html page says

    Password reset was successful. Return to login page.

pointing to /ipa/ui/login.html on the FreeIPA server.

But if the password reset was initiated due to a failed login to external application and not to FreeIPA WebUI itself, we might need a way to specify the URL the user should be redirected to after successful password reset.

Adding support for parameter like bounce_url would be nice. How much more customizable this should get is a question -- we might also want name of that other application, and perhaps the locales that should be used for the password reset page ... But bounce_url is what is needed for.
fixed upstream:

master:
https://fedorahosted.org/freeipa/changeset/8288135b5b218cd63d5f5bfba59f6d1f9657af2d/
https://fedorahosted.org/freeipa/changeset/050431c4dd70f024b1644137fb0ad4881ed9e32b/

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/8288135b5b218cd63d5f5bfba59f6d1f9657af2d/
https://fedorahosted.org/freeipa/changeset/c946029ba304efe808106da13e1bfd58135821be/
The way I understand it, we need an external web application to simulate a user password reset. Correct me if I am wrong. Do you have any sample application to test it, or can you please tell me an alternate way to test this BZ#1138798?
REPRODUCTION INFORMATION:

This change added support for "url" parameter to IPA password reset standalone page. When this URL is present, the page will display notice "Password reset was successful. Continue to _next page_" with link to the specific, encoded, URL.

In this example:

https://ipa.mkosek-rhel71.test/ipa/ui/reset_password.html?url=http%3A%2F%2Fwww.freeipa.org

the link will lead to www.freeipa.org site.

Additional details in commit messages in
https://fedorahosted.org/freeipa/changeset/8288135b5b218cd63d5f5bfba59f6d1f9657af2d/
https://fedorahosted.org/freeipa/changeset/c946029ba304efe808106da13e1bfd58135821be/
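How the encoded "url" parameter from the comment above can be built by the calling application and read back by the reset page, as an added example that is not FreeIPA's code and not part of the bug report. The function names and the optional host allowlist are assumptions of this sketch, which accepts only absolute http/https targets.

```javascript
'use strict';
// Added example, not FreeIPA code: function names and the optional host
// allowlist are hypothetical. Only the page path and "url" come from the bug.
const RESET_PAGE_PATH = '/ipa/ui/reset_password.html';

// Application side: link that sends a user with an expired password to the
// IPA reset page, carrying the return address in the "url" parameter.
function buildResetLink(ipaOrigin, returnUrl) {
  const link = new URL(RESET_PAGE_PATH, ipaOrigin);
  // searchParams.set() percent-encodes the value (":" -> %3A, "/" -> %2F).
  link.searchParams.set('url', returnUrl);
  return link.toString();
}

// Page side: read "url" back from the page address. Returns the normalized
// target, or null when it is missing, relative, not http(s), or (when an
// allowlist is given) points at a host that is not on it.
function extractReturnUrl(pageLocation, allowedHosts) {
  const raw = new URL(pageLocation).searchParams.get('url');
  if (!raw) return null;
  let target;
  try {
    target = new URL(raw); // throws on relative or malformed input
  } catch (err) {
    return null;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  if (allowedHosts && !allowedHosts.includes(target.hostname)) return null;
  return target.href;
}

// Notice shown after a successful reset: the "next page" link when a usable
// target was supplied, otherwise the default link to the IPA login page.
function successNotice(pageLocation, allowedHosts) {
  const next = extractReturnUrl(pageLocation, allowedHosts);
  return next
    ? { text: 'Password reset was successful. Continue to next page', href: next }
    : { text: 'Password reset was successful. Return to login page.', href: '/ipa/ui/login.html' };
}

// Constructed sample, using the host names from the comment above.
const sample = buildResetLink('https://ipa.mkosek-rhel71.test', 'http://www.freeipa.org');
console.log(sample);
console.log(successNotice(sample, ['www.freeipa.org']));
```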
Created attachment 985330 [details]
support for bounce_url

Verified.

IPA version:
------------
ipa-server-4.1.0-15.el7.x86_64

Steps followed:
===============
1: Open "password reset page" with link to the specific, encoded, URL.
   https://<IPA-SERVER-NAME>/ipa/ui/reset_password.html?url=http%3A%2F%2F<external application>
   Eg:- https://server71ui.mvtestrelm.test/ipa/ui/reset_password.html?url=http%3A%2F%2Fwww.freeipa.org
2: Enter username (for which password to be reset)
3: Enter "Current Password" and "New Password", "Re-Enter New Password"
4: Hit "Reset" button
5: The page will display message as "Password reset was successful. Continue to next page"
6: Click "Continue to next page" it will take you external application/site.

For reference I have attached snapshot.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html