How To Prevent URL Redirection to an Unwanted OAM Logout Landing Page
Last updated on FEBRUARY 22, 2018
Applies to:Oracle Access Manager - Version 18.104.22.168.0 and later
Information in this document applies to any platform.
OAM has a feature using a query string "end_url" to redirect a browser to a landing page after logging out.
However a URL can be append either manually or programmatically to the end_url parameter and the browser will be redirected there.
For example https://www.acme.com/oam/server/logout?end_url=http://www.badsite.com/signup.jsp where www.acme.com is a valid OAM protected site, the browser will instead be redirected to http://www.badsite.com/signup.jsp.
The OAM server performs the server side logout operations and redirects the browser to the URL specified in the "end_url" query parameter whether logged in or out.
This is not a desired behavior.
The goal would be to only allow URLs expected and approved.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms