Anyone else's Entra App Registration auth redirect URIs look like this?

I haven’t had to add to this list for some time, but just had to add another variation for REST help. It feels a bit like whack-a-mole. Has anyone else had to deal with this? For a while there, I was finding a different variation of upper-case/lower-case, ends with “/”, doesn’t end with “/” pretty regularly.

2 Likes

At least for on-prem, the recommendation is to use all lowercase letters.

If you’re seeing this in SaaS, Epicor is not following their own advice.

7 Likes

Yes, pretty much! Entra requires the entries to be case-sensitive. If you deal with any connected app like Dynamic Docs or EDD, they use the same application ID but have different redirects.

Luckily these changes are quick to identify and easy to make.

1 Like

We have hundreds of permutations in our list. Regularly have to add new ones (have 5 environments). It’s literally insane to me that this is case sensitive. WHY

In the OpenID spec, redirect URIs must be pre-registered, and for non-Windows machines, this side of the URI looks at case. In the handshake of OIDC, the caller sends the URI to return the access token to. If someone could set up another URI, they could capture the token just by changing the case on a single character. It’s not an Entra thing or a Kinetic thing, it is how the spec was written.

3 Likes

In technical terms, that is so dumb.

4 Likes

The spec is the spec. Epicor should not be relying on the provider to be lenient.
.toLowerCase() epicor.
It’s not hard.

2 Likes
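
Added example (not from any poster in this thread and not Epicor's code): a JavaScript sketch of the exact-match behaviour discussed above, with one possible client-side canonical form and a diagnostic that reports whether a rejected redirect URI differs from a registered entry only by case or a trailing slash. The host names, paths and function names are constructed for illustration.

```javascript
// Provider side: the requested redirect_uri must equal a registered entry
// character for character (simple string comparison, no normalization).
function isRegistered(requested, registered) {
  return registered.includes(requested);
}

// Client side, one possible canonical form (an assumption for this example):
// lowercase the whole URI and drop trailing slashes, so a single variant is
// ever sent. Only safe if the application actually serves the lowercase path.
function canonicalRedirect(uri) {
  return uri.toLowerCase().replace(/\/+$/, "");
}

// Admin side: explain why a rejected redirect_uri failed. The result is for
// reporting only and must never be used to accept a near-miss URI.
function diagnoseRedirect(requested, registered) {
  if (isRegistered(requested, registered)) {
    return { match: "exact", entry: requested };
  }
  const stripSlash = (u) => u.replace(/\/+$/, "");
  const checks = [
    ["trailing-slash-only", stripSlash],
    ["case-only", (u) => u.toLowerCase()],
    ["case-and-trailing-slash", canonicalRedirect],
  ];
  for (const [match, normalize] of checks) {
    const wanted = normalize(requested);
    const entry = registered.find((r) => normalize(r) === wanted);
    if (entry) return { match, entry };
  }
  return { match: "none", entry: null };
}

// Constructed sample registration list (not real Epicor or Entra values).
const REGISTERED = [
  "https://erp.example.com/kinetic/apps/erp/home",
  "https://erp.example.com/kinetic/api/help/",
];

// Constructed sample: the same page requested with different casing.
const sample = "https://erp.example.com/Kinetic/apps/erp/home";
console.log(isRegistered(sample, REGISTERED), diagnoseRedirect(sample, REGISTERED));
```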

Let’s look on the bright side. Considering those callbacks are over 100 char, say 75 are alpha, that’s 2^75 or 37 quintillion possibilities. So could be worse. Imagine if it were 2^77, over 151 sextillion.

1 Like