We updated a local install with a recent version of the toolkit and discovered that someone broke the external authority recover password feature by adding some "redirection to external hosts not allowed" code. There needs to be a list of allowed external hosts so that the authentication package can forward people to external password management hosts.
Anyone remember who added this feature/bug and/or have any suggestions on how to fix it?
-----
Redirection to external hosts is not allowed.
while executing
"error "Redirection to external hosts is not allowed.""
(procedure "ad_returnredirect" line 13)
invoked from within
"ad_returnredirect $forgotten_url"
(procedure "auth::password::recover_password" line 32)