Enhance validation for configured issuer

Closes gh-649
Fang Xia
2022-03-19 22:53:12 +08:00
committed by Joe Grandja
parent b991e1adc1
commit d0bb94b887
2 changed files with 92 additions and 1 deletions


@@ -427,11 +427,17 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
private static void validateProviderSettings(ProviderSettings providerSettings) {
if (providerSettings.getIssuer() != null) {
URI issuerUri;
try {
new URI(providerSettings.getIssuer()).toURL();
issuerUri = new URI(providerSettings.getIssuer());
issuerUri.toURL();
} catch (Exception ex) {
throw new IllegalArgumentException("issuer must be a valid URL", ex);
}
// rfc8414 https://datatracker.ietf.org/doc/html/rfc8414#section-2
if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
throw new IllegalArgumentException("issuer cannot contain query or fragment component");
}
}
}
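Review bot: The comment on the new query/fragment check cites RFC 8414 §2, but that section also requires the issuer to use the https scheme, which validateProviderSettings still does not enforce (the fixtures in this commit all use https URLs, so nothing pins this either way). If accepting other schemes is deliberate, e.g. for local development, the comment should say so, e.g. `// rfc8414 section 2: no query or fragment component; the https-scheme requirement is intentionally not enforced here`; otherwise add `if (!"https".equalsIgnoreCase(issuerUri.getScheme())) { throw new IllegalArgumentException("issuer must use the https scheme"); }` after the parse. The `catch (Exception ex)` around the parse can also be narrowed to `catch (URISyntaxException | MalformedURLException | IllegalArgumentException ex)`, which is what `new URI(...)` and `toURL()` actually throw, so unrelated runtime failures are not relabelled as "issuer must be a valid URL".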


@@ -210,6 +210,41 @@ public class OidcTests {
);
}
@Test
public void loadContextWhenIssuerWithQueryThenThrowException() {
assertThatThrownBy(
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidQueryIssuerUrl.class).autowire()
);
}
@Test
public void loadContextWhenIssuerWithFragmentThenThrowException() {
assertThatThrownBy(
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidFragmentIssuerUrl.class).autowire()
);
}
@Test
public void loadContextWhenIssuerWithQueryAndFragmentThenThrowException() {
assertThatThrownBy(
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidQueryAndFragmentIssuerUrl.class).autowire()
);
}
@Test
public void loadContextWhenIssuerEndWithQuestionMarkCharacterThenThrowException() {
assertThatThrownBy(
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithQuestionMarkCharacter.class).autowire()
);
}
@Test
public void loadContextWhenIssuerEndWithNumberSignCharacterThenThrowException() {
assertThatThrownBy(
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithNumberSignCharacter.class).autowire()
);
}
@Test
public void requestWhenAuthenticationRequestThenTokenResponseIncludesIdToken() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire();
@@ -459,4 +494,54 @@ public class OidcTests {
}
}
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfigurationWithInvalidQueryIssuerUrl extends AuthorizationServerConfiguration {
@Bean
ProviderSettings providerSettings() {
return ProviderSettings.builder().issuer("https://localhost:9000?something=any").build();
}
}
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfigurationWithInvalidFragmentIssuerUrl extends AuthorizationServerConfiguration {
@Bean
ProviderSettings providerSettings() {
return ProviderSettings.builder().issuer("https://localhost:9000#fragment").build();
}
}
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfigurationWithInvalidQueryAndFragmentIssuerUrl extends AuthorizationServerConfiguration {
@Bean
ProviderSettings providerSettings() {
return ProviderSettings.builder().issuer("https://localhost:9000?something=any#fragment").build();
}
}
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithQuestionMarkCharacter extends AuthorizationServerConfiguration {
@Bean
ProviderSettings providerSettings() {
return ProviderSettings.builder().issuer("https://localhost:9000?").build();
}
}
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithNumberSignCharacter extends AuthorizationServerConfiguration {
@Bean
ProviderSettings providerSettings() {
return ProviderSettings.builder().issuer("https://localhost:9000/#").build();
}
}
}
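Review bot: The five new `assertThatThrownBy(...)` calls, from loadContextWhenIssuerWithQueryThenThrowException through loadContextWhenIssuerEndWithNumberSignCharacterThenThrowException, assert only that some exception escapes `autowire()`, so they would also pass if the context failed to load for an unrelated reason and do not prove that the query/fragment check is what fires. Chain an expectation on the cause, e.g. `.hasRootCauseInstanceOf(IllegalArgumentException.class).hasRootCauseMessage("issuer cannot contain query or fragment component")`, which ties each test to the validation it covers. The existing test immediately above the first new one appears to use the same bare form, so this may be a project convention; if so, a one-line comment on the first new test saying why the cause is not asserted would help. The two trailing-character fixtures (issuers ending in `?` and `/#`) would also benefit from a comment noting that they exercise the empty-but-non-null query/fragment case that `URI.getQuery()`/`getFragment()` report.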