Enhance validation for configured issuer
Closes gh-649
@@ -427,11 +427,17 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
|
||||
|
||||
private static void validateProviderSettings(ProviderSettings providerSettings) {
|
||||
if (providerSettings.getIssuer() != null) {
|
||||
URI issuerUri;
|
||||
try {
|
||||
new URI(providerSettings.getIssuer()).toURL();
|
||||
issuerUri = new URI(providerSettings.getIssuer());
|
||||
issuerUri.toURL();
|
||||
} catch (Exception ex) {
|
||||
throw new IllegalArgumentException("issuer must be a valid URL", ex);
|
||||
}
|
||||
// rfc8414 https://datatracker.ietf.org/doc/html/rfc8414#section-2
|
||||
if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
|
||||
throw new IllegalArgumentException("issuer cannot contain query or fragment component");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
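Review bot: The `catch (Exception ex)` in validateProviderSettings is broader than the two calls it guards can justify; `catch (URISyntaxException | MalformedURLException | IllegalArgumentException ex)` names the real failure modes of `new URI(...)` and `toURL()` (the last for a non-absolute URI) and stops the block from relabelling unrelated runtime errors as "issuer must be a valid URL". The comment above the query/fragment check only cites the RFC; stating the rule is more useful to the next reader: `// RFC 8414 Section 2: the issuer identifier MUST NOT include a query or fragment component`. A trailing `?` or `#` yields an empty but non-null value from `getQuery()`/`getFragment()`, which is why the null check also rejects the "ends with" cases the new tests exercise; that is worth one sentence in the same comment. The cited section also requires the `https` scheme, which this check does not enforce; if non-https issuers are deliberately tolerated (e.g. for local development), a short comment recording that decision would keep the deviation from the RFC visible.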
||||
@@ -210,6 +210,41 @@ public class OidcTests {
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadContextWhenIssuerWithQueryThenThrowException() {
|
||||
assertThatThrownBy(
|
||||
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidQueryIssuerUrl.class).autowire()
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadContextWhenIssuerWithFragmentThenThrowException() {
|
||||
assertThatThrownBy(
|
||||
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidFragmentIssuerUrl.class).autowire()
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadContextWhenIssuerWithQueryAndFragmentThenThrowException() {
|
||||
assertThatThrownBy(
|
||||
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidQueryAndFragmentIssuerUrl.class).autowire()
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadContextWhenIssuerEndWithQuestionMarkCharacterThenThrowException() {
|
||||
assertThatThrownBy(
|
||||
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithQuestionMarkCharacter.class).autowire()
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loadContextWhenIssuerEndWithNumberSignCharacterThenThrowException() {
|
||||
assertThatThrownBy(
|
||||
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithNumberSignCharacter.class).autowire()
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenAuthenticationRequestThenTokenResponseIncludesIdToken() throws Exception {
|
||||
this.spring.register(AuthorizationServerConfiguration.class).autowire();
|
||||
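Review bot: Each of the five new `assertThatThrownBy(...)` chains ends without asserting anything about the exception, so any failure to build the context — an unrelated bean error or missing class — satisfies the test as well as the issuer validation does. Pinning the cause, for example `.hasRootCauseInstanceOf(IllegalArgumentException.class)` or `.hasRootCauseMessage("issuer cannot contain query or fragment component")`, ties each test to the check it is meant to cover; the exact wrapper thrown by `autowire()` is not visible here, so the root-cause form is the safer anchor. The five tests differ only in the configuration class they register, so a single parameterized test over the five issuer strings would express the same coverage in one place, provided the test framework in use supports it (not visible in this hunk).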
@@ -459,4 +494,54 @@ public class OidcTests {
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Import(OAuth2AuthorizationServerConfiguration.class)
|
||||
static class AuthorizationServerConfigurationWithInvalidQueryIssuerUrl extends AuthorizationServerConfiguration {
|
||||
|
||||
@Bean
|
||||
ProviderSettings providerSettings() {
|
||||
return ProviderSettings.builder().issuer("https://localhost:9000?something=any").build();
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Import(OAuth2AuthorizationServerConfiguration.class)
|
||||
static class AuthorizationServerConfigurationWithInvalidFragmentIssuerUrl extends AuthorizationServerConfiguration {
|
||||
|
||||
@Bean
|
||||
ProviderSettings providerSettings() {
|
||||
return ProviderSettings.builder().issuer("https://localhost:9000#fragment").build();
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Import(OAuth2AuthorizationServerConfiguration.class)
|
||||
static class AuthorizationServerConfigurationWithInvalidQueryAndFragmentIssuerUrl extends AuthorizationServerConfiguration {
|
||||
|
||||
@Bean
|
||||
ProviderSettings providerSettings() {
|
||||
return ProviderSettings.builder().issuer("https://localhost:9000?something=any#fragment").build();
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Import(OAuth2AuthorizationServerConfiguration.class)
|
||||
static class AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithQuestionMarkCharacter extends AuthorizationServerConfiguration {
|
||||
|
||||
@Bean
|
||||
ProviderSettings providerSettings() {
|
||||
return ProviderSettings.builder().issuer("https://localhost:9000?").build();
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Import(OAuth2AuthorizationServerConfiguration.class)
|
||||
static class AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithNumberSignCharacter extends AuthorizationServerConfiguration {
|
||||
|
||||
@Bean
|
||||
ProviderSettings providerSettings() {
|
||||
return ProviderSettings.builder().issuer("https://localhost:9000/#").build();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||