From 9d55a64465c65d633f849d09aca44a9134e6e335 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Fri, 18 May 2018 13:15:27 -0500 Subject: [PATCH] OidcConfigurationProvider validate returned issuer Validate the issuer that was returned matches the issuer that was was requested. Issue: gh-5355 --- .../oidc/OidcConfigurationProvider.java | 5 ++++ .../oidc/OidcConfigurationProviderTests.java | 23 ++++++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProvider.java b/config/src/main/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProvider.java index 203c4d6c18..e31ae70363 100644 --- a/config/src/main/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProvider.java +++ b/config/src/main/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProvider.java @@ -70,6 +70,11 @@ public final class OidcConfigurationProvider { public static ClientRegistration.Builder issuer(String issuer) { String openidConfiguration = getOpenidConfiguration(issuer); OIDCProviderMetadata metadata = parse(openidConfiguration); + String metadataIssuer = metadata.getIssuer().getValue(); + if (!issuer.equals(metadataIssuer)) { + throw new IllegalStateException("The Issuer \"" + metadataIssuer + "\" provided in the OpenID Configuration did not match the requested issuer \"" + issuer + "\""); + } + String name = URI.create(issuer).getHost(); ClientAuthenticationMethod method = getClientAuthenticationMethod(issuer, metadata.getTokenEndpointAuthMethods()); List grantTypes = metadata.getGrantTypes(); diff --git a/config/src/test/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProviderTests.java b/config/src/test/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProviderTests.java index 28947090bc..5b27c45134 100644 --- a/config/src/test/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProviderTests.java +++ b/config/src/test/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProviderTests.java @@ -205,20 +205,37 @@ public class OidcConfigurationProviderTests { @Test public void issuerWhenEmptyStringThenMeaningfulErrorMessage() { assertThatThrownBy(() -> OidcConfigurationProvider.issuer("")) - .hasMessageContaining("Unable to resolve the OpenID Configuration with the provided Issuer of \"\""); + .hasMessageContaining("Unable to resolve the OpenID Configuration with the provided Issuer of \"\""); } - private ClientRegistration registration(String path) throws Exception { + @Test + public void issuerWhenOpenIdConfigurationDoesNotMatchThenMeaningfulErrorMessage() throws Exception { + this.issuer = createIssuerFromServer(""); + String body = this.mapper.writeValueAsString(this.response); + MockResponse mockResponse = new MockResponse() + .setBody(body) + .setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE); + this.server.enqueue(mockResponse); + assertThatThrownBy(() -> OidcConfigurationProvider.issuer(this.issuer)) + .hasMessageContaining("The Issuer \"https://example.com\" provided in the OpenID Configuration did not match the requested issuer \"" + this.issuer + "\""); + } + + private ClientRegistration registration(String path) throws Exception { + this.issuer = createIssuerFromServer(path); + this.response.put("issuer", this.issuer); String body = this.mapper.writeValueAsString(this.response); MockResponse mockResponse = new MockResponse() .setBody(body) .setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE); this.server.enqueue(mockResponse); - this.issuer = this.server.url(path).toString(); return OidcConfigurationProvider.issuer(this.issuer) .clientId("client-id") .clientSecret("client-secret") .build(); } + + private String createIssuerFromServer(String path) { + return this.server.url(path).toString(); + } }