mystiq/dex
Archived
4
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

No longer allow desktop/mobile redirect URIs implicitly if RedirectURIs is set

Browse source 
Signed-off-by: Martin Heide <martin.heide@faro.com>
This commit is contained in:
Martin Heide 2020-11-02 14:05:47 +00:00
parent c15e2887bc
commit 162073b33e
2 changed files with 49 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
server/oauth2.go
View file

@ -595,8 +595,9 @@ func validateRedirectURI(client storage.Client, redirectURI string) bool {
return true return true
} }
} }
// For non-public clients, only named RedirectURIs are allowed. // For non-public clients or when RedirectURIs is set, we allow only explicitly named RedirectURIs.
if !client.Public { // Otherwise, we check below for special URIs used for desktop or mobile apps.
if !client.Public || len(client.RedirectURIs) > 0 {
return false return false
} }

51
server/oauth2_test.go
View file

@ -395,14 +395,14 @@ func TestValidRedirectURI(t *testing.T) {
redirectURI: "http://foo.com/bar/baz", redirectURI: "http://foo.com/bar/baz",
wantValid: false, wantValid: false,
}, },
// These special desktop + device + localhost URIs are allowed even when RedirectURIs is non-empty. // These special desktop + device + localhost URIs are not allowed implicitly when RedirectURIs is non-empty.
{ {
client: storage.Client{ client: storage.Client{
Public: true, Public: true,
RedirectURIs: []string{"http://foo.com/bar"}, RedirectURIs: []string{"http://foo.com/bar"},
}, },
redirectURI: "urn:ietf:wg:oauth:2.0:oob", redirectURI: "urn:ietf:wg:oauth:2.0:oob",
wantValid: true, wantValid: false,
}, },
{ {
client: storage.Client{ client: storage.Client{
@ -410,7 +410,7 @@ func TestValidRedirectURI(t *testing.T) {
RedirectURIs: []string{"http://foo.com/bar"}, RedirectURIs: []string{"http://foo.com/bar"},
}, },
redirectURI: "/device/callback", redirectURI: "/device/callback",
wantValid: true, wantValid: false,
}, },
{ {
client: storage.Client{ client: storage.Client{
@ -418,7 +418,7 @@ func TestValidRedirectURI(t *testing.T) {
RedirectURIs: []string{"http://foo.com/bar"}, RedirectURIs: []string{"http://foo.com/bar"},
}, },
redirectURI: "http://localhost:8080/", redirectURI: "http://localhost:8080/",
wantValid: true, wantValid: false,
}, },
{ {
client: storage.Client{ client: storage.Client{
@ -426,7 +426,7 @@ func TestValidRedirectURI(t *testing.T) {
RedirectURIs: []string{"http://foo.com/bar"}, RedirectURIs: []string{"http://foo.com/bar"},
}, },
redirectURI: "http://localhost:991/bar", redirectURI: "http://localhost:991/bar",
wantValid: true, wantValid: false,
}, },
{ {
client: storage.Client{ client: storage.Client{
@ -434,6 +434,47 @@ func TestValidRedirectURI(t *testing.T) {
RedirectURIs: []string{"http://foo.com/bar"}, RedirectURIs: []string{"http://foo.com/bar"},
}, },
redirectURI: "http://localhost", redirectURI: "http://localhost",
wantValid: false,
},
// These special desktop + device + localhost URIs can still be specified explicitly.
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "urn:ietf:wg:oauth:2.0:oob"},
},
redirectURI: "urn:ietf:wg:oauth:2.0:oob",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "/device/callback"},
},
redirectURI: "/device/callback",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost:8080/"},
},
redirectURI: "http://localhost:8080/",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost:991/bar"},
},
redirectURI: "http://localhost:991/bar",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost"},
},
redirectURI: "http://localhost",
wantValid: true, wantValid: true,
}, },
// Non-localhost URIs are not allowed implicitly. // Non-localhost URIs are not allowed implicitly.