Allow public clients (e.g. using implicit flow or PKCE) to have redirect URIs configured

Signed-off-by: Martin Heide <martin.heide@faro.com>
This commit is contained in:
Martin Heide 2020-10-05 18:19:33 +00:00
parent 6cdbb59406
commit b894d9c888
2 changed files with 33 additions and 5 deletions


@ -588,12 +588,15 @@ func (s *Server) validateCrossClientTrust(clientID, peerID string) (trusted bool
} }
func validateRedirectURI(client storage.Client, redirectURI string) bool { func validateRedirectURI(client storage.Client, redirectURI string) bool {
if !client.Public { // Allow named RedirectURIs for both public and non-public clients.
// This is required make PKCE-enabled web apps work, when configured as public clients.
for _, uri := range client.RedirectURIs { for _, uri := range client.RedirectURIs {
if redirectURI == uri { if redirectURI == uri {
return true return true
} }
} }
// For non-public clients, only named RedirectURIs are allowed.
if !client.Public {
return false return false
} }
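Review bot: With the checks reordered, a public client that has registered RedirectURIs is no longer confined to them: when none of them match, `if !client.Public { return false }` rejects only confidential clients, and a public client falls through to whatever follows the hunk, which on the old side was the public-only allowance for `urn:ietf:wg:oauth:2.0:oob` and loopback redirects (the remainder of `validateRedirectURI` is outside this hunk, so this is inferred from the old structure rather than seen). That is probably an acceptable policy, since registering an HTTPS callback for a PKCE web app then only additionally admits a listener on the user's own loopback, but it is a deliberate decision and deserves a line in the comment, e.g. `// Public clients keep the loopback/OOB allowances below even when RedirectURIs are set.` The comment at L16 also reads `required make`; it should be `required to make`. Exact string comparison against the registered URIs is the right check here (no prefix or substring matching), and the new `http://foo.com/bar/baz` case in the tests pins that.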


@ -340,6 +340,7 @@ func TestValidRedirectURI(t *testing.T) {
RedirectURIs: []string{"http://foo.com/bar"}, RedirectURIs: []string{"http://foo.com/bar"},
}, },
redirectURI: "http://foo.com/bar/baz", redirectURI: "http://foo.com/bar/baz",
wantValid: false,
}, },
{ {
client: storage.Client{ client: storage.Client{
@ -369,6 +370,30 @@ func TestValidRedirectURI(t *testing.T) {
redirectURI: "http://localhost", redirectURI: "http://localhost",
wantValid: true, wantValid: true,
}, },
// Both Public + RedirectURIs configured: Could e.g. be a PKCE-enabled web app.
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://foo.com/bar",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://foo.com/bar/baz",
wantValid: false,
},
{
client: storage.Client{
Public: true,
},
redirectURI: "http://foo.com/bar",
wantValid: false,
},
{ {
client: storage.Client{ client: storage.Client{
Public: true, Public: true,
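Review bot: The added cases cover an exact match, a path-suffix mismatch and a public client with no registered URIs, but none pins what happens when a public client has registered URIs and the request uses a loopback redirect, which the `http://localhost` case at L38–L39 shows the public-client path accepting. Since the new ordering in `validateRedirectURI` returns false only for non-public clients, that request presumably still validates even though it matches nothing registered; whichever outcome is intended, a test should freeze it so a later reordering of the checks does not change the policy silently. A case along the lines below, with `wantValid` set to the intended result, would do that.
```go
// Public + RedirectURIs configured: does URI registration restrict the loopback allowance?
{
	client: storage.Client{
		Public:       true,
		RedirectURIs: []string{"http://foo.com/bar"},
	},
	redirectURI: "http://localhost",
	wantValid:   true, // TODO(review): confirm this is the intended policy for public clients
},
```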