Allow public clients (e.g. using implicit flow or PKCE) to have redirect URIs configured
Signed-off-by: Martin Heide <martin.heide@faro.com>
This commit is contained in:
parent
6cdbb59406
commit
b894d9c888
2 changed files with 33 additions and 5 deletions
|
@ -588,12 +588,15 @@ func (s *Server) validateCrossClientTrust(clientID, peerID string) (trusted bool
|
|||
}
|
||||
|
||||
func validateRedirectURI(client storage.Client, redirectURI string) bool {
|
||||
if !client.Public {
|
||||
// Allow named RedirectURIs for both public and non-public clients.
|
||||
// This is required make PKCE-enabled web apps work, when configured as public clients.
|
||||
for _, uri := range client.RedirectURIs {
|
||||
if redirectURI == uri {
|
||||
return true
|
||||
}
|
||||
}
|
||||
// For non-public clients, only named RedirectURIs are allowed.
|
||||
if !client.Public {
|
||||
return false
|
||||
}
|
||||
|
||||
|
|
|
@ -340,6 +340,7 @@ func TestValidRedirectURI(t *testing.T) {
|
|||
RedirectURIs: []string{"http://foo.com/bar"},
|
||||
},
|
||||
redirectURI: "http://foo.com/bar/baz",
|
||||
wantValid: false,
|
||||
},
|
||||
{
|
||||
client: storage.Client{
|
||||
|
@ -369,6 +370,30 @@ func TestValidRedirectURI(t *testing.T) {
|
|||
redirectURI: "http://localhost",
|
||||
wantValid: true,
|
||||
},
|
||||
// Both Public + RedirectURIs configured: Could e.g. be a PKCE-enabled web app.
|
||||
{
|
||||
client: storage.Client{
|
||||
Public: true,
|
||||
RedirectURIs: []string{"http://foo.com/bar"},
|
||||
},
|
||||
redirectURI: "http://foo.com/bar",
|
||||
wantValid: true,
|
||||
},
|
||||
{
|
||||
client: storage.Client{
|
||||
Public: true,
|
||||
RedirectURIs: []string{"http://foo.com/bar"},
|
||||
},
|
||||
redirectURI: "http://foo.com/bar/baz",
|
||||
wantValid: false,
|
||||
},
|
||||
{
|
||||
client: storage.Client{
|
||||
Public: true,
|
||||
},
|
||||
redirectURI: "http://foo.com/bar",
|
||||
wantValid: false,
|
||||
},
|
||||
{
|
||||
client: storage.Client{
|
||||
Public: true,
|
||||
|
|
Reference in a new issue