Added an error for a missing redirect URI in a token request
when one was included in the corresponding authorization request.
Change-Id: I8e5df06825d86802fbdc5c7b4d57f7ed76889772
diff --git a/full/Changes b/full/Changes
index 2b7484f..7c673dd 100644
--- a/full/Changes
+++ b/full/Changes
@@ -2,6 +2,8 @@
- Added data folder containing super_client_info and database
for mounting into docker
+- Added an error for missing redirect uri in a token request
+ when it has been included in the authorization request.
# version 0.69.4
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
index ff4565b..8da5caa 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
@@ -163,9 +163,14 @@
String authorizedUri = authorization.getRedirectURI();
if (authorizedUri != null && !authorizedUri.isEmpty()) {
- if (!authorizedUri.equals(redirectURI))
+ if (redirectURI == null || redirectURI.isEmpty()) {
+ throw new KustvaktException(StatusCodes.INVALID_REDIRECT_URI,
+ "Missing redirect URI", OAuth2Error.INVALID_GRANT);
+ }
+ if (!authorizedUri.equals(redirectURI)) {
throw new KustvaktException(StatusCodes.INVALID_REDIRECT_URI,
"Invalid redirect URI", OAuth2Error.INVALID_GRANT);
+ }
}
else if (redirectURI != null && !redirectURI.isEmpty()) {
throw new KustvaktException(StatusCodes.INVALID_REDIRECT_URI,
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
index c2e21fd..aca0a5c 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
@@ -400,13 +400,13 @@
Response response =
requestAuthorizationCode("code", confidentialClientId,
redirect_uri, scope, state, userAuthHeader);
- MultivaluedMap<String, String> params =
- getQueryParamsFromURI(response.getLocation());
- String code = params.get("code").get(0);
+ String code = parseAuthorizationCode(response);
testRequestTokenAuthorizationInvalidClient(code);
+ testRequestTokenAuthorizationMissingRedirectUri(code);
testRequestTokenAuthorizationInvalidRedirectUri(code);
testRequestTokenAuthorizationRevoked(code, redirect_uri);
+
}
private void testRequestTokenAuthorizationInvalidClient (String code)
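Review bot: The same authorization code returned by parseAuthorizationCode is handed to four successive token requests, the first three of which are expected to fail (invalid client, missing redirect_uri, wrong redirect_uri), so the sequence only holds while the server keeps a code exchangeable after a failed exchange. RFC 6749 only requires denial on reuse of a code that was already redeemed, but some servers invalidate the code on any failed attempt to limit guessing; if that is ever adopted here, this test breaks for the wrong reason. Either request a fresh code per negative case or state the reliance in a comment, e.g. `// NOTE: a failed exchange does not invalidate the code; reused below`. The trailing blank line added before the closing brace is stray whitespace.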
@@ -417,6 +417,17 @@
JsonNode node = JsonUtils.readTree(entity);
assertEquals(OAuth2Error.INVALID_CLIENT, node.at("/error").asText());
}
+
+ private void testRequestTokenAuthorizationMissingRedirectUri (String code)
+ throws KustvaktException {
+ Response response = requestTokenWithAuthorizationCodeAndForm(
+ confidentialClientId, "secret", code);
+ String entity = response.readEntity(String.class);
+ JsonNode node = JsonUtils.readTree(entity);
+ assertEquals(OAuth2Error.INVALID_GRANT, node.at("/error").asText());
+ assertEquals("Missing redirect URI",
+ node.at("/error_description").asText());
+ }
private void testRequestTokenAuthorizationInvalidRedirectUri (String code)
throws KustvaktException {
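Review bot: testRequestTokenAuthorizationMissingRedirectUri asserts the error and error_description in the body but never the HTTP status, so a server that wrote the OAuth error object into a 200 response would still pass. RFC 6749 §5.2 requires 400 for invalid_grant; add `assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());` before the entity is read, mirroring the status check the other helper in this commit performs. Pinning the exact wording "Missing redirect URI" couples the test to a message string; that is defensible since this commit introduces it, but the error code is the contract clients rely on. testRequestTokenAuthorizationInvalidRedirectUri begins at the bottom of this hunk and continues outside it.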
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
index df15f81..f2559ae 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
@@ -82,6 +82,17 @@
return form;
}
+ protected String parseAuthorizationCode (Response response) {
+
+ assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
+ response.getStatus());
+
+ URI redirectUri = response.getLocation();
+ MultiValueMap<String, String> params = UriComponentsBuilder
+ .fromUri(redirectUri).build().getQueryParams();
+ return params.getFirst("code");
+ }
+
protected Response requestAuthorizationCode (String responseType,
String clientId, String redirectUri, String scope, String state,
String authHeader) throws KustvaktException {
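Review bot: parseAuthorizationCode returns `params.getFirst("code")`, which is null whenever the redirect carried an OAuth error (`error=...`) instead of a code, and every caller then sends a null code to the token endpoint and fails on an unrelated assertion; add `assertNotNull("no code in redirect: " + redirectUri, code);` (JUnit 4 form, assuming that is the assertion library in use here) before returning. The helper also pins the authorization response to 307 Temporary Redirect; RFC 9700 §4.12 says an authorization server must not use 307 because a user agent may replay a POSTed body, such as submitted login credentials, to the client's redirect URI, and 303 is the recommended code. Whether requestAuthorizationCode reaches the endpoint by GET or POST is not visible in this hunk, so this is a server-side point the test now codifies rather than a defect in the helper itself. requestAuthorizationCode's signature starts at the end of the hunk and its body lies outside it.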
@@ -205,6 +216,8 @@
ContentType.APPLICATION_FORM_URLENCODED)
.post(Entity.form(form));
+ assertEquals(Status.OK.getStatusCode(), response.getStatus());
+
String entity = response.readEntity(String.class);
return JsonUtils.readTree(entity);
}
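Review bot: The new `assertEquals(Status.OK...)` runs before the response entity is read, so when the token request fails the JSON error body, which is the one diagnostic that explains why, is never shown. Read the entity first and pass it as the assertion message: `String entity = response.readEntity(String.class);` then `assertEquals(entity, Status.OK.getStatusCode(), response.getStatus());` followed by the existing `return JsonUtils.readTree(entity);`. The enclosing method starts outside this hunk.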