Added redirect URI validation in authorization request (addressed #374)
Change-Id: I7e3bbc9cdfcf85fa897e0425cdc6bdb3eeda94f4
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuAuthorizationService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuAuthorizationService.java
index 0ac3da6..5898beb 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuAuthorizationService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuAuthorizationService.java
@@ -143,7 +143,8 @@
int statusCode = e.getStatusCode();
if (!clientId.isEmpty()
&& statusCode != StatusCodes.CLIENT_NOT_FOUND
- && statusCode != StatusCodes.AUTHORIZATION_FAILED) {
+ && statusCode != StatusCodes.AUTHORIZATION_FAILED
+ && statusCode != StatusCodes.INVALID_REDIRECT_URI) {
String registeredUri = null;
try {
OAuth2Client client = clientService.retrieveClient(clientId);
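Review bot: The added `INVALID_REDIRECT_URI` case in the condition carries no comment explaining why these status codes skip the client-redirect path, and a reader could easily "fix" it later by removing one. A comment above the `if` such as `// Do not redirect when the client or its redirect URI cannot be trusted: answer the error directly (RFC 6749 §4.1.2.1 forbids redirecting to an invalid/mismatching URI).` would make the intent durable. The enclosing catch block starts and ends outside this hunk, so the surrounding error handling could not be checked.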
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
index 69713f8..581fa09 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
@@ -4,6 +4,7 @@
import java.time.ZonedDateTime;
import java.util.Set;
+import org.apache.commons.validator.routines.UrlValidator;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
@@ -38,6 +39,8 @@
protected OAuth2ScopeServiceImpl scopeService;
@Autowired
private AuthorizationDao authorizationDao;
+ @Autowired
+ private UrlValidator redirectURIValidator;
@Autowired
protected FullConfiguration config;
@@ -110,24 +113,24 @@
throws KustvaktException {
String registeredUri = client.getRedirectURI();
+
if (redirectUri != null && !redirectUri.isEmpty()) {
// check if the redirect URI the same as that in DB
- if (registeredUri != null && !registeredUri.isEmpty()
- && !redirectUri.equals(registeredUri)) {
+ if (!redirectURIValidator.isValid(redirectUri) ||
+ (registeredUri != null && !registeredUri.isEmpty()
+ && !redirectUri.equals(registeredUri))) {
throw new KustvaktException(StatusCodes.INVALID_REDIRECT_URI,
"Invalid redirect URI", OAuth2Error.INVALID_REQUEST);
}
}
- else {
- // redirect_uri is not required in client registration!
- if (registeredUri != null && !registeredUri.isEmpty()) {
+ // redirect_uri is not required in client registration
+ else if (registeredUri != null && !registeredUri.isEmpty()) {
redirectUri = registeredUri;
- }
- else {
- throw new KustvaktException(StatusCodes.MISSING_REDIRECT_URI,
- "Redirect URI is required",
- OAuth2Error.INVALID_REQUEST);
- }
+ }
+ else {
+ throw new KustvaktException(StatusCodes.MISSING_REDIRECT_URI,
+ "Redirect URI is required",
+ OAuth2Error.INVALID_REQUEST);
}
return redirectUri;
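Review bot: The new guard `if (!redirectURIValidator.isValid(redirectUri) || (registeredUri != null && ...))` only enforces syntax when no redirect URI was registered, so a client registered without one still has the authorization response delivered to whatever well-formed URL the request supplies; syntactic validity is not a substitute for matching against a registered value. If that is intentional for this deployment, say so in a Javadoc on the method (its signature starts above this hunk), e.g. `Returns the effective redirect URI: a request value must be well-formed and, when the client registered one, identical to it; otherwise the registered value is used.`; otherwise the unregistered case should be rejected for grant types that deliver the response via the user-agent. Also note that if the injected `UrlValidator` bean uses default options it accepts only http/https/ftp and rejects `localhost` unless `ALLOW_LOCAL_URLS` is set, which affects native or loopback clients; that configuration is not visible here. Finally, the `// redirect_uri is not required in client registration` comment now sits between `}` and `else if`, which reads awkwardly — move it inside the branch it describes.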
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
index 45dbd6b..00f9e70 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
@@ -98,15 +98,15 @@
if (url != null && !url.isEmpty()) {
if (!urlValidator.isValid(url)) {
throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,
- url + " is invalid.", OAuth2Error.INVALID_REQUEST);
+ "Invalid URL", OAuth2Error.INVALID_REQUEST);
}
}
String redirectURI = clientJson.getRedirectURI();
if (redirectURI != null && !redirectURI.isEmpty()
&& !redirectURIValidator.isValid(redirectURI)) {
- throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,
- redirectURI + " is invalid.", OAuth2Error.INVALID_REQUEST);
+ throw new KustvaktException(StatusCodes.INVALID_REDIRECT_URI,
+ "Invalid redirect URI", OAuth2Error.INVALID_REQUEST);
}
// boolean isNative = isNativeClient(url, redirectURI);
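Review bot: Dropping the submitted value from the messages (`"Invalid URL"`, `"Invalid redirect URI"`) is a sensible change, since the old text reflected client input into the error response, but nothing explains it and a later edit may reintroduce it for "helpfulness". A comment on the first throw like `// Do not echo the submitted value back in the error response; it is client-controlled input.` would record the reason, and if the class has a logger the rejected value could be logged at debug level for operators. The two checks also now report different status codes (`INVALID_ARGUMENT` for the client URL, `INVALID_REDIRECT_URI` for the redirect URI); if that asymmetry is deliberate it deserves a one-line comment too. The enclosing method starts and ends outside this hunk.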