k-space/dex
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Activity

Merge pull request #1822 from faro-oss/feature/redirect-uris-for-public-clients

Browse Source 
Allow public clients (e.g. SPAs using implicit flow or PKCE) to have redirect URLs other than localhost
This commit is contained in:
Márk Sági-Kazár 2020-11-05 11:02:25 +01:00 committed by GitHub
commit 170794725d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 125 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
server/oauth2.go
View File

@ -588,12 +588,16 @@ func (s *Server) validateCrossClientTrust(clientID, peerID string) (trusted bool
} }
func validateRedirectURI(client storage.Client, redirectURI string) bool { func validateRedirectURI(client storage.Client, redirectURI string) bool {
if !client.Public { // Allow named RedirectURIs for both public and non-public clients.
for _, uri := range client.RedirectURIs { // This is required make PKCE-enabled web apps work, when configured as public clients.
if redirectURI == uri { for _, uri := range client.RedirectURIs {
return true if redirectURI == uri {
} return true
} }
}
// For non-public clients or when RedirectURIs is set, we allow only explicitly named RedirectURIs.
// Otherwise, we check below for special URIs used for desktop or mobile apps.
if !client.Public || len(client.RedirectURIs) > 0 {
return false return false
} }

116
server/oauth2_test.go
View File

@ -340,7 +340,9 @@ func TestValidRedirectURI(t *testing.T) {
RedirectURIs: []string{"http://foo.com/bar"}, RedirectURIs: []string{"http://foo.com/bar"},
}, },
redirectURI: "http://foo.com/bar/baz", redirectURI: "http://foo.com/bar/baz",
wantValid: false,
}, },
// These special desktop + device + localhost URIs are allowed by default.
{ {
client: storage.Client{ client: storage.Client{
Public: true, Public: true,
@ -348,6 +350,13 @@ func TestValidRedirectURI(t *testing.T) {
redirectURI: "urn:ietf:wg:oauth:2.0:oob", redirectURI: "urn:ietf:wg:oauth:2.0:oob",
wantValid: true, wantValid: true,
}, },
{
client: storage.Client{
Public: true,
},
redirectURI: "/device/callback",
wantValid: true,
},
{ {
client: storage.Client{ client: storage.Client{
Public: true, Public: true,
@ -369,6 +378,113 @@ func TestValidRedirectURI(t *testing.T) {
redirectURI: "http://localhost", redirectURI: "http://localhost",
wantValid: true, wantValid: true,
}, },
// Both Public + RedirectURIs configured: Could e.g. be a PKCE-enabled web app.
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://foo.com/bar",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://foo.com/bar/baz",
wantValid: false,
},
// These special desktop + device + localhost URIs are not allowed implicitly when RedirectURIs is non-empty.
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "urn:ietf:wg:oauth:2.0:oob",
wantValid: false,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "/device/callback",
wantValid: false,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://localhost:8080/",
wantValid: false,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://localhost:991/bar",
wantValid: false,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://localhost",
wantValid: false,
},
// These special desktop + device + localhost URIs can still be specified explicitly.
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "urn:ietf:wg:oauth:2.0:oob"},
},
redirectURI: "urn:ietf:wg:oauth:2.0:oob",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "/device/callback"},
},
redirectURI: "/device/callback",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost:8080/"},
},
redirectURI: "http://localhost:8080/",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost:991/bar"},
},
redirectURI: "http://localhost:991/bar",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost"},
},
redirectURI: "http://localhost",
wantValid: true,
},
// Non-localhost URIs are not allowed implicitly.
{
client: storage.Client{
Public: true,
},
redirectURI: "http://foo.com/bar",
wantValid: false,
},
{ {
client: storage.Client{ client: storage.Client{
Public: true, Public: true,