From b894d9c88813ac876076b338c1e51126ea728ee9 Mon Sep 17 00:00:00 2001 From: Martin Heide Date: Mon, 5 Oct 2020 18:19:33 +0000 Subject: [PATCH] Allow public clients (e.g. using implicit flow or PKCE) to have redirect URIs configured Signed-off-by: Martin Heide --- server/oauth2.go | 13 ++++++++----- server/oauth2_test.go | 25 +++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 5 deletions(-) diff --git a/server/oauth2.go b/server/oauth2.go index 79e54c32..9ae825ab 100644 --- a/server/oauth2.go +++ b/server/oauth2.go @@ -588,12 +588,15 @@ func (s *Server) validateCrossClientTrust(clientID, peerID string) (trusted bool } func validateRedirectURI(client storage.Client, redirectURI string) bool { - if !client.Public { - for _, uri := range client.RedirectURIs { - if redirectURI == uri { - return true - } + // Allow named RedirectURIs for both public and non-public clients. + // This is required make PKCE-enabled web apps work, when configured as public clients. + for _, uri := range client.RedirectURIs { + if redirectURI == uri { + return true } + } + // For non-public clients, only named RedirectURIs are allowed. + if !client.Public { return false } diff --git a/server/oauth2_test.go b/server/oauth2_test.go index 8db9ea59..f75015f0 100644 --- a/server/oauth2_test.go +++ b/server/oauth2_test.go @@ -340,6 +340,7 @@ func TestValidRedirectURI(t *testing.T) { RedirectURIs: []string{"http://foo.com/bar"}, }, redirectURI: "http://foo.com/bar/baz", + wantValid: false, }, { client: storage.Client{ @@ -369,6 +370,30 @@ func TestValidRedirectURI(t *testing.T) { redirectURI: "http://localhost", wantValid: true, }, + // Both Public + RedirectURIs configured: Could e.g. be a PKCE-enabled web app. + { + client: storage.Client{ + Public: true, + RedirectURIs: []string{"http://foo.com/bar"}, + }, + redirectURI: "http://foo.com/bar", + wantValid: true, + }, + { + client: storage.Client{ + Public: true, + RedirectURIs: []string{"http://foo.com/bar"}, + }, + redirectURI: "http://foo.com/bar/baz", + wantValid: false, + }, + { + client: storage.Client{ + Public: true, + }, + redirectURI: "http://foo.com/bar", + wantValid: false, + }, { client: storage.Client{ Public: true,