Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(op): do not redirect to unverified uri on error #640

Merged
merged 1 commit into from
Aug 21, 2024
Merged

fix(op): do not redirect to unverified uri on error #640

merged 1 commit into from
Aug 21, 2024

Conversation

muhlemmer
Copy link
Collaborator

Re-arrange Auth request validation.

  1. Input validation is done for required parameters.
  2. The request may include a request object, then it needs to be validated and data added to the request.
  3. The client is retreived from Storage.
  4. The request_uri is validated against the Client's configuration.
  5. Remaining validations are done.

Any error from step 1 up till and including 4 will not result in a redirect. The error is returned to the user-agent.
Errors from 5 and beyond will result in a redirect.

This fixes behavior to be compliant with Oauth2 RFC 6749, section 4.1.2.1:

If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.

Closes #627

Note: This PR does address the op.Server interface for 2 reasons:

  1. The bug is not applicaple there, because it doesn't redirect in most error cases. This is incorrect, but should be solved seprately. At least there is no security issue there.
  2. Allow this fix to be backprorted to v2.

Definition of Ready

  • I am happy with the code
  • Short description of the feature/issue is added in the pr description
  • PR is linked to the corresponding user story
  • Acceptance criteria are met
  • All open todos and follow ups are defined in a new ticket and justified
  • Deviations from the acceptance criteria and design are agreed with the PO and documented.
  • No debug or dead code
  • My code has no repetitions
  • Critical parts are tested automatically
  • Where possible E2E tests are implemented
  • Documentation/examples are up-to-date
  • All non-functional requirements are met
  • Functionality of the acceptance criteria is checked manually on the dev system.

@muhlemmer muhlemmer marked this pull request as ready for review August 20, 2024 15:54
@muhlemmer muhlemmer requested a review from livio-a August 20, 2024 15:54
muhlemmer added a commit that referenced this pull request Aug 20, 2024
@muhlemmer
fix(op): do not redirect to unverified uri on error
e66758e 
Backport of #640
Related to #627
@muhlemmer muhlemmer mentioned this pull request Aug 20, 2024
Merged
13 tasks
livio-a pushed a commit that referenced this pull request Aug 21, 2024
@muhlemmer
fix(op): do not redirect to unverified uri on error (#641)
e8769ce 
* fix(op): do not redirect to unverified uri on error

Backport of #640
Related to #627

* adjust tests
@livio-a livio-a merged commit 0aa61b0 into main Aug 21, 2024
6 checks passed
@livio-a livio-a deleted the fix-unverified-redirect branch August 21, 2024 07:29
@github-actions GitHub Actions
Copy link

🎉 This PR is included in version 3.27.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@livio-a livio-a livio-a approved these changes

Assignees
No one assigned
Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: Validation of redirect_uri is not performed before redirect
2 participants
@muhlemmer @livio-a