diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
index ab8cdb4b..cb258cb8 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
@@ -55,6 +55,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * An {@link AbstractHttpConfigurer} for OAuth 2.0 Authorization Server support.
@@ -387,6 +388,9 @@ public final class OAuth2AuthorizationServerConfigurer
 			} catch (Exception ex) {
 				throw new IllegalArgumentException("issuer must be a valid URL", ex);
 			}
+			if (StringUtils.hasText(issuerUri.getPath())) {
+				throw new IllegalArgumentException("Path component for issuer ('" + issuerUri.getPath() + "') is currently not supported");
+			}
 			// rfc8414 https://datatracker.ietf.org/doc/html/rfc8414#section-2
 			if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
 				throw new IllegalArgumentException("issuer cannot contain query or fragment component");
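Review bot: The message of the new path check is styled differently from its neighbours — the surrounding messages are lowercase and start with `issuer` (`"issuer must be a valid URL"`, `"issuer cannot contain query or fragment component"`), while the added one starts with a capital. A trailing slash alone (`getPath()` returning `"/"`) is also rejected, which the accompanying test confirms is intended, but a reader of `Path component for issuer ('/')` will not guess that; consider `throw new IllegalArgumentException("issuer cannot contain a path component, including a trailing slash ('" + issuerUri.getPath() + "')");`. Since RFC 8414 §2 itself permits a path in the issuer identifier, a why-comment above the check, `// RFC 8414 permits an issuer path component, but it is not supported yet`, would tell the next maintainer this is a deliberate limitation rather than a spec requirement. The enclosing method starts and ends outside the hunk.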
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
index a3ae7327..32573052 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
@@ -162,6 +162,13 @@ public class OidcProviderConfigurationTests {
 		);
 	}
 
+	@Test
+	public void loadContextWhenIssuerWithPathThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithIssuerPath.class).autowire()
+		);
+	}
+
 	@Test
 	public void loadContextWhenIssuerWithQueryThenThrowException() {
 		assertThatThrownBy(
@@ -183,6 +190,13 @@ public class OidcProviderConfigurationTests {
 		);
 	}
 
+	@Test
+	public void loadContextWhenIssuerWithEmptyPathThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithIssuerEmptyPath.class).autowire()
+		);
+	}
+
 	@Test
 	public void loadContextWhenIssuerWithEmptyQueryThenThrowException() {
 		assertThatThrownBy(
@@ -300,6 +314,15 @@ public class OidcProviderConfigurationTests {
 		}
 	}
 
+	@EnableWebSecurity
+	static class AuthorizationServerConfigurationWithIssuerPath extends AuthorizationServerConfiguration {
+
+		@Bean
+		AuthorizationServerSettings authorizationServerSettings() {
+			return AuthorizationServerSettings.builder().issuer(ISSUER_URL + "/issuer1").build();
+		}
+	}
+
 	@EnableWebSecurity
 	static class AuthorizationServerConfigurationWithIssuerQuery extends AuthorizationServerConfiguration {
 
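Review bot: `loadContextWhenIssuerWithPathThenThrowException` asserts only that `autowire()` throws something, so it passes on any context-startup failure (a missing bean, a typo in the fixture) and does not pin the new path check in `OAuth2AuthorizationServerConfigurer`; the same applies to `loadContextWhenIssuerWithEmptyPathThenThrowException` in the next hunk. Chaining `.hasRootCauseInstanceOf(IllegalArgumentException.class)` (or `.hasStackTraceContaining("is currently not supported")`) on the `assertThatThrownBy(...)` call would tie the failure to the validation being added. The existing query and fragment tests appear to use the same bare form, so this is a pre-existing pattern rather than a regression, but the new tests are the natural place to tighten it.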
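Review bot: `loadContextWhenIssuerWithEmptyPathThenThrowException` and its fixture `AuthorizationServerConfigurationWithIssuerEmptyPath` (last hunk of the diff) exercise an issuer ending in `"/"`, for which `URI.getPath()` is `"/"`, not empty — an actually empty path is the accepted case, so the names read as the opposite of what is tested. Renaming both to `...WithIssuerTrailingSlash...` would describe the method and the class accurately. Minor, but it keeps a future reader from "fixing" the fixture to use an empty string and silently losing the trailing-slash coverage.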
@@ -327,6 +350,15 @@ public class OidcProviderConfigurationTests {
 		}
 	}
 
+	@EnableWebSecurity
+	static class AuthorizationServerConfigurationWithIssuerEmptyPath extends AuthorizationServerConfiguration {
+
+		@Bean
+		AuthorizationServerSettings authorizationServerSettings() {
+			return AuthorizationServerSettings.builder().issuer(ISSUER_URL + "/").build();
+		}
+	}
+
 	@EnableWebSecurity
 	static class AuthorizationServerConfigurationWithIssuerEmptyQuery extends AuthorizationServerConfiguration {
 