From c3f86d11f86594b6dcff83cfa49bd10e574db8b3 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Mon, 6 Nov 2023 13:35:56 -0500
Subject: [PATCH] Issuer should not support path component
Closes gh-1435
---
 .../OAuth2AuthorizationServerConfigurer.java | 6 +++-
 .../OidcProviderConfigurationTests.java | 32 +++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
index 1468a351..f7389483 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -48,6 +48,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
 * An {@link AbstractHttpConfigurer} for OAuth 2.0 Authorization Server support.
@@ -331,6 +332,9 @@ public final class OAuth2AuthorizationServerConfigurer
 } catch (Exception ex) {
 throw new IllegalArgumentException("issuer must be a valid URL", ex);
 }
+ if (StringUtils.hasText(issuerUri.getPath())) {
+ throw new IllegalArgumentException("Path component for issuer ('" + issuerUri.getPath() + "') is currently not supported");
+ }
 // rfc8414 https://datatracker.ietf.org/doc/html/rfc8414#section-2
 if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
 throw new IllegalArgumentException("issuer cannot contain query or fragment component");
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
index 21cf9898..15810ed0 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
@@ -161,6 +161,13 @@ public class OidcProviderConfigurationTests {
 );
 }
 
+ @Test
+ public void loadContextWhenIssuerWithPathThenThrowException() {
+ assertThatThrownBy(
+ () -> this.spring.register(AuthorizationServerConfigurationWithIssuerPath.class).autowire()
+ );
+ }
+
 @Test
 public void loadContextWhenIssuerWithQueryThenThrowException() {
 assertThatThrownBy(
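Review bot: The new exception message breaks the casing and wording of its neighbours in the same validation — `issuer must be a valid URL` and `issuer cannot contain query or fragment component` are lowercase and lead with the field name, while the added one starts with a capital and is the only one that quotes the value back; `throw new IllegalArgumentException("issuer cannot contain path component ('" + issuerUri.getPath() + "')");` keeps the pattern. Since the message says "currently not supported", a short comment stating the reason would spare the next reader a trip to the tracker, e.g. `// path component is rejected for now, see gh-1435; RFC 8414 permits it, so this may be relaxed later`, mirroring the existing `// rfc8414` comment on the query/fragment check. Assuming `issuerUri` is a `java.net.URI` or `URL`, `StringUtils.hasText` is equivalent to a non-empty check here, since a hierarchical URI with an authority has either an empty path or one starting with `/`; the tests for `/issuer1` and a bare `/` exercise both rejected shapes. The enclosing method starts and ends outside the hunk.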
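Review bot: `assertThatThrownBy(...)` in the added `loadContextWhenIssuerWithPathThenThrowException` accepts any throwable, so the test also passes if the context fails for an unrelated reason and does not demonstrate that the new path check is what fired; chaining `.hasRootCauseInstanceOf(IllegalArgumentException.class).hasRootCauseMessage("Path component for issuer ('/issuer1') is currently not supported")` would pin it, assuming `ISSUER_URL` carries no path of its own and the `IllegalArgumentException` is the root cause of the context-refresh failure. The same applies to `loadContextWhenIssuerWithEmptyPathThenThrowException` in the next hunk, where the expected path is `/`. The existing query and fragment tests use the same loose pattern, so this follows precedent, but these two tests are the only coverage of the new check. The enclosing test class continues outside the hunk.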
@@ -182,6 +189,13 @@ public class OidcProviderConfigurationTests {
 );
 }
 
+ @Test
+ public void loadContextWhenIssuerWithEmptyPathThenThrowException() {
+ assertThatThrownBy(
+ () -> this.spring.register(AuthorizationServerConfigurationWithIssuerEmptyPath.class).autowire()
+ );
+ }
+
 @Test
 public void loadContextWhenIssuerWithEmptyQueryThenThrowException() {
 assertThatThrownBy(
@@ -299,6 +313,15 @@ public class OidcProviderConfigurationTests {
 }
 }
 
+ @EnableWebSecurity
+ static class AuthorizationServerConfigurationWithIssuerPath extends AuthorizationServerConfiguration {
+
+ @Bean
+ AuthorizationServerSettings authorizationServerSettings() {
+ return AuthorizationServerSettings.builder().issuer(ISSUER_URL + "/issuer1").build();
+ }
+ }
+
 @EnableWebSecurity
 static class AuthorizationServerConfigurationWithIssuerQuery extends AuthorizationServerConfiguration {
 
@@ -326,6 +349,15 @@ public class OidcProviderConfigurationTests {
 }
 }
 
+ @EnableWebSecurity
+ static class AuthorizationServerConfigurationWithIssuerEmptyPath extends AuthorizationServerConfiguration {
+
+ @Bean
+ AuthorizationServerSettings authorizationServerSettings() {
+ return AuthorizationServerSettings.builder().issuer(ISSUER_URL + "/").build();
+ }
+ }
+
 @EnableWebSecurity
 static class AuthorizationServerConfigurationWithIssuerEmptyQuery extends AuthorizationServerConfiguration {