Issuer should not support path component

Closes gh-1435
2 years ago · c3f86d11f8
2 changed files with 37 additions and 1 deletions
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -48,6 +48,7 @@ import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 /**
 * An {@link AbstractHttpConfigurer} for OAuth 2.0 Authorization Server support.
@ -331,6 +332,9 @@ public final class OAuth2AuthorizationServerConfigurer
 			} catch (Exception ex) {
 				throw new IllegalArgumentException("issuer must be a valid URL", ex);
 			}
 			if (StringUtils.hasText(issuerUri.getPath())) {
 				throw new IllegalArgumentException("Path component for issuer ('" + issuerUri.getPath() + "') is currently not supported");
 			}
 			// rfc8414 https://datatracker.ietf.org/doc/html/rfc8414#section-2
 			if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
 				throw new IllegalArgumentException("issuer cannot contain query or fragment component");
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
@ -161,6 +161,13 @@ public class OidcProviderConfigurationTests {
 		);
 	}
 	@Test
 	public void loadContextWhenIssuerWithPathThenThrowException() {
 		assertThatThrownBy(
 				() -> this.spring.register(AuthorizationServerConfigurationWithIssuerPath.class).autowire()
 		);
 	}
 	@Test
 	public void loadContextWhenIssuerWithQueryThenThrowException() {
 		assertThatThrownBy(
@ -182,6 +189,13 @@ public class OidcProviderConfigurationTests {
 		);
 	}
 	@Test
 	public void loadContextWhenIssuerWithEmptyPathThenThrowException() {
 		assertThatThrownBy(
 				() -> this.spring.register(AuthorizationServerConfigurationWithIssuerEmptyPath.class).autowire()
 		);
 	}
 	@Test
 	public void loadContextWhenIssuerWithEmptyQueryThenThrowException() {
 		assertThatThrownBy(
@ -299,6 +313,15 @@ public class OidcProviderConfigurationTests {
 		}
 	}
 	@EnableWebSecurity
 	static class AuthorizationServerConfigurationWithIssuerPath extends AuthorizationServerConfiguration {
 		@Bean
 		AuthorizationServerSettings authorizationServerSettings() {
 			return AuthorizationServerSettings.builder().issuer(ISSUER_URL + "/issuer1").build();
 		}
 	}
 	@EnableWebSecurity
 	static class AuthorizationServerConfigurationWithIssuerQuery extends AuthorizationServerConfiguration {
@ -326,6 +349,15 @@ public class OidcProviderConfigurationTests {
 		}
 	}
 	@EnableWebSecurity
 	static class AuthorizationServerConfigurationWithIssuerEmptyPath extends AuthorizationServerConfiguration {
 		@Bean
 		AuthorizationServerSettings authorizationServerSettings() {
 			return AuthorizationServerSettings.builder().issuer(ISSUER_URL + "/").build();
 		}
 	}
 	@EnableWebSecurity
 	static class AuthorizationServerConfigurationWithIssuerEmptyQuery extends AuthorizationServerConfiguration {