From ba29b363fc67532ef569f0daa45bdf530f48b9a2 Mon Sep 17 00:00:00 2001
From: "mhyeon.lee"
Date: Mon, 23 Jul 2018 10:47:23 +0900
Subject: [PATCH] Fix OAuth2AuthorizationRequestRedirectWebFilter baseurl exclude querystring

To create redirect_uri in OAuth2AuthorizationRequestRedirectWebFilter, queryParam is included in the current request-based baseUrl. So when binding to the redirectUriTemplate, the wrong type of redirect_uri may be created.

Fixed: gh-5520
---
 ...AuthorizationRequestRedirectWebFilter.java | 1 +
 ...rizationRequestRedirectWebFilterTests.java | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java
index b350d5ed58..ae89c61498 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java
@@ -199,6 +199,7 @@ public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
 		String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request))
 				.replacePath(request.getPath().contextPath().value())
+				.replaceQuery(null)
 				.build()
 				.toUriString();
 		uriVariables.put("baseUrl", baseUrl);
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java
index ce839c6810..b2ff790cbe 100644
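Review bot: The new `.replaceQuery(null)` line carries no comment saying why the caller's query string must be kept out of baseUrl, so a later reader of the builder chain may not see the constraint it enforces; I would annotate it with `// gh-5520: the incoming request's query string must not become part of redirect_uri, which has to match the URI registered at the provider`. Separately, `UriComponentsBuilder.fromHttpRequest` derives scheme, host and port from Forwarded / X-Forwarded-* headers, so baseUrl and hence redirect_uri reflect whatever those headers carry; that behaviour predates this commit, but a one-line note that those headers are expected to be set or stripped by a trusted reverse proxy would document the assumption the computed redirect_uri rests on. The enclosing method starts and ends outside the hunk.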
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java
@@ -135,6 +135,26 @@ public class OAuth2AuthorizationRequestRedirectWebFilterTests {
 		verify(this.authzRequestRepository).saveAuthorizationRequest(any(), any());
 	}
+	// gh-5520
+	@Test
+	public void filterWhenDoesMatchThenResolveRedirectUriExpandedExcludesQueryString() {
+		FluxExchangeResult result = this.client.get()
+				.uri("https://example.com/oauth2/authorization/github?foo=bar").exchange()
+				.expectStatus().is3xxRedirection().returnResult(String.class);
+		result.assertWithDiagnostics(() -> {
+			URI location = result.getResponseHeaders().getLocation();
+			assertThat(location)
+				.hasScheme("https")
+				.hasHost("github.com")
+				.hasPath("/login/oauth/authorize")
+				.hasParameter("response_type", "code")
+				.hasParameter("client_id", "clientId")
+				.hasParameter("scope", "read:user")
+				.hasParameter("state")
+				.hasParameter("redirect_uri", "https://example.com/login/oauth2/code/github");
+		});
+	}
+
 	@Test
 	public void filterWhenExceptionThenRedirected() {
 		FilteringWebHandler webHandler = new FilteringWebHandler(e -> Mono.error(new ClientAuthorizationRequiredException(this.github.getRegistrationId())), Arrays.asList(this.filter));
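Review bot: `FluxExchangeResult result` in the new test is declared as a raw type even though `returnResult(String.class)` already yields a `FluxExchangeResult<String>`; the declaration should read `FluxExchangeResult<String> result = this.client.get()` so the test compiles without a raw-type warning and matches the parameterised form the sibling tests presumably use. Pinning the exact `redirect_uri` value is the right way to lock gh-5520 in; a second request whose query carries an encoded delimiter (for example `?foo=a%26b`) would additionally catch a regression where the query is only partially stripped. The added test method is complete within the hunk.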