fix(jans-auth-server): perform redirect_uri validation if FAPI flag i…

…s true #2500 (#2502) docs: no docs #2500
JanssenProject · Sep 30, 2022 · e02559c · e02559c
1 parent 57d92bd
commit e02559c
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 36 deletions.
diff --git a/...ver/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java b/...ver/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java
@@ -9,6 +9,8 @@
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.model.session.SessionId;
+import io.jans.as.common.model.session.SessionIdState;
 import io.jans.as.common.util.RedirectUri;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
 import io.jans.as.model.common.Prompt;
@@ -21,39 +23,29 @@
 import io.jans.as.server.model.authorize.AuthorizeParamsValidator;
 import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
 import io.jans.as.server.model.common.DeviceAuthorizationCacheControl;
-import io.jans.as.common.model.session.SessionId;
-import io.jans.as.common.model.session.SessionIdState;
 import io.jans.as.server.model.exception.AcrChangedException;
 import io.jans.as.server.model.exception.InvalidRedirectUrlException;
 import io.jans.as.server.security.Identity;
-import io.jans.as.server.service.ClientService;
-import io.jans.as.server.service.DeviceAuthorizationService;
-import io.jans.as.server.service.RedirectUriResponse;
-import io.jans.as.server.service.RedirectionUriService;
-import io.jans.as.server.service.SessionIdService;
+import io.jans.as.server.service.*;
 import io.jans.as.server.service.external.session.SessionEvent;
 import io.jans.as.server.service.external.session.SessionEventType;
 import io.jans.as.server.util.RedirectUtil;
 import io.jans.as.server.util.ServerUtil;
 import io.jans.orm.exception.EntryPersistenceException;
-import org.apache.commons.lang.BooleanUtils;
-import org.apache.commons.lang.StringUtils;
-import org.jetbrains.annotations.NotNull;
-import org.jetbrains.annotations.Nullable;
-import org.slf4j.Logger;
-
 import jakarta.ejb.Stateless;
 import jakarta.inject.Inject;
 import jakarta.inject.Named;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
-import java.util.Calendar;
-import java.util.Date;
-import java.util.GregorianCalendar;
-import java.util.List;
-import java.util.TimeZone;
+import org.apache.commons.lang.BooleanUtils;
+import org.apache.commons.lang.StringUtils;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.slf4j.Logger;
+
+import java.util.*;
 
 import static io.jans.as.model.ciba.BackchannelAuthenticationErrorResponseType.INVALID_REQUEST;
 import static io.jans.as.model.crypto.signature.SignatureAlgorithm.NONE;
@@ -353,8 +345,11 @@ public String validateRedirectUri(@NotNull Client client, @Nullable String redir
 
     public String validateRedirectUri(@NotNull Client client, @Nullable String redirectUri, @Nullable String state,
                                       @Nullable String deviceAuthzUserCode, @Nullable HttpServletRequest httpRequest, @NotNull AuthorizeErrorResponseType error) {
-        if (appConfiguration.isFapi()) {
-            return redirectUri; // FAPI validator will check it in the request object.
+        if (appConfiguration.isFapi() && StringUtils.isNotBlank(redirectUri) && StringUtils.isBlank(redirectionUriService.validateRedirectionUri(client, redirectUri))) {
+            throw new WebApplicationException(Response
+                    .status(Response.Status.BAD_REQUEST)
+                    .entity(errorResponseFactory.getErrorAsJson(error, state, ""))
+                    .build());
         }
 
         if (StringUtils.isNotBlank(deviceAuthzUserCode)) {

diff --git a/...th-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequestService.java b/...th-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequestService.java
@@ -4,8 +4,8 @@
 import com.google.common.collect.Sets;
 import io.jans.as.common.model.common.User;
 import io.jans.as.common.model.registration.Client;
-import io.jans.as.common.util.RedirectUri;
 import io.jans.as.common.util.CommonUtils;
+import io.jans.as.common.util.RedirectUri;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
 import io.jans.as.model.common.Prompt;
 import io.jans.as.model.common.ResponseMode;
@@ -35,10 +35,7 @@
 import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
 import io.jans.as.server.model.authorize.ScopeChecker;
 import io.jans.as.server.par.ws.rs.ParService;
-import io.jans.as.server.service.ClientService;
-import io.jans.as.server.service.RedirectUriResponse;
-import io.jans.as.server.service.RequestParameterService;
-import io.jans.as.server.service.ServerCryptoProvider;
+import io.jans.as.server.service.*;
 import io.jans.as.server.util.ServerUtil;
 import jakarta.ejb.Stateless;
 import jakarta.inject.Inject;
@@ -101,6 +98,9 @@ public class AuthzRequestService {
     @Inject
     private ClientService clientService;
 
+    @Inject
+    private RedirectionUriService redirectionUriService;
+
     public boolean processPar(AuthzRequest authzRequest) {
         boolean isPar = Util.isPar(authzRequest.getRequestUri());
         if (!isPar && isTrue(appConfiguration.getRequirePar())) {
@@ -181,6 +181,17 @@ public void processRequestObject(AuthzRequest authzRequest, Client client, Set<S
                 }
 
                 if (jwtRequest.getRedirectUri() != null) {
+                    if (!jwtRequest.getRedirectUri().equals(authzRequest.getRedirectUri())) {
+                        log.error("The redirect_uri parameter in url is not the same as in the JWT");
+                        throw authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "The redirect_uri parameter in url is not the same as in the JWT");
+                    }
+                    if (StringUtils.isBlank(redirectionUriService.validateRedirectionUri(client, jwtRequest.getRedirectUri()))) {
+                        log.error("redirect_uri in request object is not valid.");
+                        throw new WebApplicationException(Response
+                                .status(Response.Status.BAD_REQUEST)
+                                .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, authzRequest.getState(), ""))
+                                .build());
+                    }
                     redirectUriResponse.getRedirectUri().setBaseRedirectUri(jwtRequest.getRedirectUri());
                 }
 
@@ -201,9 +212,6 @@ public void processRequestObject(AuthzRequest authzRequest, Client client, Set<S
                     scopes.clear();
                     scopes.addAll(scopeChecker.checkScopesPolicy(client, Lists.newArrayList(jwtRequest.getScopes())));
                 }
-                if (jwtRequest.getRedirectUri() != null && !jwtRequest.getRedirectUri().equals(authzRequest.getRedirectUri())) {
-                    throw authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "The redirect_uri parameter is not the same in the JWT");
-                }
                 if (StringUtils.isNotBlank(jwtRequest.getNonce())) {
                     authzRequest.setNonce(jwtRequest.getNonce());
                 }

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/RedirectionUriService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/RedirectionUriService.java
@@ -16,6 +16,7 @@
 import io.jans.as.model.util.QueryStringDecoder;
 import io.jans.as.model.util.Util;
 import io.jans.as.common.model.session.SessionId;
+import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
 import org.jetbrains.annotations.NotNull;
 import org.json.JSONArray;
@@ -63,7 +64,7 @@ public String validateRedirectionUri(String clientIdentifier, String redirection
         return validateRedirectionUri(client, redirectionUri);
     }
 
-    public List<String> getSectorRedirectUris(String sectorIdentiferUri) throws Exception {
+    public List<String> getSectorRedirectUris(String sectorIdentiferUri) {
         List<String> result = Lists.newArrayList();
         if (StringUtils.isBlank(sectorIdentiferUri)) {
             return result;
@@ -108,32 +109,36 @@ public String validateRedirectionUri(@NotNull Client client, String redirectionU
             }
 
             if (StringUtils.isBlank(redirectionUri) && redirectUris != null && redirectUris.length == 1) {
+                log.trace("First redirect_uri is returned.");
                 return redirectUris[0];
             }
 
             if (StringUtils.isNotBlank(redirectionUri)) {
                 if (redirectUris != null) {
-                    log.debug("Validating redirection URI: clientIdentifier = {}, redirectionUri = {}, found = {}",
+                    log.trace("Validating redirection URI: clientIdentifier = {}, redirectionUri = {}, found = {}",
                             client.getClientId(), redirectionUri, redirectUris.length);
                     if (isUriEqual(redirectionUri, redirectUris)) {
+                        log.trace("Redirect URI 'equals' found, clientId = {}, redirectionUri = {}", client.getClientId(), redirectionUri);
+
                         return redirectionUri;
                     } else {
-                        log.debug("RedirectionUri didn't match with any of the client redirect uris, clientId = {}, redirectionUri = {}", client.getClientId(), redirectionUri);
+                        log.trace("RedirectionUri didn't match with any of the client redirect uris, clientId = {}, redirectionUri = {}", client.getClientId(), redirectionUri);
                     }
                 }
 
-                if (appConfiguration.getRedirectUrisRegexEnabled()) {
+                if (BooleanUtils.isTrue(appConfiguration.getRedirectUrisRegexEnabled())) {
                     if (redirectionUri.matches(client.getAttributes().getRedirectUrisRegex())) {
+                        log.trace("RedirectionUri is allowed by regexp, clientId = {}, redirectionUri = {}, regexp = {}", client.getClientId(), redirectionUri, client.getAttributes().getRedirectUrisRegex());
                         return redirectionUri;
                     } else {
-                        log.debug("RedirectionUri didn't match with client regular expression, clientId = {}, redirectionUri = {}", client.getClientId(), redirectionUri);
+                        log.trace("RedirectionUri didn't match with client regular expression, clientId = {}, redirectionUri = {}", client.getClientId(), redirectionUri);
                     }
                 }
             } else {
                 log.warn("RedirectionUri is blank, clientId = {}", client.getClientId());
             }
         } catch (Exception e) {
-            log.error("Problems validating redirection uri, clientId = {}, redirectionUri = {}", client.getClientId(), redirectionUri);
+            log.error(String.format("Problems validating redirection uri, clientId = %s, redirectionUri = %s", client.getClientId(), redirectionUri), e);
             return null;
         }
         return null;
@@ -208,7 +213,7 @@ public String validatePostLogoutRedirectUri(SessionId sessionId, String postLogo
     }
 
     public String validatePostLogoutRedirectUri(String postLogoutRedirectUri, String[] allowedPostLogoutRedirectUris) {
-        if (appConfiguration.getAllowPostLogoutRedirectWithoutValidation()) {
+        if (BooleanUtils.isTrue(appConfiguration.getAllowPostLogoutRedirectWithoutValidation())) {
             return postLogoutRedirectUri;
         }
 
@@ -226,7 +231,7 @@ public String validatePostLogoutRedirectUri(String postLogoutRedirectUri, String
     }
 
     public static Map<String, String> getParams(String uri) {
-        Map<String, String> params = new HashMap<String, String>();
+        Map<String, String> params = new HashMap<>();
 
         if (uri != null) {
             int paramsIndex = uri.indexOf("?");