Skip to content

Commit

Permalink
No longer allow desktop/mobile redirect URIs implicitly if RedirectUR…
Browse files Browse the repository at this point in the history 
…Is is set

Signed-off-by: Martin Heide <martin.heide@faro.com>
  • Loading branch information
@heidemn-faro
heidemn-faro committed Nov 2, 2020
1 parent c15e288 commit 162073b
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 7 deletions.
5 changes: 3 additions & 2 deletions server/oauth2.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -595,8 +595,9 @@ func validateRedirectURI(client storage.Client, redirectURI string) bool {
return true
}
}
// For non-public clients, only named RedirectURIs are allowed.
if !client.Public {
// For non-public clients or when RedirectURIs is set, we allow only explicitly named RedirectURIs.
// Otherwise, we check below for special URIs used for desktop or mobile apps.
if !client.Public || len(client.RedirectURIs) > 0 {
return false
}

Expand Down
51 changes: 46 additions & 5 deletions server/oauth2_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -395,45 +395,86 @@ func TestValidRedirectURI(t *testing.T) {
redirectURI: "http://foo.com/bar/baz",
wantValid: false,
},
// These special desktop + device + localhost URIs are allowed even when RedirectURIs is non-empty.
// These special desktop + device + localhost URIs are not allowed implicitly when RedirectURIs is non-empty.
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "urn:ietf:wg:oauth:2.0:oob",
wantValid: true,
wantValid: false,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "/device/callback",
wantValid: true,
wantValid: false,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://localhost:8080/",
wantValid: true,
wantValid: false,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://localhost:991/bar",
wantValid: true,
wantValid: false,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar"},
},
redirectURI: "http://localhost",
wantValid: false,
},
// These special desktop + device + localhost URIs can still be specified explicitly.
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "urn:ietf:wg:oauth:2.0:oob"},
},
redirectURI: "urn:ietf:wg:oauth:2.0:oob",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "/device/callback"},
},
redirectURI: "/device/callback",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost:8080/"},
},
redirectURI: "http://localhost:8080/",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost:991/bar"},
},
redirectURI: "http://localhost:991/bar",
wantValid: true,
},
{
client: storage.Client{
Public: true,
RedirectURIs: []string{"http://foo.com/bar", "http://localhost"},
},
redirectURI: "http://localhost",
wantValid: true,
},
// Non-localhost URIs are not allowed implicitly.
Expand Down

0 comments on commit 162073b

Please sign in to comment.