Auth0EndSessionEndpoint mangles URLs #221
Comments
The method is designed to work on paths, not full URIs. Looking for usages, the only place it seems to be being incorrectly used is
Well, that is certainly not correct. I did not misuse the method; this is a bug entirely in the Micronaut code. I only found the erroneous output when debugging why my OAuth/Auth0 integration was not working as expected for logout. As described in your own OAuth Security Guide docs (https://micronaut-projects.github.io/micronaut-security/latest/guide/#oauth) I set the

The description in Table 1 of Section 11.3.1.2.1 says:

I'm using the Auth0 OAuth configuration with an EndSession handler. That results in the class

This is the method

The value of

As described in my original post, this results in

So, long story short, this is a serious bug in your code: the Auth0 EndSession handler is broken. Please fix it. I also suggest you take a closer look at all the other places this method is called and make sure they're not passing parameters that result in bad URLs as well. Thank you.
I never implied you misused the API; it is indeed a bug, and thanks for the report. I would encourage you to communicate with Open Source maintainers in a less passive-aggressive tone, however. Also, PRs welcome.
Hmm. When I clearly describe a problem, with an example, and point at the exact place where the bug exists, and you reply with:

That sure seems like you're telling me I'm wrong and there is no bug. If I misunderstood what you meant to say, I apologize for that. I would encourage you to communicate with bug reporters in less ambiguous language. Thank you.
I observed that the URL location returned from the Auth0 EndSession handler was malformed, which caused OAuth logout operations to not work properly. The URL I saw in the redirect response was:

https:/mydomain.com/v2/logout

Note the single slash after https.

After much digging into the Micronaut code, I determined that the URL being generated in `Auth0EndSessionEndpoint.getUrl()` was the source of the problem. The configured Auth0 issuer URL was correct: https://mydomain.com

A quick test showed that `StringUtils.prependUri()` was the culprit (in Groovy):

Yields:

https:/mydomain.com/v2/logout

Of course it should be:

https://mydomain.com/v2/logout

That's some broken code right there.

My IDE tells me that there are eight places where `StringUtils.prependUri` is called, including `DefaultHttpClient`, which is a bit worrying.

Environment Information
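To make the symptom concrete, here is an added example. It is my own illustration, not Micronaut's code and not the reporter's Groovy test (which is missing from this page). `naivePrepend` is a hypothetical joiner that reproduces the described behaviour by collapsing every run of slashes; `prependUriSafely` parses the base with `java.net.URI` first, so the `://` scheme separator is never touched and the path is appended with exactly one slash. The issuer URL and logout path are the values quoted in the issue; the `/tenant/` base in `main` is a constructed edge case. The broken form matters beyond cosmetics: a logout redirect that never reaches the identity provider leaves the IdP session alive after the application session is gone.

```java
import java.net.URI;

public final class UriJoinDemo {

    // Hypothetical joiner reproducing the symptom from the issue. It is NOT
    // Micronaut's StringUtils.prependUri; it treats both arguments as path
    // segments and collapses every run of slashes, which also eats the "//"
    // of the scheme separator whenever the base is an absolute URL.
    static String naivePrepend(String base, String path) {
        return (base + "/" + path).replaceAll("/+", "/");
    }

    // URI-aware join: parse the base so scheme and authority stay intact,
    // then append the path with exactly one slash between the two parts.
    static String prependUriSafely(String base, String path) {
        URI baseUri = URI.create(base);
        if (baseUri.getScheme() == null || baseUri.getHost() == null) {
            throw new IllegalArgumentException(
                "base must be an absolute URL with scheme and host: " + base);
        }
        String basePath = baseUri.getRawPath();
        if (basePath == null || basePath.isEmpty()) {
            basePath = "/";
        }
        if (!basePath.endsWith("/")) {
            basePath = basePath + "/";
        }
        String relative = path.startsWith("/") ? path.substring(1) : path;
        // resolve() rebuilds scheme://host[:port] from the parsed base and
        // replaces only the path component, so "https://" cannot be mangled.
        return baseUri.resolve(basePath + relative).toString();
    }

    public static void main(String[] args) {
        String issuer = "https://mydomain.com"; // issuer URL quoted in the issue
        String logoutPath = "/v2/logout";       // logout path quoted in the issue

        System.out.println("naive: " + naivePrepend(issuer, logoutPath));
        System.out.println("safe:  " + prependUriSafely(issuer, logoutPath));

        // Constructed edge case: base with a path prefix and trailing slash,
        // relative path without a leading slash.
        System.out.println("safe:  " + prependUriSafely("https://mydomain.com/tenant/", "v2/logout"));
    }
}
```

Run with `java UriJoinDemo.java` (Java 11 or later). The `naive` line prints the single-slash form reported above; both `safe` lines keep `https://` intact. A unit test asserting that every joined value still starts with the issuer's scheme and authority would catch this regression at each call site, including the other callers of `prependUri` the reporter points to.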