-
-
Notifications
You must be signed in to change notification settings - Fork 356
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: make redirect URL checking more strict
The OAuth 2.0 Client's Redirect URL and the Redirect URL used in the OAuth 2.0 flow do not check if the query string is equal: 1. Registering a client with allowed redirect URL `https://example.com/callback` 2. Performing OAuth2 flow and requesting redirect URL `https://example.com/callback?bar=foo` 3. Instead of an error, the browser is redirected to `https://example.com/callback?bar=foo` with a potentially successful OAuth2 response. Additionally, matching Redirect URLs used `strings.ToLower` normalization: 1. Registering a client with allowed redirect URL `https://example.com/callback` 2. Performing OAuth2 flow and requesting redirect URL `https://example.com/CALLBACK` 3. Instead of an error, the browser is redirected to `https://example.com/CALLBACK ` with a potentially successful OAuth2 response. This patch addresses all of these issues and adds regression tests to keep the implementation secure in future releases.
- Loading branch information
Showing
3 changed files
with
61 additions
and
27 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters