
OAuth2AuthorizationCodeGrantWebFilter should not restrict redirect-uri

See original GitHub issue

OAuth2AuthorizationCodeGrantWebFilter currently matches the Authorization Response using the pattern /{action}/oauth2/code/{registrationId}, which is too restrictive.

We should allow the client to configure the redirect-uri to be any URI within the application. The Authorization Response matching should follow the same logic found in OAuth2AuthorizationCodeGrantFilter.shouldProcessAuthorizationResponse().
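As an added illustration of the matching logic the issue asks for (this is example code written for this page, not Spring Security's own implementation, and every class, field and method name in it is an assumption): the filter should treat a request as an Authorization Response only when its state correlates with a pending authorization request, exactly one of code or error is present, and the request's scheme, host, port and path equal the redirect_uri recorded for that request. Nothing ties the redirect_uri to a /{action}/oauth2/code/{registrationId} pattern, so any URI within the application works.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not Spring Security's code: a dependency-free model of the
 * "process only a genuine Authorization Response aimed at the registered
 * redirect_uri" check. All names here are assumptions.
 */
public class AuthorizationResponseMatcher {

    /** Stand-in for the authorization request the client stored before
     *  redirecting the user-agent (assumed shape, not Spring's class). */
    public static final class PendingAuthorizationRequest {
        final String redirectUri; // absolute URI, e.g. http://localhost:8080/callback
        final String state;       // unguessable per-request value used to correlate the response
        public PendingAuthorizationRequest(String redirectUri, String state) {
            this.redirectUri = redirectUri;
            this.state = state;
        }
    }

    /** In-memory stand-in for the session-backed repository, keyed by state. */
    private final Map<String, PendingAuthorizationRequest> pending = new HashMap<>();

    public void save(PendingAuthorizationRequest request) {
        pending.put(request.state, request);
    }

    /**
     * True only if the incoming request URL should be handled as an OAuth 2.0
     * Authorization Response: state matches a pending request, exactly one of
     * code/error is present, and scheme://host[:port]/path equals the stored
     * redirect_uri (query string ignored).
     */
    public boolean shouldProcessAuthorizationResponse(String requestUrl) {
        URI uri = URI.create(requestUrl);
        Map<String, String> params = parseQuery(uri.getRawQuery());
        String state = params.get("state");
        if (!hasText(state)) {
            return false;                       // cannot correlate -> not for us
        }
        PendingAuthorizationRequest request = pending.get(state);
        if (request == null) {
            return false;                       // unknown, forged or already consumed state
        }
        boolean success = hasText(params.get("code"));
        boolean error = hasText(params.get("error"));
        if (success == error) {
            return false;                       // need exactly one of code / error
        }
        String requestBase = uri.getScheme() + "://" + uri.getRawAuthority() + uri.getRawPath();
        return requestBase.equals(request.redirectUri);
    }

    private static boolean hasText(String s) {
        return s != null && !s.trim().isEmpty();
    }

    /** Parses a raw query string, keeping the first value seen for each key. */
    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> params = new HashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return params;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.putIfAbsent(decode(key), decode(value));
        }
        return params;
    }

    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    public static void main(String[] args) {
        AuthorizationResponseMatcher matcher = new AuthorizationResponseMatcher();
        // Constructed sample: a client registered with redirectUriTemplate("/callback") on localhost:8080
        matcher.save(new PendingAuthorizationRequest("http://localhost:8080/callback", "s3cr3t-state"));
        String[] samples = {
            "http://localhost:8080/callback?code=abc&state=s3cr3t-state",            // true
            "http://localhost:8080/callback?error=access_denied&state=s3cr3t-state", // true
            "http://localhost:8080/callback?code=abc",                               // false: no state
            "http://localhost:8080/callback?code=abc&state=forged",                  // false: unknown state
            "http://localhost:8080/other?code=abc&state=s3cr3t-state",               // false: wrong path
            "http://evil.example:8080/callback?code=abc&state=s3cr3t-state",         // false: wrong host
            "http://localhost:8080/authorize/oauth2/code/registration-id?code=abc&state=s3cr3t-state" // false
        };
        for (String url : samples) {
            System.out.println(matcher.shouldProcessAuthorizationResponse(url) + "  " + url);
        }
    }
}
```

The last sample is the point of the issue: the old default path is matched only if it is the redirect_uri that was actually registered and sent in the authorization request, not because it fits a hard-coded pattern. Comparing against the stored authorization request also means a response with a state the client never issued is ignored rather than exchanged for tokens.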

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 10 (10 by maintainers)

Top GitHub Comments

1 reaction
jgrandja commented, Jul 8, 2019

@clementkng

If I create a new ClientRegistration.Builder method (i.e. ClientRegistration.Builder clientRegistration3()

It’s not necessary to create a new method. Just re-use what’s there like this

ClientRegistration registration = TestClientRegistrations.clientRegistration()
        .redirectUriTemplate("/callback")
        .build();
OAuth2AuthorizationExchange exchange = TestOAuth2AuthorizationExchanges.success();
OAuth2AuthorizationCodeAuthenticationToken authenticationToken =
        new OAuth2AuthorizationCodeAuthenticationToken(registration, exchange);

Yes, you will need to change get("/authorize/oauth2/code/registration-id") to get("/callback")

1 reaction
jgrandja commented, Jun 29, 2019

@clementkng I would recommend reviewing the Authorization Code Grant flow in the spec. The section Authorization Response is implemented by OAuth2AuthorizationCodeGrantFilter and OAuth2AuthorizationCodeGrantWebFilter.

After you review the spec and gain a solid understanding of the authorization_code grant flow, then I believe the code will be more clear.

How would a client be able to set the redirect-URI to be any in the application?

Go through these steps for oauth2Login() and you’ll see how to configure the redirect-uri for the client. The same steps apply for oauth2Client().authorizationGrant()
