providers/oauth2: allow blank redirect_uris to allow any redirect_uri
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
		| @ -67,7 +67,7 @@ class TestAuthorize(OAuthTestCase): | ||||
|             ) | ||||
|             OAuthAuthorizationParams.from_request(request) | ||||
|  | ||||
|     def test_redirect_uri(self): | ||||
|     def test_invalid_redirect_uri(self): | ||||
|         """test missing/invalid redirect URI""" | ||||
|         OAuth2Provider.objects.create( | ||||
|             name="test", | ||||
| @ -91,6 +91,28 @@ class TestAuthorize(OAuthTestCase): | ||||
|             ) | ||||
|             OAuthAuthorizationParams.from_request(request) | ||||
|  | ||||
|     def test_empty_redirect_uri(self): | ||||
|         """test empty redirect URI (configure in provider)""" | ||||
|         OAuth2Provider.objects.create( | ||||
|             name="test", | ||||
|             client_id="test", | ||||
|             authorization_flow=Flow.objects.first(), | ||||
|         ) | ||||
|         with self.assertRaises(RedirectUriError): | ||||
|             request = self.factory.get( | ||||
|                 "/", data={"response_type": "code", "client_id": "test"} | ||||
|             ) | ||||
|             OAuthAuthorizationParams.from_request(request) | ||||
|         request = self.factory.get( | ||||
|             "/", | ||||
|             data={ | ||||
|                 "response_type": "code", | ||||
|                 "client_id": "test", | ||||
|                 "redirect_uri": "http://localhost", | ||||
|             }, | ||||
|         ) | ||||
|         OAuthAuthorizationParams.from_request(request) | ||||
|  | ||||
|     def test_response_type(self): | ||||
|         """test response_type""" | ||||
|         OAuth2Provider.objects.create( | ||||
|  | ||||
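Review bot: The happy-path half of `test_empty_redirect_uri` pins less than the commit intends, because the only redirect_uri tried is `http://localhost` and the assertion is merely that `from_request` does not raise. Since the new rule is that a provider with no redirect_uris accepts any redirect_uri, a second request with an unrelated, obviously constructed host (e.g. `https://example.invalid/callback`) would show that nothing about localhost is special, and the emitted "allowing all" warning could be asserted with whatever log-capture helper the test base class provides, if any. Keeping `self.factory.get(...)` outside the `with self.assertRaises(RedirectUriError):` block would also guarantee the expected error comes from `from_request` rather than from request construction, although the surrounding tests use the same layout. The docstring `"""test empty redirect URI (configure in provider)"""` reads better as `"""test empty redirect URI (none configured on the provider)"""`.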
| @ -156,20 +156,23 @@ class OAuthAuthorizationParams: | ||||
|  | ||||
|     def check_redirect_uri(self): | ||||
|         """Redirect URI validation.""" | ||||
|         allowed_redirect_urls = self.provider.redirect_uris.split() | ||||
|         if not self.redirect_uri: | ||||
|             LOGGER.warning("Missing redirect uri.") | ||||
|             raise RedirectUriError("", self.provider.redirect_uris.split()) | ||||
|         if self.redirect_uri.lower() not in [ | ||||
|             x.lower() for x in self.provider.redirect_uris.split() | ||||
|         ]: | ||||
|             raise RedirectUriError("", allowed_redirect_urls) | ||||
|         if len(allowed_redirect_urls) < 1: | ||||
|             LOGGER.warning( | ||||
|                 "Provider has no allowed redirect_uri set, allowing all.", | ||||
|                 allow=self.redirect_uri.lower(), | ||||
|             ) | ||||
|             return | ||||
|         if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]: | ||||
|             LOGGER.warning( | ||||
|                 "Invalid redirect uri", | ||||
|                 redirect_uri=self.redirect_uri, | ||||
|                 excepted=self.provider.redirect_uris.split(), | ||||
|             ) | ||||
|             raise RedirectUriError( | ||||
|                 self.redirect_uri, self.provider.redirect_uris.split() | ||||
|                 excepted=allowed_redirect_urls, | ||||
|             ) | ||||
|             raise RedirectUriError(self.redirect_uri, allowed_redirect_urls) | ||||
|         if self.request: | ||||
|             raise AuthorizeError( | ||||
|                 self.redirect_uri, "request_not_supported", self.grant_type, self.state | ||||
|  | ||||
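Review bot: The early `return` in the new allow-all branch skips the `if self.request:` check that follows it, so a provider with no redirect_uris configured now silently accepts the `request` parameter that every other provider rejects with `request_not_supported`; `check_redirect_uri` continues past the end of the hunk. Dropping the `return` and turning the membership test into `elif self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]:` keeps the later checks on the allow-all path. Because this branch lets the authorization response go to whatever URI the client supplies, the docstring should state it, e.g. `"""Redirect URI validation. A provider with no redirect_uris configured accepts any redirect_uri (logged at warning level)."""`, so the permissive behaviour is visible to the next reader and not only in the log. The log field `excepted=` on the "Invalid redirect uri" line looks like a typo for `expected=`; it is a structured-log key, so rename it only if nothing downstream parses it.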
							
								
								
									
								web/package-lock.json
									
									
									
								web/package-lock.json
									
									
									
							| @ -61,12 +61,13 @@ | ||||
|                 "typescript": "^4.3.5", | ||||
|                 "webcomponent-qr-code": "^1.0.5", | ||||
|                 "yaml": "^1.10.2" | ||||
|             } | ||||
|             }, | ||||
|             "devDependencies": {} | ||||
|         }, | ||||
|         "api": { | ||||
|             "name": "authentik-api", | ||||
|             "version": "0.0.1", | ||||
|             "dependencies": { | ||||
|             "version": "1.0.0", | ||||
|             "devDependencies": { | ||||
|                 "typescript": "^3.6" | ||||
|             } | ||||
|         }, | ||||
| @ -74,6 +75,7 @@ | ||||
|             "version": "3.9.9", | ||||
|             "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.9.tgz", | ||||
|             "integrity": "sha512-kdMjTiekY+z/ubJCATUPlRDl39vXYiMV9iyeMuEuXZh2we6zz80uovNN2WlAxmmdE/Z/YQe+EbOEXB5RHEED3w==", | ||||
|             "dev": true, | ||||
|             "bin": { | ||||
|                 "tsc": "bin/tsc", | ||||
|                 "tsserver": "bin/tsserver" | ||||
| @ -9305,6 +9307,7 @@ | ||||
|                 "@babel/types": "^7.11.5", | ||||
|                 "@lingui/babel-plugin-extract-messages": "^3.10.2", | ||||
|                 "@lingui/conf": "^3.10.2", | ||||
|                 "babel-plugin-macros": "^3.0.1", | ||||
|                 "bcp-47": "^1.0.7", | ||||
|                 "chalk": "^4.1.0", | ||||
|                 "chokidar": "3.5.1", | ||||
| @ -10204,7 +10207,8 @@ | ||||
|                 "typescript": { | ||||
|                     "version": "3.9.9", | ||||
|                     "resolved": "https://registry.npmjs.org/typescript/-/typescript-3.9.9.tgz", | ||||
|                     "integrity": "sha512-kdMjTiekY+z/ubJCATUPlRDl39vXYiMV9iyeMuEuXZh2we6zz80uovNN2WlAxmmdE/Z/YQe+EbOEXB5RHEED3w==" | ||||
|                     "integrity": "sha512-kdMjTiekY+z/ubJCATUPlRDl39vXYiMV9iyeMuEuXZh2we6zz80uovNN2WlAxmmdE/Z/YQe+EbOEXB5RHEED3w==", | ||||
|                     "dev": true | ||||
|                 } | ||||
|             } | ||||
|         }, | ||||
|  | ||||
| @ -1832,6 +1832,10 @@ msgstr "If enabled, use the local connection. Required Docker socket/Kubernetes | ||||
| msgid "If left empty, authentik will try to extract the launch URL based on the selected provider." | ||||
| msgstr "If left empty, authentik will try to extract the launch URL based on the selected provider." | ||||
|  | ||||
| #: src/pages/providers/oauth2/OAuth2ProviderForm.ts | ||||
| msgid "If no explicit redirect URIs are specified, any redirect URI is allowed." | ||||
| msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed." | ||||
|  | ||||
| #: src/pages/tenants/TenantForm.ts | ||||
| msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown." | ||||
| msgstr "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown." | ||||
|  | ||||
										
											
							| @ -117,6 +117,9 @@ export class OAuth2ProviderFormPage extends ModelForm<OAuth2Provider, number> { | ||||
|                         <p class="pf-c-form__helper-text"> | ||||
|                             ${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`} | ||||
|                         </p> | ||||
|                         <p class="pf-c-form__helper-text"> | ||||
|                             ${t`If no explicit redirect URIs are specified, any redirect URI is allowed.`} | ||||
|                         </p> | ||||
|                     </ak-form-element-horizontal> | ||||
|                 </div> | ||||
|             </ak-form-group> | ||||
|  | ||||
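Review bot: The new helper text states the permissive rule but not what it means for the operator, who is the only person in a position to act on it. Wording such as `If no explicit redirect URIs are specified, any redirect URI is allowed. Configure at least one URI for clients used in production.` tells them why the field matters; the matching msgid/msgstr entry in the locale file would need the same change. The `OAuth2ProviderFormPage` render method starts and ends outside the hunk.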
					Jens Langhammer