Inicio Explorar Ayuda
Registro Iniciar sesión
github
/
spring-authorization-server
espejo de https://github.com/spring-projects/spring-authorization-server
2
0
Fork 0
Archivos Incidencias 0 Wiki
Explorar el Código

Merge branch '0.4.x'

Closes gh-1074
Joe Grandja hace 2 años
padre
32022c120c 30927ad5e7
commit
56918b9b48
Se han modificado 3 ficheros con 26 adiciones y 20 borrados
Dividir vista Mostrar estadísticas de diff
  1. 10 15
      oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
  2. 9 3
      oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
  3. 7 2
      oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java

+ 10 - 15
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
Ver fichero 

@@ -1,5 +1,5 @@
 
 /*
 
- * Copyright 2020-2022 the original author or authors.
 
+ * Copyright 2020-2023 the original author or authors.
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
@@ -18,9 +18,7 @@ package org.springframework.security.oauth2.server.authorization.web;
 
 import java.io.IOException;
 
 import java.nio.charset.StandardCharsets;
 
 import java.util.Arrays;
 
-import java.util.HashMap;
 
 import java.util.HashSet;
 
-import java.util.Map;
 
 import java.util.Set;
 
 
 import jakarta.servlet.FilterChain;
 
@@ -67,6 +65,7 @@ import org.springframework.util.Assert;
 
 import org.springframework.util.StringUtils;
 
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import org.springframework.web.util.UriComponentsBuilder;
 
+import org.springframework.web.util.UriUtils;
 
 
 /**
 
  * A {@code Filter} for the OAuth 2.0 Authorization Code Grant,
 
@@ -301,13 +300,11 @@ public final class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilte
 
 				.queryParam(OAuth2ParameterNames.CODE, authorizationCodeRequestAuthentication.getAuthorizationCode().getTokenValue());
 
 		String redirectUri;
 
 		if (StringUtils.hasText(authorizationCodeRequestAuthentication.getState())) {
 
-			uriBuilder.queryParam(OAuth2ParameterNames.STATE, "{state}");
 
-			Map<String, String> queryParams = new HashMap<>();
 
-			queryParams.put(OAuth2ParameterNames.STATE, authorizationCodeRequestAuthentication.getState());
 
-			redirectUri = uriBuilder.build(queryParams).toString();
 
-		} else {
 
-			redirectUri = uriBuilder.toUriString();
 
+			uriBuilder.queryParam(
 
+					OAuth2ParameterNames.STATE,
 
+					UriUtils.encode(authorizationCodeRequestAuthentication.getState(), StandardCharsets.UTF_8));
 
 		}
 
+		redirectUri = uriBuilder.build(true).toUriString();		// build(true) -> Components are explicitly encoded
 
 		this.redirectStrategy.sendRedirect(request, response, redirectUri);
 
 	}
 
 
@@ -341,13 +338,11 @@ public final class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilte
 
 		}
 
 		String redirectUri;
 
 		if (StringUtils.hasText(authorizationCodeRequestAuthentication.getState())) {
 
-			uriBuilder.queryParam(OAuth2ParameterNames.STATE, "{state}");
 
-			Map<String, String> queryParams = new HashMap<>();
 
-			queryParams.put(OAuth2ParameterNames.STATE, authorizationCodeRequestAuthentication.getState());
 
-			redirectUri = uriBuilder.build(queryParams).toString();
 
-		} else {
 
-			redirectUri = uriBuilder.toUriString();
 
+			uriBuilder.queryParam(
 
+					OAuth2ParameterNames.STATE,
 
+					UriUtils.encode(authorizationCodeRequestAuthentication.getState(), StandardCharsets.UTF_8));
 
 		}
 
+		redirectUri = uriBuilder.build(true).toUriString();		// build(true) -> Components are explicitly encoded
 
 		this.redirectStrategy.sendRedirect(request, response, redirectUri);
 
 	}

+ 9 - 3
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
Ver fichero 

@@ -287,7 +287,12 @@ public class OAuth2AuthorizationCodeGrantTests {
 
 	}
 
 
 	private void assertAuthorizationRequestRedirectsToClient(String authorizationEndpointUri) throws Exception {
 
-		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
 
+				.redirectUris(redirectUris -> {
 
+					redirectUris.clear();
 
+					redirectUris.add("https://example.com/callback-1?param=encoded%20parameter%20value");	// gh-1011
 
+				})
 
+				.build();
 
 		this.registeredClientRepository.save(registeredClient);
 
 
 		MultiValueMap<String, String> authorizationRequestParameters = getAuthorizationRequestParameters(registeredClient);
 
@@ -297,8 +302,9 @@ public class OAuth2AuthorizationCodeGrantTests {
 
 				.andExpect(status().is3xxRedirection())
 
 				.andReturn();
 
 		String redirectedUrl = mvcResult.getResponse().getRedirectedUrl();
 
-		String expectedRedirectUri = authorizationRequestParameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
 
-		assertThat(redirectedUrl).matches(expectedRedirectUri + "\\?code=.{15,}&state=" + STATE_URL_ENCODED);
 
+		String redirectUri = authorizationRequestParameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
 
+		String code = extractParameterFromRedirectUri(redirectedUrl, "code");
 
+		assertThat(redirectedUrl).isEqualTo(redirectUri + "&code=" + code + "&state=" + STATE_URL_ENCODED);
 
 
 		String authorizationCode = extractParameterFromRedirectUri(redirectedUrl, "code");
 
 		OAuth2Authorization authorization = this.authorizationService.findByToken(authorizationCode, AUTHORIZATION_CODE_TOKEN_TYPE);

+ 7 - 2
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
Ver fichero 

@@ -537,7 +537,12 @@ public class OAuth2AuthorizationEndpointFilterTests {
 
 
 	@Test
 
 	public void doFilterWhenAuthorizationRequestAuthenticatedThenAuthorizationResponse() throws Exception {
 
-		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
 
+				.redirectUris(redirectUris -> {
 
+					redirectUris.clear();
 
+					redirectUris.add("https://example.com?param=encoded%20parameter%20value");
 
+				})
 
+				.build();
 
 		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthenticationResult =
 
 				new OAuth2AuthorizationCodeRequestAuthenticationToken(
 
 						AUTHORIZATION_URI, registeredClient.getClientId(), principal, this.authorizationCode,
 
@@ -563,7 +568,7 @@ public class OAuth2AuthorizationEndpointFilterTests {
 
 				.isEqualTo(REMOTE_ADDRESS);
 
 		assertThat(response.getStatus()).isEqualTo(HttpStatus.FOUND.value());
 
 		assertThat(response.getRedirectedUrl()).isEqualTo(
 
-				request.getParameter(OAuth2ParameterNames.REDIRECT_URI) + "?code=code&state=state");
 
+				"https://example.com?param=encoded%20parameter%20value&code=code&state=state");
 
 	}
 
 
 	@Test