
Fix DefaultOAuth2AuthorizationRequestResolver baseUrl excludes queryParams

When DefaultOAuth2AuthorizationRequestResolver creates the redirect_uri,
the query string of the current request is included in the request-derived baseUrl.
So when that baseUrl is bound to the redirectUriTemplate,
an incorrect redirect_uri may be produced.

Fixes gh-5520
mhyeon.lee 7 years ago
parent
commit
191a4760f9

+ 1 - 0
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java

@@ -155,6 +155,7 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
 		Map<String, String> uriVariables = new HashMap<>();
 		uriVariables.put("registrationId", clientRegistration.getRegistrationId());
 		String baseUrl = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
+				.replaceQuery(null)
 				.replacePath(request.getContextPath())
 				.build()
 				.toUriString();
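Review bot: The added `.replaceQuery(null)` has no comment explaining why the query is dropped, and a future reader of this builder chain could easily take it for an accidental leftover; a one-line why-comment such as `// gh-5520: the request's query string must not leak into the expanded {baseUrl}` would tie the line to the issue. Since the query is discarded in any case, building the base URL directly from the request's scheme, host, port and context path (rather than building the full request URL and then stripping pieces of it) would arguably state the intent more clearly, though that is a larger change than this fix needs. Note that the base URL still takes scheme, host and port from the inbound request, so deployments behind a proxy remain dependent on forwarded-header handling elsewhere; this is pre-existing and not introduced here. The enclosing method starts and ends outside the hunk.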

+ 16 - 0
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java

@@ -163,6 +163,22 @@ public class DefaultOAuth2AuthorizationRequestResolverTests {
 				"http://localhost/login/oauth2/code/" + clientRegistration.getRegistrationId());
 	}
 
+	// gh-5520
+	@Test
+	public void resolveWhenAuthorizationRequestRedirectUriTemplatedThenRedirectUriExpandedExcludesQueryString() {
+		ClientRegistration clientRegistration = this.registration2;
+		String requestUri = this.authorizationRequestBaseUri + "/" + clientRegistration.getRegistrationId();
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
+		request.setServletPath(requestUri);
+		request.setQueryString("foo=bar");
+
+		OAuth2AuthorizationRequest authorizationRequest = this.resolver.resolve(request);
+		assertThat(authorizationRequest.getRedirectUri()).isNotEqualTo(
+				clientRegistration.getRedirectUriTemplate());
+		assertThat(authorizationRequest.getRedirectUri()).isEqualTo(
+				"http://localhost/login/oauth2/code/" + clientRegistration.getRegistrationId());
+	}
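Review bot: The first assertion in the new test, `isNotEqualTo(clientRegistration.getRedirectUriTemplate())`, does not exercise gh-5520: the template (assigned outside the hunk, presumably with unexpanded `{baseUrl}`-style placeholders) would differ from any expanded URI with or without the fix, and the following `isEqualTo` already pins the full expected value. Replacing it with `assertThat(authorizationRequest.getRedirectUri()).doesNotContain("foo=bar");` states the regression being guarded directly, so a reader sees at once that the query string is what must be excluded. The `// gh-5520` marker could also move into the method's Javadoc or name so the link to the issue is not a bare comment. The enclosing test class continues outside the hunk.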
+
 	@Test
 	public void resolveWhenAuthorizationRequestIncludesPort80ThenExpandedRedirectUriExcludesPort() {
 		ClientRegistration clientRegistration = this.registration1;