trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

providers/oauth2: fix redirect_uri being lowercased on successful validation 

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-02-14 23:04:00 +01:00
parent c7ed4f7ac1
commit 0973c74b9d
2 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
authentik/providers/oauth2/tests/test_authorize.py
View File

@ -43,7 +43,7 @@ class TestAuthorize(OAuthTestCase):
name="test",
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris="http://local.invalid/Foo",
)
with self.assertRaises(AuthorizeError):
request = self.factory.get(
@ -51,7 +51,7 @@ class TestAuthorize(OAuthTestCase):
data={
"response_type": "code",
"client_id": "test",
"redirect_uri": "http://local.invalid",
"redirect_uri": "http://local.invalid/Foo",
"request": "foo",
},
)
@ -105,26 +105,30 @@ class TestAuthorize(OAuthTestCase):
name="test",
client_id="test",
authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid",
redirect_uris="http://local.invalid/Foo",
)
request = self.factory.get(
"/",
data={
"response_type": "code",
"client_id": "test",
"redirect_uri": "http://local.invalid",
"redirect_uri": "http://local.invalid/Foo",
},
)
self.assertEqual(
OAuthAuthorizationParams.from_request(request).grant_type,
GrantTypes.AUTHORIZATION_CODE,
)
self.assertEqual(
OAuthAuthorizationParams.from_request(request).redirect_uri,
"http://local.invalid/Foo",
)
request = self.factory.get(
"/",
data={
"response_type": "id_token",
"client_id": "test",
"redirect_uri": "http://local.invalid",
"redirect_uri": "http://local.invalid/Foo",
"scope": "openid",
"state": "foo",
},
@ -140,7 +144,7 @@ class TestAuthorize(OAuthTestCase):
data={
"response_type": "id_token",
"client_id": "test",
"redirect_uri": "http://local.invalid",
"redirect_uri": "http://local.invalid/Foo",
"state": "foo",
},
)
@ -153,7 +157,7 @@ class TestAuthorize(OAuthTestCase):
data={
"response_type": "code token",
"client_id": "test",
"redirect_uri": "http://local.invalid",
"redirect_uri": "http://local.invalid/Foo",
"scope": "openid",
"state": "foo",
},
@ -167,7 +171,7 @@ class TestAuthorize(OAuthTestCase):
data={
"response_type": "invalid",
"client_id": "test",
"redirect_uri": "http://local.invalid",
"redirect_uri": "http://local.invalid/Foo",
},
)
OAuthAuthorizationParams.from_request(request)

9
authentik/providers/oauth2/views/authorize.py
View File

@ -100,7 +100,7 @@ class OAuthAuthorizationParams:
# and POST request.
query_dict = request.POST if request.method == "POST" else request.GET
state = query_dict.get("state")
redirect_uri = query_dict.get("redirect_uri", "").lower()
redirect_uri = query_dict.get("redirect_uri", "")
response_type = query_dict.get("response_type", "")
grant_type = None
@ -154,7 +154,10 @@ class OAuthAuthorizationParams:
def check_redirect_uri(self):
"""Redirect URI validation."""
allowed_redirect_urls = self.provider.redirect_uris.split()
if not self.redirect_uri:
# We don't want to actually lowercase the final URL we redirect to,
# we only lowercase it for comparsion
redirect_uri = self.redirect_uri.lower()
if not redirect_uri:
LOGGER.warning("Missing redirect uri.")
raise RedirectUriError("", allowed_redirect_urls)
@ -170,7 +173,7 @@ class OAuthAuthorizationParams:
allow=self.redirect_uri,
)
return
if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
if redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
LOGGER.warning(
"Invalid redirect uri",
redirect_uri=self.redirect_uri,