providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-01-12 22:19:59 +01:00
parent f9a5add01d
commit 4d7d700afa
7 changed files with 64 additions and 20 deletions


@ -99,7 +99,7 @@ class OAuthAuthorizationParams:
# and POST request. # and POST request.
query_dict = request.POST if request.method == "POST" else request.GET query_dict = request.POST if request.method == "POST" else request.GET
state = query_dict.get("state") state = query_dict.get("state")
redirect_uri = query_dict.get("redirect_uri", "") redirect_uri = query_dict.get("redirect_uri", "").lower()
response_type = query_dict.get("response_type", "") response_type = query_dict.get("response_type", "")
grant_type = None grant_type = None
@ -156,13 +156,20 @@ class OAuthAuthorizationParams:
if not self.redirect_uri: if not self.redirect_uri:
LOGGER.warning("Missing redirect uri.") LOGGER.warning("Missing redirect uri.")
raise RedirectUriError("", allowed_redirect_urls) raise RedirectUriError("", allowed_redirect_urls)
if len(allowed_redirect_urls) < 1:
if self.provider.redirect_uris == "":
LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
self.provider.redirect_uris = self.redirect_uri
self.provider.save()
allowed_redirect_urls = self.provider.redirect_uris.split()
if self.provider.redirect_uris == "*":
LOGGER.warning( LOGGER.warning(
"Provider has no allowed redirect_uri set, allowing all.", "Provider has wildcard allowed redirect_uri set, allowing all.",
allow=self.redirect_uri.lower(), allow=self.redirect_uri,
) )
return return
if self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]: if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
LOGGER.warning( LOGGER.warning(
"Invalid redirect uri", "Invalid redirect uri",
redirect_uri=self.redirect_uri, redirect_uri=self.redirect_uri,
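Review bot: The auto-save on `self.provider.redirect_uris = self.redirect_uri` followed by `self.provider.save()` runs while the authorization parameters are still being validated, before the user has authenticated or consented, so the provider's only allowed redirect URI is pinned by whichever request first arrives with a blank field, not by the "first successfully used" one the new form helper text promises. Consider deferring the save until the authorization response is actually issued (or rejecting a blank field and requiring admins to set it), and persist the URI as the client sent it rather than the already-lowercased value from `redirect_uri = query_dict.get("redirect_uri", "").lower()`, since path and query components are case-sensitive and the stored value now also drives the eventual redirect. The wildcard test `if self.provider.redirect_uris == "*":` is an exact string compare, so a textarea value with a trailing newline or spaces falls through to the list check and is rejected; `if allowed_redirect_urls == ["*"]:` reuses the `.split()` result computed just above and tolerates whitespace; the same applies to `__post_init_code` in TokenParams. The enclosing method begins before this hunk.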


@ -66,7 +66,7 @@ class TokenParams:
provider=provider, provider=provider,
client_id=client_id, client_id=client_id,
client_secret=client_secret, client_secret=client_secret,
redirect_uri=request.POST.get("redirect_uri", ""), redirect_uri=request.POST.get("redirect_uri", "").lower(),
grant_type=request.POST.get("grant_type", ""), grant_type=request.POST.get("grant_type", ""),
state=request.POST.get("state", ""), state=request.POST.get("state", ""),
scope=request.POST.get("scope", "").split(), scope=request.POST.get("scope", "").split(),
@ -123,21 +123,23 @@ class TokenParams:
LOGGER.warning("Invalid grant type", grant_type=self.grant_type) LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
raise TokenError("unsupported_grant_type") raise TokenError("unsupported_grant_type")
def __post_init_code(self, raw_code): def __post_init_code(self, raw_code: str):
if not raw_code: if not raw_code:
LOGGER.warning("Missing authorization code") LOGGER.warning("Missing authorization code")
raise TokenError("invalid_grant") raise TokenError("invalid_grant")
allowed_redirect_urls = self.provider.redirect_uris.split() allowed_redirect_urls = self.provider.redirect_uris.split()
if len(allowed_redirect_urls) < 1: if self.provider.redirect_uris == "*":
LOGGER.warning( LOGGER.warning(
"Provider has no allowed redirect_uri set, allowing all.", "Provider has wildcard allowed redirect_uri set, allowing all.",
allow=self.redirect_uri.lower(), redirect=self.redirect_uri,
) )
elif self.redirect_uri.lower() not in [x.lower() for x in allowed_redirect_urls]: # At this point, no provider should have a blank redirect_uri, in case they do
# this will check an empty array and raise an error
elif self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
LOGGER.warning( LOGGER.warning(
"Invalid redirect uri", "Invalid redirect uri",
uri=self.redirect_uri, redirect=self.redirect_uri,
expected=self.provider.redirect_uris.split(), expected=self.provider.redirect_uris.split(),
) )
raise TokenError("invalid_client") raise TokenError("invalid_client")
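Review bot: The structlog keys in the two new warnings here (`redirect=self.redirect_uri` on both the wildcard and the rejection path) differ from the keys the authorization-side counterpart emits for the same events (`allow=` and `redirect_uri=`), so one filter cannot find both halves of a redirect-URI incident; pick one key name, e.g. `redirect_uri=`, for both files. Lowercasing on `redirect_uri=request.POST.get("redirect_uri", "").lower()` makes the check against the stored list case-insensitive for the whole URI, including path and query, which RFC 3986 treats as case-sensitive; if only scheme and host are meant to be case-insensitive, the comparison is broader than it needs to be. The comment added above the `elif` could state the concrete outcome rather than the expectation: `# A blank redirect_uris yields an empty list here, so any redirect_uri is rejected with invalid_client`. The dataclass call in the first hunk starts outside the hunk.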


@ -2382,8 +2382,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
msgstr "If multiple providers share an outpost, a self-signed certificate is used." msgstr "If multiple providers share an outpost, a self-signed certificate is used."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed." #~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed." #~ msgstr "If no explicit redirect URIs are specified, any redirect URI is allowed."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
msgstr "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
#: src/pages/tenants/TenantForm.ts #: src/pages/tenants/TenantForm.ts
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown." msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@ -5187,6 +5191,10 @@ msgstr "Title"
msgid "To" msgid "To"
msgstr "To" msgstr "To"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
msgstr "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
#: src/pages/users/UserViewPage.ts #: src/pages/users/UserViewPage.ts
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured." msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
msgstr "To create a recovery link, the current tenant needs to have a recovery flow configured." msgstr "To create a recovery link, the current tenant needs to have a recovery flow configured."


@ -2366,8 +2366,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
msgstr "Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé." msgstr "Si plusieurs fournisseurs partagent un avant-poste, un certificat auto-signé est utilisé."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed." #~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé." #~ msgstr "Si aucune URL de redirection explicite n'est spécifié, toute URL de redirection est autorisé."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
msgstr ""
#: src/pages/tenants/TenantForm.ts #: src/pages/tenants/TenantForm.ts
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown." msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@ -5131,6 +5135,10 @@ msgstr "Titre"
msgid "To" msgid "To"
msgstr "À" msgstr "À"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
msgstr ""
#: src/pages/users/UserViewPage.ts #: src/pages/users/UserViewPage.ts
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured." msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
msgstr "Pour créer un lien de récupération, le locataire actuel doit avoir un flux de récupération configuré." msgstr "Pour créer un lien de récupération, le locataire actuel doit avoir un flux de récupération configuré."


@ -2374,7 +2374,11 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
msgstr "" msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed." #~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
#~ msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
msgstr "" msgstr ""
#: src/pages/tenants/TenantForm.ts #: src/pages/tenants/TenantForm.ts
@ -5167,6 +5171,10 @@ msgstr ""
msgid "To" msgid "To"
msgstr "" msgstr ""
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
msgstr ""
#: src/pages/users/UserViewPage.ts #: src/pages/users/UserViewPage.ts
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured." msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
msgstr "" msgstr ""


@ -2337,8 +2337,12 @@ msgid "If multiple providers share an outpost, a self-signed certificate is used
msgstr "Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır." msgstr "Birden çok sağlayıcı bir üssü paylaşıyorsa, otomatik olarak imzalanan bir sertifika kullanılır."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts #: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, any redirect URI is allowed." #~ msgid "If no explicit redirect URIs are specified, any redirect URI is allowed."
msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir." #~ msgstr "Açık bir yeniden yönlendirme URI'leri belirtilmezse, herhangi bir yeniden yönlendirme URI'sine izin verilir."
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved."
msgstr ""
#: src/pages/tenants/TenantForm.ts #: src/pages/tenants/TenantForm.ts
msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown." msgid "If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown."
@ -5076,6 +5080,10 @@ msgstr "Başlık"
msgid "To" msgid "To"
msgstr "Kime" msgstr "Kime"
#: src/pages/providers/oauth2/OAuth2ProviderForm.ts
msgid "To allow any redirect URI, set this value to \"*\". Be aware of the possible security implications this can have."
msgstr ""
#: src/pages/users/UserViewPage.ts #: src/pages/users/UserViewPage.ts
msgid "To create a recovery link, the current tenant needs to have a recovery flow configured." msgid "To create a recovery link, the current tenant needs to have a recovery flow configured."
msgstr "Kurtarma bağlantısı oluşturmak için geçerli sakinin yapılandırılmış bir kurtarma akışı olması gerekir." msgstr "Kurtarma bağlantısı oluşturmak için geçerli sakinin yapılandırılmış bir kurtarma akışı olması gerekir."


@ -171,7 +171,10 @@ ${this.instance?.redirectUris}</textarea
${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`} ${t`Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.`}
</p> </p>
<p class="pf-c-form__helper-text"> <p class="pf-c-form__helper-text">
${t`If no explicit redirect URIs are specified, any redirect URI is allowed.`} ${t`If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.`}
</p>
<p class="pf-c-form__helper-text">
${t`To allow any redirect URI, set this value to "*". Be aware of the possible security implications this can have.`}
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal label=${t`Signing Key`} name="signingKey"> <ak-form-element-horizontal label=${t`Signing Key`} name="signingKey">