Localhost redirect_uri validation bug

[dlehammer]

Describe the bug
Hi spring-authorization-server gurus,

The localhost validation erroneously triggers in the face of the suggested host value 127.0.0.1, ex:

localhost is not allowed for the redirect_uri (http%3A%2F%2F127.0.0.1%3A4200%2Flogin). Use the IP literal (127.0.0.1) instead.

Unfortunately it took unreasonable time to pin down the root cause, as no errors was present in the logs even on TRACE-level and the symptom only manifested itself by caching the error-wrapped request instead of the expected request, ex:

2022-08-03 15:09:40.987 DEBUG 34689 --- [o-auto-1-exec-3] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:44303/error?scope=openid&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2Fdebug&state=.SNIP..

This behavior subsequently breaks the auth-flow, as the user is authenticated at this time but the cached request invalid.

Ie. the auth-flow worked as expected for redirect_uri https://oidcdebugger.com/debug , resulting in quite the head scratching and gnashing of teeth :/

To Reproduce

1. Register a authorization_code client with a redirect_uri like http://127.0.0.1:4200/login
2. Perform the authorization_code flow

Notice how requestedRedirectHost is null (orange arrows), triggering the first condition on line 598:

Expected behavior

The suggested redirect_uri host value 127.0.0.1 is accepted by the validation.

Plus another plea for logging of server-side (validation) errors (see also #159)

Sample
N/A ~ should be possible to prevent regression with unit-test ~ consider also covering a regular IP address.

[dlehammer]

Bah, was a case of RestTemplate implicitly double URL-encoding the location query-parameters :/

But my plea for debug logging still stands 🙏