Skip to content

Fix verification_uri in device authorization response when context path exists #1729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

Fix verification_uri in device authorization response when context path exists #1729

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b1e0b65
#1714: Invalid verification_uri in device authorization response when…
Sep 25, 2024
21c58a4
Strip of the query part when building the verification URI
Sep 25, 2024
ff3bc96
Move building of verification URI to internal method using RedirectUr…
Oct 2, 2024
893b6d2
Add test for device authentication request with context path set
Oct 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 15 additions & 3 deletions ...ork/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.util.RedirectUrlBuilder;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
Expand Down Expand Up @@ -220,9 +221,7 @@ private void sendDeviceAuthorizationResponse(HttpServletRequest request, HttpSer
OAuth2UserCode userCode = deviceAuthorizationRequestAuthentication.getUserCode();

// Generate the fully-qualified verification URI
UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder
.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
.replacePath(this.verificationUri);
UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromUriString(resolveVerificationUri(request));
String verificationUri = uriComponentsBuilder.build().toUriString();
// @formatter:off
String verificationUriComplete = uriComponentsBuilder
Expand All @@ -242,4 +241,17 @@ private void sendDeviceAuthorizationResponse(HttpServletRequest request, HttpSer
this.deviceAuthorizationHttpResponseConverter.write(deviceAuthorizationResponse, null, httpResponse);
}

private String resolveVerificationUri(HttpServletRequest request) {
if (UrlUtils.isAbsoluteUrl(this.verificationUri)) {
return this.verificationUri;
}
RedirectUrlBuilder urlBuilder = new RedirectUrlBuilder();
urlBuilder.setScheme(request.getScheme());
urlBuilder.setServerName(request.getServerName());
urlBuilder.setPort(request.getServerPort());
urlBuilder.setContextPath(request.getContextPath());
urlBuilder.setPathInfo(this.verificationUri);
return urlBuilder.getUrl();
}

}
33 changes: 33 additions & 0 deletions ...ecurity/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilterTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,39 @@ public void doFilterWhenDeviceAuthorizationRequestThenDeviceAuthorizationRespons
assertThat(deviceCode.getExpiresAt()).isAfter(deviceCode.getIssuedAt());
}

@Test
public void doFilterWhenDeviceAuthorizationRequestWithContextPathThenDeviceAuthorizationResponse() throws Exception {
Authentication authenticationResult = createAuthentication();
given(this.authenticationManager.authenticate(any(Authentication.class))).willReturn(authenticationResult);

Authentication clientPrincipal = (Authentication) authenticationResult.getPrincipal();
mockSecurityContext(clientPrincipal);

MockHttpServletRequest request = createRequest();
request.setContextPath("/contextPath");
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
this.filter.doFilter(request, response, filterChain);
assertThat(response.getStatus()).isEqualTo(HttpStatus.OK.value());

ArgumentCaptor<OAuth2DeviceAuthorizationRequestAuthenticationToken> deviceAuthorizationRequestAuthenticationCaptor = ArgumentCaptor
.forClass(OAuth2DeviceAuthorizationRequestAuthenticationToken.class);
verify(this.authenticationManager).authenticate(deviceAuthorizationRequestAuthenticationCaptor.capture());
verifyNoInteractions(filterChain);

OAuth2DeviceAuthorizationResponse deviceAuthorizationResponse = readDeviceAuthorizationResponse(response);
String verificationUri = ISSUER_URI + "/contextPath" + VERIFICATION_URI;
assertThat(deviceAuthorizationResponse.getVerificationUri()).isEqualTo(verificationUri);
assertThat(deviceAuthorizationResponse.getVerificationUriComplete())
.isEqualTo("%s?%s=%s".formatted(verificationUri, OAuth2ParameterNames.USER_CODE, USER_CODE));
OAuth2DeviceCode deviceCode = deviceAuthorizationResponse.getDeviceCode();
assertThat(deviceCode.getTokenValue()).isEqualTo(DEVICE_CODE);
assertThat(deviceCode.getExpiresAt()).isAfter(deviceCode.getIssuedAt());
OAuth2UserCode userCode = deviceAuthorizationResponse.getUserCode();
assertThat(userCode.getTokenValue()).isEqualTo(USER_CODE);
assertThat(deviceCode.getExpiresAt()).isAfter(deviceCode.getIssuedAt());
}

@Test
public void doFilterWhenInvalidRequestErrorThenBadRequest() throws Exception {
AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class);
Expand Down