handle issuers with issuer path correctly

Author: frederikz

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationEndpointConfigurer.java

@@ -15,16 +15,20 @@
  */
 package org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers;
 
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.util.function.Consumer;
 
 import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.oauth2.server.authorization.oidc.OidcProviderConfiguration;
 import org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter;
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.StringUtils;
 
 /**
  * Configurer for the OpenID Connect 1.0 Provider Configuration Endpoint.
@@ -35,6 +39,10 @@
  * @see OidcProviderConfigurationEndpointFilter
  */
 public final class OidcProviderConfigurationEndpointConfigurer extends AbstractOAuth2Configurer {
+	/**
+	 * The default endpoint {@code URI} for OpenID Provider Configuration requests.
+	 */
+	private static final String DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI = "/.well-known/openid-configuration";
 	private RequestMatcher requestMatcher;
 	private Consumer<OidcProviderConfiguration.Builder> providerConfigurationCustomizer;
 	private Consumer<OidcProviderConfiguration.Builder> defaultProviderConfigurationCustomizer;
@@ -70,13 +78,13 @@ void addDefaultProviderConfigurationCustomizer(
 	@Override
 	void init(HttpSecurity httpSecurity) {
 		this.requestMatcher = new AntPathRequestMatcher(
-				"/.well-known/openid-configuration", HttpMethod.GET.name());
+				getConfigurationEndpointUri(httpSecurity), HttpMethod.GET.name());
 	}
 
 	@Override
 	void configure(HttpSecurity httpSecurity) {
 		OidcProviderConfigurationEndpointFilter oidcProviderConfigurationEndpointFilter =
-				new OidcProviderConfigurationEndpointFilter();
+				new OidcProviderConfigurationEndpointFilter(getConfigurationEndpointUri(httpSecurity));
 		Consumer<OidcProviderConfiguration.Builder> providerConfigurationCustomizer = getProviderConfigurationCustomizer();
 		if (providerConfigurationCustomizer != null) {
 			oidcProviderConfigurationEndpointFilter.setProviderConfigurationCustomizer(providerConfigurationCustomizer);
@@ -105,4 +113,31 @@ RequestMatcher getRequestMatcher() {
 		return this.requestMatcher;
 	}
 
+	private String getConfigurationEndpointUri(HttpSecurity httpSecurity) {
+		return getIssuerPath(httpSecurity) + DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
+	}
+
+	private String getIssuerPath(HttpSecurity httpSecurity) {
+		AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils
+				.getAuthorizationServerSettings(httpSecurity);
+		String issuer = authorizationServerSettings.getIssuer();
+		if (StringUtils.hasText(issuer)) {
+			try {
+				URI issuerUri = new URI(issuer);
+				String path = issuerUri.getPath();
+				if (path == null) {
+					path = "";
+				} else if (path.endsWith("/")) {
+					path = path.substring(0, path.length() - 1);
+				}
+
+				return path;
+			} catch (URISyntaxException e) {
+				throw new RuntimeException("Error building configuration path", e);
+			}
+		} else {
+			return "";
+		}
+	}
+
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java

@@ -54,18 +54,15 @@
  * @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest">4.1. OpenID Provider Configuration Request</a>
  */
 public final class OidcProviderConfigurationEndpointFilter extends OncePerRequestFilter {
-	/**
-	 * The default endpoint {@code URI} for OpenID Provider Configuration requests.
-	 */
-	private static final String DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI = "/.well-known/openid-configuration";
-
-	private final RequestMatcher requestMatcher = new AntPathRequestMatcher(
-			DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI,
-			HttpMethod.GET.name());
+	private final RequestMatcher requestMatcher;
 	private final OidcProviderConfigurationHttpMessageConverter providerConfigurationHttpMessageConverter =
 			new OidcProviderConfigurationHttpMessageConverter();
 	private Consumer<OidcProviderConfiguration.Builder> providerConfigurationCustomizer = (providerConfiguration) -> {};
 
+	public OidcProviderConfigurationEndpointFilter(String configurationEndpointUri) {
+		requestMatcher = new AntPathRequestMatcher(configurationEndpointUri, HttpMethod.GET.name());
+	}
+
 	/**
 	 * Sets the {@code Consumer} providing access to the {@link OidcProviderConfiguration.Builder}
 	 * allowing the ability to customize the claims of the OpenID Provider's configuration.

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java

@@ -62,7 +62,7 @@
  */
 @ExtendWith(SpringTestContextExtension.class)
 public class OidcProviderConfigurationTests {
-	private static final String DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI = "/.well-known/openid-configuration";
+	private static final String ISSUER1_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI = "/issuer1/.well-known/openid-configuration";
 	private static final String ISSUER_URL = "https://example.com/issuer1";
 
 	public final SpringTestContext spring = new SpringTestContext();
@@ -77,7 +77,7 @@ public class OidcProviderConfigurationTests {
 	public void requestWhenConfigurationRequestAndIssuerSetThenReturnDefaultConfigurationResponse() throws Exception {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();
 
-		this.mvc.perform(get(DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
+		this.mvc.perform(get(ISSUER1_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
 				.andExpect(status().is2xxSuccessful())
 				.andExpectAll(defaultConfigurationMatchers());
 	}
@@ -87,7 +87,7 @@ public void requestWhenConfigurationRequestAndIssuerSetThenReturnDefaultConfigur
 	public void requestWhenConfigurationRequestAndUserAuthenticatedThenReturnConfigurationResponse() throws Exception {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();
 
-		this.mvc.perform(get(DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI)
+		this.mvc.perform(get(ISSUER1_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI)
 				.with(user("user")))
 				.andExpect(status().is2xxSuccessful())
 				.andExpectAll(defaultConfigurationMatchers());
@@ -98,7 +98,7 @@ public void requestWhenConfigurationRequestAndUserAuthenticatedThenReturnConfigu
 	public void requestWhenConfigurationRequestAndConfigurationCustomizerSetThenReturnCustomConfigurationResponse() throws Exception {
 		this.spring.register(AuthorizationServerConfigurationWithProviderConfigurationCustomizer.class).autowire();
 
-		this.mvc.perform(get(DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
+		this.mvc.perform(get(ISSUER1_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
 				.andExpect(status().is2xxSuccessful())
 				.andExpect(jsonPath(OAuth2AuthorizationServerMetadataClaimNames.SCOPES_SUPPORTED,
 						hasItems(OidcScopes.OPENID, OidcScopes.PROFILE, OidcScopes.EMAIL)));
@@ -108,7 +108,7 @@ public void requestWhenConfigurationRequestAndConfigurationCustomizerSetThenRetu
 	public void requestWhenConfigurationRequestAndClientRegistrationEnabledThenConfigurationResponseIncludesRegistrationEndpoint() throws Exception {
 		this.spring.register(AuthorizationServerConfigurationWithClientRegistrationEnabled.class).autowire();
 
-		this.mvc.perform(get(DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
+		this.mvc.perform(get(ISSUER1_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
 				.andExpect(status().is2xxSuccessful())
 				.andExpectAll(defaultConfigurationMatchers())
 				.andExpect(jsonPath("$.registration_endpoint").value(ISSUER_URL.concat(this.authorizationServerSettings.getOidcClientRegistrationEndpoint())));

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilterTests.java

@@ -45,7 +45,6 @@
  */
 public class OidcProviderConfigurationEndpointFilterTests {
 	private static final String DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI = "/.well-known/openid-configuration";
-	private final OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter();
 
 	@AfterEach
 	public void cleanup() {
@@ -54,39 +53,51 @@ public void cleanup() {
 
 	@Test
 	public void setProviderConfigurationCustomizerWhenNullThenThrowIllegalArgumentException() {
-		assertThatThrownBy(() -> this.filter.setProviderConfigurationCustomizer(null))
+		OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter(
+				DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
+
+		assertThatThrownBy(() -> filter.setProviderConfigurationCustomizer(null))
 				.isInstanceOf(IllegalArgumentException.class)
 				.hasMessage("providerConfigurationCustomizer cannot be null");
 	}
 
 	@Test
 	public void doFilterWhenNotConfigurationRequestThenNotProcessed() throws Exception {
+		OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter(
+				DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
+
 		String requestUri = "/path";
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
 		request.setServletPath(requestUri);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain filterChain = mock(FilterChain.class);
 
-		this.filter.doFilter(request, response, filterChain);
+		filter.doFilter(request, response, filterChain);
 
 		verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 
 	@Test
 	public void doFilterWhenConfigurationRequestPostThenNotProcessed() throws Exception {
+		OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter(
+				DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
+
 		String requestUri = DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
 		request.setServletPath(requestUri);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain filterChain = mock(FilterChain.class);
 
-		this.filter.doFilter(request, response, filterChain);
+		filter.doFilter(request, response, filterChain);
 
 		verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 
 	@Test
 	public void doFilterWhenConfigurationRequestThenConfigurationResponse() throws Exception {
+		OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter(
+				"/issuer1" + DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
+
 		String issuer = "https://example.com/issuer1";
 		String authorizationEndpoint = "/oauth2/v1/authorize";
 		String tokenEndpoint = "/oauth2/v1/token";
@@ -108,13 +119,13 @@ public void doFilterWhenConfigurationRequestThenConfigurationResponse() throws E
 				.build();
 		AuthorizationServerContextHolder.setContext(new TestAuthorizationServerContext(authorizationServerSettings, null));
 
-		String requestUri = DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
+		String requestUri = "/issuer1" + DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
 		request.setServletPath(requestUri);
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain filterChain = mock(FilterChain.class);
 
-		this.filter.doFilter(request, response, filterChain);
+		filter.doFilter(request, response, filterChain);
 
 		verifyNoInteractions(filterChain);
 
@@ -140,6 +151,9 @@ public void doFilterWhenConfigurationRequestThenConfigurationResponse() throws E
 
 	@Test
 	public void doFilterWhenAuthorizationServerSettingsWithInvalidIssuerThenThrowIllegalArgumentException() {
+		OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter(
+				DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
+
 		AuthorizationServerSettings authorizationServerSettings = AuthorizationServerSettings.builder()
 				.issuer("https://this is an invalid URL")
 				.build();
@@ -152,7 +166,7 @@ public void doFilterWhenAuthorizationServerSettingsWithInvalidIssuerThenThrowIll
 		FilterChain filterChain = mock(FilterChain.class);
 
 		assertThatIllegalArgumentException()
-				.isThrownBy(() -> this.filter.doFilter(request, response, filterChain))
+				.isThrownBy(() -> filter.doFilter(request, response, filterChain))
 				.withMessage("issuer must be a valid URL");
 	}