Enhance validation for configured issuer

NotFound403 · jgrandja · commit d0bb94b88743 · 2022-05-06T08:17:32.000-04:00
Closes gh-649
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java
@@ -427,11 +427,17 @@ private void initEndpointMatchers(ProviderSettings providerSettings) {
 
 	private static void validateProviderSettings(ProviderSettings providerSettings) {
 		if (providerSettings.getIssuer() != null) {
+			URI issuerUri;
 			try {
-				new URI(providerSettings.getIssuer()).toURL();
+				issuerUri = new URI(providerSettings.getIssuer());
+				issuerUri.toURL();
 			} catch (Exception ex) {
 				throw new IllegalArgumentException("issuer must be a valid URL", ex);
 			}
+			// rfc8414 https://datatracker.ietf.org/doc/html/rfc8414#section-2
+			if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
+				throw new IllegalArgumentException("issuer cannot contain query or fragment component");
+			}
 		}
 	}
 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
@@ -210,6 +210,41 @@ public void loadContextWhenIssuerNotValidUriThenThrowException() {
 		);
 	}
 
+	@Test
+	public void loadContextWhenIssuerWithQueryThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithInvalidQueryIssuerUrl.class).autowire()
+		);
+	}
+
+	@Test
+	public void loadContextWhenIssuerWithFragmentThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithInvalidFragmentIssuerUrl.class).autowire()
+		);
+	}
+
+	@Test
+	public void loadContextWhenIssuerWithQueryAndFragmentThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithInvalidQueryAndFragmentIssuerUrl.class).autowire()
+		);
+	}
+
+	@Test
+	public void loadContextWhenIssuerEndWithQuestionMarkCharacterThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithQuestionMarkCharacter.class).autowire()
+		);
+	}
+
+	@Test
+	public void loadContextWhenIssuerEndWithNumberSignCharacterThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithNumberSignCharacter.class).autowire()
+		);
+	}
+
 	@Test
 	public void requestWhenAuthenticationRequestThenTokenResponseIncludesIdToken() throws Exception {
 		this.spring.register(AuthorizationServerConfiguration.class).autowire();
@@ -459,4 +494,54 @@ ProviderSettings providerSettings() {
 		}
 	}
 
+	@EnableWebSecurity
+	@Import(OAuth2AuthorizationServerConfiguration.class)
+	static class AuthorizationServerConfigurationWithInvalidQueryIssuerUrl extends AuthorizationServerConfiguration {
+
+		@Bean
+		ProviderSettings providerSettings() {
+			return ProviderSettings.builder().issuer("https://localhost:9000?something=any").build();
+		}
+	}
+
+	@EnableWebSecurity
+	@Import(OAuth2AuthorizationServerConfiguration.class)
+	static class AuthorizationServerConfigurationWithInvalidFragmentIssuerUrl extends AuthorizationServerConfiguration {
+
+		@Bean
+		ProviderSettings providerSettings() {
+			return ProviderSettings.builder().issuer("https://localhost:9000#fragment").build();
+		}
+	}
+
+	@EnableWebSecurity
+	@Import(OAuth2AuthorizationServerConfiguration.class)
+	static class AuthorizationServerConfigurationWithInvalidQueryAndFragmentIssuerUrl extends AuthorizationServerConfiguration {
+
+		@Bean
+		ProviderSettings providerSettings() {
+			return ProviderSettings.builder().issuer("https://localhost:9000?something=any#fragment").build();
+		}
+	}
+
+	@EnableWebSecurity
+	@Import(OAuth2AuthorizationServerConfiguration.class)
+	static class AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithQuestionMarkCharacter extends AuthorizationServerConfiguration {
+
+		@Bean
+		ProviderSettings providerSettings() {
+			return ProviderSettings.builder().issuer("https://localhost:9000?").build();
+		}
+	}
+
+	@EnableWebSecurity
+	@Import(OAuth2AuthorizationServerConfiguration.class)
+	static class AuthorizationServerConfigurationWithInvalidIssuerUrlEndWithNumberSignCharacter extends AuthorizationServerConfiguration {
+
+		@Bean
+		ProviderSettings providerSettings() {
+			return ProviderSettings.builder().issuer("https://localhost:9000/#").build();
+		}
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -427,11 +427,17 @@ private void initEndpointMatchers(ProviderSettings providerSettings) {`
`427`	`427`
`428`	`428`	`private static void validateProviderSettings(ProviderSettings providerSettings) {`
`429`	`429`	`if (providerSettings.getIssuer() != null) {`
	`430`	`+ URI issuerUri;`
`430`	`431`	`try {`
`431`		`- new URI(providerSettings.getIssuer()).toURL();`
	`432`	`+ issuerUri = new URI(providerSettings.getIssuer());`
	`433`	`+ issuerUri.toURL();`
`432`	`434`	`} catch (Exception ex) {`
`433`	`435`	`throw new IllegalArgumentException("issuer must be a valid URL", ex);`
`434`	`436`	`}`
	`437`	`+ // rfc8414 https://datatracker.ietf.org/doc/html/rfc8414#section-2`
	`438`	`+ if (issuerUri.getQuery() != null \|\| issuerUri.getFragment() != null) {`
	`439`	`+ throw new IllegalArgumentException("issuer cannot contain query or fragment component");`
	`440`	`+ }`
`435`	`441`	`}`
`436`	`442`	`}`
`437`	`443`