
Improve error message when redirect_uri contains localhost #680

Closed
@asaikali

Description


When developing locally with the authorization server it is common for devs to use localhost instead of 127.0.0.1. When testing with a public client using Angular I ran into an issue where the redirect_uri was rejected. I turned on tracing with

```yaml
logging:
  level:
    org.springframework.security: trace
```

But I got no output explaining why the URI was rejected. Visually checking the setting in the Angular client and the client registration on the auth server side, they seemed to match: the redirect URI is set to http://localhost:4200. After tracing into the auth server I found the root cause in

Relevant code below:

```java
if (requestedRedirectHost == null || requestedRedirectHost.equals("localhost")) {
    // As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7.1
    // While redirect URIs using localhost (i.e.,
    // "http://localhost:{port}/{path}") function similarly to loopback IP
    // redirects described in Section 10.3.3, the use of "localhost" is NOT RECOMMENDED.
    return false;
}
```

The AuthServer should provide a more informative error message saying that localhost is not allowed to be used as a redirect URI value. I think there are three possible enhancements:

  1. Add tracing code to the validate URI function.
  2. Change the return type of the function so that it returns a boolean and a reason why the validation failed. This way the thrown exception can include an explanation of why this validation failed, which will show up on the generated error page.
  3. Implement both 1 and 2.
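As an added illustration of enhancement 2 (not code from Spring Authorization Server or from the issue author), the hypothetical validator below returns the rejection reason instead of a bare boolean. It keeps the "localhost" rejection shown above and, going beyond the snippet on the page, compares loopback IP redirects without the port as the draft's Section 10.3.3 requires; the `registered` set and the `RedirectUriCheck` class name are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;

// Hypothetical standalone validator; not Spring Authorization Server's own code.
public final class RedirectUriCheck {

    /** Empty when the requested redirect_uri is acceptable, otherwise the rejection reason. */
    public static Optional<String> rejectionReason(String requested, Set<String> registered) {
        URI uri;
        try {
            uri = new URI(requested);
        } catch (URISyntaxException e) {
            return Optional.of("redirect_uri is not a valid URI: " + requested);
        }
        String host = uri.getHost();
        if (host == null) {
            return Optional.of("redirect_uri has no host component: " + requested);
        }
        if (host.equals("localhost")) {
            // Same rule as the snippet in the issue ("localhost" is NOT RECOMMENDED by
            // draft-ietf-oauth-v2-1), but now with a message the developer can act on.
            return Optional.of("redirect_uri host 'localhost' is rejected; register and use a loopback IP "
                + "such as http://127.0.0.1:<port>/... instead");
        }
        if (isLoopback(host)) {
            // Loopback IP redirects may use any port (draft Section 10.3.3): compare without the port.
            for (String r : registered) {
                if (samePortless(uri, URI.create(r))) return Optional.empty();
            }
            return Optional.of("loopback redirect_uri matches no registered URI (port ignored): " + requested);
        }
        if (!registered.contains(requested)) {
            return Optional.of("redirect_uri does not exactly match any registered URI: " + requested);
        }
        return Optional.empty();
    }

    private static boolean isLoopback(String host) {
        // 127.0.0.0/8 and the bracketed IPv6 loopback as java.net.URI reports it
        return host.startsWith("127.") || host.equals("[::1]");
    }

    private static boolean samePortless(URI a, URI b) {
        return Objects.equals(a.getScheme(), b.getScheme())
            && Objects.equals(a.getHost(), b.getHost())
            && Objects.equals(a.getPath(), b.getPath());
    }

    public static void main(String[] args) {
        // Constructed sample registration; the client mistakenly requests "localhost".
        Set<String> registered = Set.of("http://127.0.0.1:4200/callback");
        System.out.println(rejectionReason("http://localhost:4200/callback", registered));
        System.out.println(rejectionReason("http://127.0.0.1:51234/callback", registered));
    }
}
```

The second call is accepted because only the port differs from the registered loopback URI, which is exactly the behaviour a developer switching from localhost to 127.0.0.1 relies on.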
