Improve error message when redirect_uri contains localhost #680
Closed
asaikali opened this issue Apr 8, 2022 · 3 comments
Labels
type: enhancement A general enhancement
asaikali commented Apr 8, 2022

When developing locally with the authorization server, it is common for devs to use localhost instead of 127.0.0.1. When testing with a public client using Angular, I ran into an issue where the redirect_uri was rejected. I turned on tracing with

logging:
  level:
    org.springframework.security: trace

but got no output explaining why the URI was rejected. Visually checking the setting in the Angular client and the client registration on the auth server side, they seemed to match; the redirect URI is set to http://localhost:4200. After tracing into the auth server I found the root cause in

Relevant code below

if (requestedRedirectHost == null || requestedRedirectHost.equals("localhost")) {
	// As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7.1
	// While redirect URIs using localhost (i.e.,
	// "http://localhost:{port}/{path}") function similarly to loopback IP
	// redirects described in Section 10.3.3, the use of "localhost" is NOT RECOMMENDED.
	return false;
}

The AuthServer should provide a more informative error message saying that localhost is not allowed to be used as a redirect_uri value. I think there are three possible enhancements:

  1. Add tracing code to the validate URI function.
  2. Change the return type of the function so that it returns a boolean and a reason why the validation failed; this way the thrown exception can include an explanation of why this validation failed, which will show up on the generated error page.
  3. Implement both 1 and 2.
asaikali added the type: enhancement (A general enhancement) label Apr 8, 2022
asaikali changed the title from "adding tracing to explain why a redirect_uri rejected" to "adding tracing to explain why a redirect_uri is found to be invalid" Apr 8, 2022
jgrandja changed the title from "adding tracing to explain why a redirect_uri is found to be invalid" to "Improve error message when redirect_uri contains localhost" Apr 27, 2022
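The enhancement asked for above is a validator that reports why a redirect_uri was rejected instead of returning a bare false. The following is an added example written for this page; it is not Spring Authorization Server's code, and the class name RedirectUriValidator, the method reject and the registered URI are assumptions. It keeps the localhost rule from the snippet quoted in the issue, adds the loopback handling from RFC 8252 section 7.3 (a loopback IP literal may use any port, since native clients bind an ephemeral one), and falls back to the simple string comparison RFC 6749 section 3.1.2.3 requires for every other host.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;

/**
 * Validates an incoming redirect_uri against a registered one and, on failure,
 * returns the reason so it can be surfaced in the exception and error page.
 * Added illustration, not Spring Authorization Server code; names are assumed.
 */
final class RedirectUriValidator {

    // Loopback IP literals that RFC 8252 section 7.3 allows with any port.
    // Java's URI.getHost() keeps the brackets around an IPv6 literal.
    private static final Set<String> LOOPBACK_HOSTS = Set.of("127.0.0.1", "[::1]");

    private RedirectUriValidator() {
    }

    /** Returns an empty Optional when the URI is acceptable, otherwise a rejection reason. */
    static Optional<String> reject(String requestedRedirectUri, String registeredRedirectUri) {
        URI requested;
        try {
            requested = new URI(requestedRedirectUri);
        } catch (URISyntaxException e) {
            return Optional.of("redirect_uri is not a valid URI: " + requestedRedirectUri);
        }
        if (requested.getFragment() != null) {
            return Optional.of("redirect_uri must not contain a fragment (RFC 6749 section 3.1.2): "
                    + requestedRedirectUri);
        }
        String host = requested.getHost();
        if (host == null) {
            return Optional.of("redirect_uri has no host: " + requestedRedirectUri);
        }
        if ("localhost".equalsIgnoreCase(host)) {
            // Same rule as the snippet in the issue (host names are case-insensitive,
            // hence equalsIgnoreCase), but now with a reason the error page can show.
            return Optional.of("localhost is not allowed for the redirect_uri (" + requestedRedirectUri
                    + "). Use the IP literal (127.0.0.1) instead.");
        }
        if (LOOPBACK_HOSTS.contains(host)) {
            // Loopback redirect: the client picks an ephemeral port, so compare
            // scheme, host and path but ignore the port (RFC 8252 section 7.3).
            URI registered = URI.create(registeredRedirectUri);
            boolean sameExceptPort = Objects.equals(requested.getScheme(), registered.getScheme())
                    && Objects.equals(host, registered.getHost())
                    && Objects.equals(requested.getPath(), registered.getPath());
            return sameExceptPort
                    ? Optional.empty()
                    : Optional.of("loopback redirect_uri does not match the registered scheme/host/path: "
                            + requestedRedirectUri);
        }
        // Everything else: exact string comparison, no prefix or wildcard matching
        // (RFC 6749 section 3.1.2.3), which is what stops open-redirect style abuse.
        return requestedRedirectUri.equals(registeredRedirectUri)
                ? Optional.empty()
                : Optional.of("redirect_uri does not match the registered redirect URI: "
                        + requestedRedirectUri);
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering the case from the issue and the loopback variants.
        String registered = "http://127.0.0.1:4200/callback";
        String[] samples = {
                "http://localhost:4200/callback",        // rejected: localhost
                "http://127.0.0.1:4200/callback",        // valid: exact match
                "http://127.0.0.1:53123/callback",       // valid: loopback, port ignored
                "http://127.0.0.1:4200/callback#frag",   // rejected: fragment
                "http://127.0.0.1:4200/other"            // rejected: path differs
        };
        for (String uri : samples) {
            System.out.println(uri + " -> " + reject(uri, registered).orElse("valid"));
        }
    }
}
```

Wiring this into an authorization server means throwing the reason as the error description of an invalid_request error, which is the point the issue makes: the boolean alone forces the developer to step through the server with a debugger to learn that localhost, not the port or path, was the problem.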
jgrandja (Collaborator) commented

Thanks for the details @asaikali. We'll look at improving this.

@jgrandja jgrandja self-assigned this Jun 16, 2022
@jgrandja jgrandja added this to the 0.3.1 milestone Jun 16, 2022
jgrandja (Collaborator) commented Jun 16, 2022

@asaikali The error message in the generated error page has been enhanced with the following detail:

localhost is not allowed for the redirect_uri (http://localhost:8080/authorized). Use the IP literal (127.0.0.1) instead.

asaikali (Author) commented

Thanks, that looks great.
