Closed
Description
When developing locally with authorization server it is common for devs to use localhost instead of 127.0.0.1 when testing with a public client using angular I ran into an issue where the redirect_uri was rejected. I turned on tracing with
logging:
level:
org.springframework.security: trace
But got no output explaining why the uri was rejected. Visual checking of the setting in the angular client and the client registration on the auth server side seemed to match redirect uri is set to http://localhost:4200. After tracing into the auth server I found the root cause in
Relevant code below
if (requestedRedirectHost == null || requestedRedirectHost.equals("localhost")) {
// As per https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-9.7.1
// While redirect URIs using localhost (i.e.,
// "http://localhost:{port}/{path}") function similarly to loopback IP
// redirects described in Section 10.3.3, the use of "localhost" is NOT RECOMMENDED.
return false;
}
The AuthServer should provide a more informative error message saying that the localhost is not allowed to be used as a redirect uri value. I think there are three possible enhancements:
- Add tracing code to the validate uri function
- Change the return type of the function so that it returns a boolean and a reason why the validation failed, this way the thrown exception can include an explanation of why this validation failed which will show up on the generated error page.
- implement both 1 and 2