Closed
Labels
- in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
- type: bug (A general bug)
Description
Summary
To create redirect_uri in DefaultOAuth2AuthorizationRequestResolver, queryParam is included in the current request-based baseUrl.
So when binding to the redirectUriTemplate, the wrong type of redirect_uri may be created.
Actual Behavior
redirectUriTemplate: "{baseUrl}/{action}/oauth2/code/{registrationId}"
request: http://localhost/oauth2/authorization/registration-1?foo=bar
redirect_uri: http://localhost?foo=bar/login/oauth2/code/registration-1
Expected Behavior
redirect_uri: http://localhost/login/oauth2/code/registration-1
Configuration
- The following test fails.

```java
@Test
public void resolveWhenAuthorizationRequestRedirectUriTemplatedThenRedirectUriExpandedExcludesQueryString() {
    ClientRegistration clientRegistration = this.registration2;
    String requestUri = this.authorizationRequestBaseUri + "/" + clientRegistration.getRegistrationId();
    MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
    request.setServletPath(requestUri);
    request.setQueryString("foo=bar");
    OAuth2AuthorizationRequest authorizationRequest = this.resolver.resolve(request);
    assertThat(authorizationRequest.getRedirectUri()).isEqualTo(
            "http://localhost/login/oauth2/code/" + clientRegistration.getRegistrationId());
}
```

Version
- commit: 779597a
- related: Add OAuth2AuthorizationRequestResolver #4911
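
The behaviour reported above can be reproduced with the JDK alone. The following is an added illustration, not Spring Security's code and not part of the original report: the class and method names are hypothetical, and it assumes the base URL is derived from the full request URL with only the path dropped. It also shows a check that the expanded `redirect_uri` for this template carries no query or fragment.

```java
import java.net.URI;
import java.util.Map;

public class RedirectUriExpansion {

    // Assumed faulty derivation: the path is dropped but the query string stays in baseUrl.
    static String baseUrlKeepingQuery(String fullRequestUrl) {
        URI u = URI.create(fullRequestUrl);
        String base = u.getScheme() + "://" + u.getRawAuthority();
        return u.getRawQuery() == null ? base : base + "?" + u.getRawQuery();
    }

    // Base URL built from scheme, authority and context path only.
    static String baseUrlWithoutQuery(String fullRequestUrl, String contextPath) {
        URI u = URI.create(fullRequestUrl);
        return u.getScheme() + "://" + u.getRawAuthority() + contextPath;
    }

    // Minimal {name} substitution, standing in for a URI template library.
    static String expand(String template, Map<String, String> vars) {
        String out = template;
        for (Map.Entry<String, String> e : vars.entrySet()) {
            out = out.replace("{" + e.getKey() + "}", e.getValue());
        }
        return out;
    }

    // Check for this template: expected path, no query, no fragment.
    static boolean isExpectedRedirectUri(String redirectUri, String expectedPath) {
        URI u = URI.create(redirectUri);
        return u.getRawQuery() == null
                && u.getRawFragment() == null
                && expectedPath.equals(u.getRawPath());
    }

    public static void main(String[] args) {
        // Values taken from the issue text.
        String template = "{baseUrl}/{action}/oauth2/code/{registrationId}";
        String request = "http://localhost/oauth2/authorization/registration-1?foo=bar";
        String expectedPath = "/login/oauth2/code/registration-1";

        String[] baseUrls = { baseUrlKeepingQuery(request), baseUrlWithoutQuery(request, "") };
        for (String baseUrl : baseUrls) {
            String redirectUri = expand(template, Map.of(
                    "baseUrl", baseUrl, "action", "login", "registrationId", "registration-1"));
            System.out.println(redirectUri + " -> expected form: "
                    + isExpectedRedirectUri(redirectUri, expectedPath));
        }
    }
}
```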