Fix verification_uri in device authorization response when context path exists #1729
Conversation
…n response when context path exists
The query part of the request URI was copied to the verification URI - which is - in my opinion - not the expected behaviour. According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1 "Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once." Passing through the request parameters is - IMHO - a different behaviour than ignoring them.
spring-projects-issues
added
the
status: waiting-for-triage
jgrandja
added
type: bug
| // Generate the fully-qualified verification URI | ||
| UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder | ||
| .fromHttpUrl(UrlUtils.buildFullRequestUrl(request)) | ||
| .replacePath(this.verificationUri); | ||
| .replacePath(UrlPathHelper.defaultInstance.getContextPath(request)) |
There was a problem hiding this comment.
Instead of using UrlPathHelper, please create an internal method resolveVerificationUri(), that looks like:
then it can be used UriComponentsBuilder.fromUriString(resolveVerificationUri(request)). This will provide consistency between the 3x implementations (OAuth2AuthorizationEndpointFilter is implemented the same).
There was a problem hiding this comment.
I created - as requested - an internal method and added a test.
I used doFilterWhenDeviceAuthorizationRequestThenDeviceAuthorizationResponse as a base for my test. I am not sure whether the method name fits the project conventions for test method names and I am unsure about keeping all assertions of doFilterWhenDeviceAuthorizationRequestThenDeviceAuthorizationResponse or just using a reduced set of assertions.
jgrandja
changed the title
|
Thanks for the updates @sfeigl ! FYI, I added some minor polish to the test. This is now merged. |
This fixes
#1714: Invalid verification_uri in device authorization response when context path exists
Before this change the reported verification URI was built by completely replacing the path of the incoming device authorization request. If the application is not running under the root path (/) this lead to an incorrect verification URI. After the change the verification URI is built relative to the context path of the application.
Additionally it clears the query part of the URI. The current code passes the query parameters used to do the device authorization query to the verification URI. IMHO that is not expected / intended behaviour.
According to https://datatracker.ietf.org/doc/html/rfc8628#section-3.1
"Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than once."
Passing through is not "ignoring"
The pull request should be mergeable in main and 1.3.x
Did some quick tests with:
Seems to look ok for me
Fixes gh-1714