trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

providers/oauth2: fix redirect_uri being lowercased on successful validation 

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-02-14 23:04:00 +01:00
parent c7ed4f7ac1
commit 0973c74b9d
2 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
authentik/providers/oauth2/tests/test_authorize.py
View File

@ -43,7 +43,7 @@ class TestAuthorize(OAuthTestCase):
name="test", name="test",
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris="http://local.invalid/Foo",
) )
with self.assertRaises(AuthorizeError): with self.assertRaises(AuthorizeError):
request = self.factory.get( request = self.factory.get(
@ -51,7 +51,7 @@ class TestAuthorize(OAuthTestCase):
data={ data={
"response_type": "code", "response_type": "code",
"client_id": "test", "client_id": "test",
"redirect_uri": "http://local.invalid", "redirect_uri": "http://local.invalid/Foo",
"request": "foo", "request": "foo",
}, },
) )
@ -105,26 +105,30 @@ class TestAuthorize(OAuthTestCase):
name="test", name="test",
client_id="test", client_id="test",
authorization_flow=create_test_flow(), authorization_flow=create_test_flow(),
redirect_uris="http://local.invalid", redirect_uris="http://local.invalid/Foo",
) )
request = self.factory.get( request = self.factory.get(
"/", "/",
data={ data={
"response_type": "code", "response_type": "code",
"client_id": "test", "client_id": "test",
"redirect_uri": "http://local.invalid", "redirect_uri": "http://local.invalid/Foo",
}, },
) )
self.assertEqual( self.assertEqual(
OAuthAuthorizationParams.from_request(request).grant_type, OAuthAuthorizationParams.from_request(request).grant_type,
GrantTypes.AUTHORIZATION_CODE, GrantTypes.AUTHORIZATION_CODE,
) )
self.assertEqual(
OAuthAuthorizationParams.from_request(request).redirect_uri,
"http://local.invalid/Foo",
)
request = self.factory.get( request = self.factory.get(
"/", "/",
data={ data={
"response_type": "id_token", "response_type": "id_token",
"client_id": "test", "client_id": "test",
"redirect_uri": "http://local.invalid", "redirect_uri": "http://local.invalid/Foo",
"scope": "openid", "scope": "openid",
"state": "foo", "state": "foo",
}, },
@ -140,7 +144,7 @@ class TestAuthorize(OAuthTestCase):
data={ data={
"response_type": "id_token", "response_type": "id_token",
"client_id": "test", "client_id": "test",
"redirect_uri": "http://local.invalid", "redirect_uri": "http://local.invalid/Foo",
"state": "foo", "state": "foo",
}, },
) )
@ -153,7 +157,7 @@ class TestAuthorize(OAuthTestCase):
data={ data={
"response_type": "code token", "response_type": "code token",
"client_id": "test", "client_id": "test",
"redirect_uri": "http://local.invalid", "redirect_uri": "http://local.invalid/Foo",
"scope": "openid", "scope": "openid",
"state": "foo", "state": "foo",
}, },
@ -167,7 +171,7 @@ class TestAuthorize(OAuthTestCase):
data={ data={
"response_type": "invalid", "response_type": "invalid",
"client_id": "test", "client_id": "test",
"redirect_uri": "http://local.invalid", "redirect_uri": "http://local.invalid/Foo",
}, },
) )
OAuthAuthorizationParams.from_request(request) OAuthAuthorizationParams.from_request(request)

9
authentik/providers/oauth2/views/authorize.py
View File

@ -100,7 +100,7 @@ class OAuthAuthorizationParams:
# and POST request. # and POST request.
query_dict = request.POST if request.method == "POST" else request.GET query_dict = request.POST if request.method == "POST" else request.GET
state = query_dict.get("state") state = query_dict.get("state")
redirect_uri = query_dict.get("redirect_uri", "").lower() redirect_uri = query_dict.get("redirect_uri", "")
response_type = query_dict.get("response_type", "") response_type = query_dict.get("response_type", "")
grant_type = None grant_type = None
@ -154,7 +154,10 @@ class OAuthAuthorizationParams:
def check_redirect_uri(self): def check_redirect_uri(self):
"""Redirect URI validation.""" """Redirect URI validation."""
allowed_redirect_urls = self.provider.redirect_uris.split() allowed_redirect_urls = self.provider.redirect_uris.split()
if not self.redirect_uri: # We don't want to actually lowercase the final URL we redirect to,
# we only lowercase it for comparsion
redirect_uri = self.redirect_uri.lower()
if not redirect_uri:
LOGGER.warning("Missing redirect uri.") LOGGER.warning("Missing redirect uri.")
raise RedirectUriError("", allowed_redirect_urls) raise RedirectUriError("", allowed_redirect_urls)
@ -170,7 +173,7 @@ class OAuthAuthorizationParams:
allow=self.redirect_uri, allow=self.redirect_uri,
) )
return return
if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]: if redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
LOGGER.warning( LOGGER.warning(
"Invalid redirect uri", "Invalid redirect uri",
redirect_uri=self.redirect_uri, redirect_uri=self.redirect_uri,