Authorization Response should also match on query parameters

[ttddyy]

This is about OAuth2 Authorization Code Grant flow.

When a service is registered with redirect_uri that has query parameter (e.g: http://some/auth?param=foo), current OAuth2AuthorizationCodeGrantFilter doesn't work well.

This is because OAuth2AuthorizationCodeGrantFilter#shouldProcessAuthorizationResponse compares registered redirect_uri (AuthRequest: http://some/auth?param=foo) against the redirected request URI without query parameters. (AuthResponse: http://some/auth)

This patch updates the redirect_uri comparison not only checking base uri but also checks query params in the registered redirect_uri whether they are all included in the authorization response's query parameters.

Also, in the patch, it now retrieves final redirect_uri from authorizationRequest since authorizationResponse.getRedirectUri() does not have query parameters.
This might be debatable and also may change based on #7324.

[jgrandja]

Thanks for the PR @ttddyy. Please see my comments.

[jgrandja]

Can you please remove this and keep the changes contained in OAuth2AuthorizationResponseUtils and OAuth2AuthorizationCodeGrantFilter, as well as the Reactive counterparts. I would like to get this into a patch release.

NOTE: In processAuthorizationResponse(), I believe you can build the redirect-uri for OAuth2AuthorizationResponse as follows:

		MultiValueMap<String, String> params = OAuth2AuthorizationResponseUtils.toMultiMap(request.getParameterMap());
		String redirectUri = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
				.replaceQueryParam(OAuth2ParameterNames.CODE, (Object) null)
				.replaceQueryParam(OAuth2ParameterNames.STATE, (Object) null)
				.build()
				.toUriString();
		OAuth2AuthorizationResponse authorizationResponse = OAuth2AuthorizationResponseUtils.convert(params, redirectUri);

[ttddyy]

The OAuth2AuthorizationResponseUtils is package scoped to org.springframework.security.oauth2.client.web, so cannot reference from provider/validator(org.springframework.security.oauth2.client.authentication).

So, ok to make it public??

[jgrandja]

OAuth2AuthorizationExchangeValidator does not need to change. What I was suggesting previously is to add the following to OAuth2AuthorizationResponseUtils:

static OAuth2AuthorizationResponse convert(HttpServletRequest request) {
	MultiValueMap<String, String> params = toMultiMap(request.getParameterMap());
	MultiValueMap<String, String> redirectParams = new LinkedMultiValueMap<>(params);
	redirectParams.remove(OAuth2ParameterNames.CODE);
	redirectParams.remove(OAuth2ParameterNames.STATE);
	String redirectUri = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
			.replaceQueryParams(redirectParams)
			.build()
			.toUriString();
	return convert(params, redirectUri);
}

This utility method can than be used in shouldProcessAuthorizationResponse and processAuthorizationResponse. This will contain the changes only in OAuth2AuthorizationCodeGrantFilter.

[ttddyy]

ok, but I think there is a problem when multiple parameters are presented.

For example, following should match:

• http://localhost/auth?foo=FOO&bar=BAR
• http://localhost/auth?bar=BAR&foo=FOO

If it does simple string match of redirect_uri in OAuth2AuthorizationExchangeValidator, they are considered as different.

[jgrandja]

I'm not sure if this is an issue. I'm expecting the provider to perform the redirect using the registered redirect-uri as-is so it should be the same order as specified in ClientRegistration.redirect-uri.

[jgrandja]

I just tested with Okta and it's performing an exact match.

The registered redirect-uri is http://locahost:8080/authorized/okta2?param1=value1&param2=value2.

If I trigger the Authorization Request using the redirect-uri http://locahost:8080/authorized/okta2?param2=value2&param1=value1 it fails.

[jgrandja]

This is not needed. Please see previous comment on how to build the OAuth2AuthorizationResponse.redirectUri with query parameters.

[ttddyy]

I have updated the PR

• just kept the OAuth2AuthorizationExchangeUtils as is due to utility class scope
• removed parameters from OAuth2AuthorizationResponse
• updated the way to get redirectUri from http request in OAuth2AuthorizationCodeGrantFilter
• put back to use authorizationResponse to get redirectUrl

[ttddyy]

Updated the PR.

Now, simply it checks the redirected url by removing code and state parameters.

Limitations would be:

• the redirected url parameters need to be exactly same order in OAuth2AuthorizationRequest#redirectUri
• Also, after successful authentication, the authorization server cannot add any additional parameters to the redirecting url (in order for exact match)

[jgrandja]

@ttddyy Thank you for the updates. Please see my comment for additional changes.

[jgrandja]

@ttddyy After reviewing the spec:

The redirection endpoint URI MUST be an absolute URI as defined by
[RFC3986] Section 4.3. The endpoint URI MAY include an
"application/x-www-form-urlencoded" formatted (per Appendix B) query
component ([RFC3986] Section 3.4), which MUST be retained when adding
additional query parameters. The endpoint URI MUST NOT include a
fragment component.

NOTE the bold highlight. As per spec, the Authorization Server will ADD additional query parameters to the redirect-uri. This means that the query parameters in the redirect_uri (if any) should be in the correct order. Also, in addition to code and state, the Authorization Server may add additional query parameters. I've tested this with google and additional parameters are added on top of code and state. Can you please add a test for this scenario and adjust the code for this.

[ttddyy]

@jgrandja
Updated the logic to handle additional params from auth server.
For test, added a case to simulate additional parameter added by authorization server.
Also, rebased to the latest master.

[jgrandja]

If the authorization server adds additional parameters to the authorization response, than the OAuth2AuthorizationResponse.redirectUri will contain the additional parameters and result in a failed validation check in OAuth2AuthorizationCodeAuthenticationProvider and the call to OAuth2AuthorizationExchangeValidator.validate() when it compares the redirectUri between the authorization request and response. This revealed that we need an integration test for this scenario. Can you please add an integration test and fix so it passes. Take a look at OAuth2LoginTests or OAuth2LoginConfigurerTests for an example for the integration test.

[ttddyy]

ah, true.
So, now the question is how you want to share the validation logic.
My original PR introduced OAuth2AuthorizationExchangeUtils class to share the validation logic between OAuth2AuthorizationCodeGrantFilter and OAuth2AuthorizationExchangeValidator. (also OidcAuthorizationCodeAuthenticationProvider). (link bit outdated)

This is because OAuth2AuthorizationResponseUtils seems good place to put the validation logic but it is package scoped class.
Since ~CodeGrantFilter and ~ExchangeValidator are in different package, we need a way to share this validation logic. So, if you don't oppose, I'm going to put back OAuth2AuthorizationExchangeUtils to share the redirect url validation logic.

[jgrandja]

So, now the question is how you want to share the validation logic.
My original PR introduced OAuth2AuthorizationExchangeUtils class to share the validation logic between OAuth2AuthorizationCodeGrantFilter and OAuth2AuthorizationExchangeValidator

We do not want to share the logic between OAuth2AuthorizationCodeGrantFilter and OAuth2AuthorizationExchangeValidator. Reason being is that OAuth2AuthorizationCodeGrantFilter is in the web sub-package and the OAuth2AuthorizationExchangeValidator is in the authentication sub-package, which is NOT a web component.

The validation check in OAuth2AuthorizationExchangeValidator can simply be changed to:

if (!authorizationResponse.getRedirectUri().startsWith(authorizationRequest.getRedirectUri()))

It's safe to use startsWith, since we know that any additional query parameters will be appended to the registered redirect-uri

The redirection endpoint URI MUST be an absolute URI as defined by
[RFC3986] Section 4.3. The endpoint URI MAY include an
"application/x-www-form-urlencoded" formatted (per Appendix B) query
component ([RFC3986] Section 3.4), which MUST be retained when adding
additional query parameters. The endpoint URI MUST NOT include a
fragment component.

[jgrandja]

@ttddyy This can be simplified as follows:

		String requestUrl = UrlUtils.buildFullRequestUrl(request);
		MultiValueMap<String, String> params = OAuth2AuthorizationResponseUtils.toMultiMap(request.getParameterMap());
		if (requestUrl.startsWith(authorizationRequest.getRedirectUri()) &&
				OAuth2AuthorizationResponseUtils.isAuthorizationResponse(params)) {
			return true;
		}

[ttddyy]

@jgrandja
There is a problem with startWith() check which is caught by existing test.

Let's say here is changed to use startWith() as below:

String requestUrl = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
    .replaceQueryParam(OAuth2ParameterNames.CODE)
    .replaceQueryParam(OAuth2ParameterNames.STATE)
    .build()
    .toUriString();
MultiValueMap<String, String> params = OAuth2AuthorizationResponseUtils.toMultiMap(request.getParameterMap());

if (requestUrl.startsWith(authorizationRequest.getRedirectUri()) &&
    OAuth2AuthorizationResponseUtils.isAuthorizationResponse(params)) {
    return true;
}
return false;

This logic matches when:

• requestUrl = http://localhost/callback/client-1-no-match
• authorizationRequest.getRedirectUri() = http://localhost/callback/client-1

Thus, simple startWith() check doesn't work.

So, if we don't want to share the code between filter and validator:

• put same logic in both place
• or, maybe perform through check(isValidRedirectUrl) in filter, but simply only do startWith() check in validator

[jgrandja]

@ttddyy Yes, you are right, there is a problem with using startsWith(). Instead we should perform exact matching on all parts of the URI, with the exception of the query parameters since there may be additional parameters sent in the authorization response.

In the shouldProcessAuthorizationResponse() method, can you make use of UriComponentsBuilder for both the request (authorization response) and authorizationRequest.getRedirectUri() and perform exact matching on each part, eg. scheme, userInfo, host, port, path. The query parameters (if any) in the authorizationRequest.getRedirectUri() should exist in the same order in request (authorization response).

On a side note, the validation logic for redirect-uri in OAuth2AuthorizationExchangeValidator is redundant. The matching happens in shouldProcessAuthorizationResponse() so we don't need to double validate in OAuth2AuthorizationExchangeValidator. Please remove the existing validation which will simply things.

[ttddyy]

Updated the PR adding an integration test, OAuth2AuthorizationCodeGrantRedirectTests.
Currently some of the tests are failing as expected since the validation logic is not yet updated.
Once we solve the validation logic issue, I'll update the PR.

[jgrandja]

@ttddyy Apologies for the delayed response. Please see my additional comments.

[jgrandja]

Please move to same package as org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurerTests

[jgrandja]

Please move the configuration to bottom of class.

[jgrandja]

@ttddyy Yes, you are right, there is a problem with using startsWith(). Instead we should perform exact matching on all parts of the URI, with the exception of the query parameters since there may be additional parameters sent in the authorization response.

In the shouldProcessAuthorizationResponse() method, can you make use of UriComponentsBuilder for both the request (authorization response) and authorizationRequest.getRedirectUri() and perform exact matching on each part, eg. scheme, userInfo, host, port, path. The query parameters (if any) in the authorizationRequest.getRedirectUri() should exist in the same order in request (authorization response).

On a side note, the validation logic for redirect-uri in OAuth2AuthorizationExchangeValidator is redundant. The matching happens in shouldProcessAuthorizationResponse() so we don't need to double validate in OAuth2AuthorizationExchangeValidator. Please remove the existing validation which will simply things.

[jgrandja]

@ttddyy

the validation logic for redirect-uri in OAuth2AuthorizationExchangeValidator is redundant. The matching happens in shouldProcessAuthorizationResponse() so we don't need to double validate in OAuth2AuthorizationExchangeValidator.

I removed the redundant validation in #7708 to help with this PR.

[ttddyy]

I removed the redundant validation in #7708 to help with this PR.

Thanks, will work on this ticket early next week with rebasing to the latest.

[ttddyy]

@jgrandja
Hi, the PR has updated. Can you check.
Thanks,

[jgrandja]

@ttddyy Thank you for the updates. After reviewing, I still feel the logic can be simplified and the code can be reduced further. Our ultimate goal with PR's is to introduce the minimal amount of code required to either fix a bug or introduce a new feature. The main reason is because the more code we add the more we need to maintain. It is definitely a challenging task but it is important.

Having said that, I decided to go ahead and apply the fix myself in this commit 3c86239. Thank you for your understanding.