From 0973c74b9d68afc7d82be4e8e28dd8800b0a49d9 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Mon, 14 Feb 2022 23:04:00 +0100 Subject: [PATCH] providers/oauth2: fix redirect_uri being lowercased on successful validation Signed-off-by: Jens Langhammer --- .../providers/oauth2/tests/test_authorize.py | 20 +++++++++++-------- authentik/providers/oauth2/views/authorize.py | 9 ++++++--- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/authentik/providers/oauth2/tests/test_authorize.py b/authentik/providers/oauth2/tests/test_authorize.py index 660b90a79..a80ba4adc 100644 --- a/authentik/providers/oauth2/tests/test_authorize.py +++ b/authentik/providers/oauth2/tests/test_authorize.py @@ -43,7 +43,7 @@ class TestAuthorize(OAuthTestCase): name="test", client_id="test", authorization_flow=create_test_flow(), - redirect_uris="http://local.invalid", + redirect_uris="http://local.invalid/Foo", ) with self.assertRaises(AuthorizeError): request = self.factory.get( @@ -51,7 +51,7 @@ class TestAuthorize(OAuthTestCase): data={ "response_type": "code", "client_id": "test", - "redirect_uri": "http://local.invalid", + "redirect_uri": "http://local.invalid/Foo", "request": "foo", }, ) @@ -105,26 +105,30 @@ class TestAuthorize(OAuthTestCase): name="test", client_id="test", authorization_flow=create_test_flow(), - redirect_uris="http://local.invalid", + redirect_uris="http://local.invalid/Foo", ) request = self.factory.get( "/", data={ "response_type": "code", "client_id": "test", - "redirect_uri": "http://local.invalid", + "redirect_uri": "http://local.invalid/Foo", }, ) self.assertEqual( OAuthAuthorizationParams.from_request(request).grant_type, GrantTypes.AUTHORIZATION_CODE, ) + self.assertEqual( + OAuthAuthorizationParams.from_request(request).redirect_uri, + "http://local.invalid/Foo", + ) request = self.factory.get( "/", data={ "response_type": "id_token", "client_id": "test", - "redirect_uri": "http://local.invalid", + "redirect_uri": "http://local.invalid/Foo", "scope": "openid", "state": "foo", }, @@ -140,7 +144,7 @@ class TestAuthorize(OAuthTestCase): data={ "response_type": "id_token", "client_id": "test", - "redirect_uri": "http://local.invalid", + "redirect_uri": "http://local.invalid/Foo", "state": "foo", }, ) @@ -153,7 +157,7 @@ class TestAuthorize(OAuthTestCase): data={ "response_type": "code token", "client_id": "test", - "redirect_uri": "http://local.invalid", + "redirect_uri": "http://local.invalid/Foo", "scope": "openid", "state": "foo", }, @@ -167,7 +171,7 @@ class TestAuthorize(OAuthTestCase): data={ "response_type": "invalid", "client_id": "test", - "redirect_uri": "http://local.invalid", + "redirect_uri": "http://local.invalid/Foo", }, ) OAuthAuthorizationParams.from_request(request) diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py index acd038697..0ad3e624a 100644 --- a/authentik/providers/oauth2/views/authorize.py +++ b/authentik/providers/oauth2/views/authorize.py @@ -100,7 +100,7 @@ class OAuthAuthorizationParams: # and POST request. query_dict = request.POST if request.method == "POST" else request.GET state = query_dict.get("state") - redirect_uri = query_dict.get("redirect_uri", "").lower() + redirect_uri = query_dict.get("redirect_uri", "") response_type = query_dict.get("response_type", "") grant_type = None @@ -154,7 +154,10 @@ class OAuthAuthorizationParams: def check_redirect_uri(self): """Redirect URI validation.""" allowed_redirect_urls = self.provider.redirect_uris.split() - if not self.redirect_uri: + # We don't want to actually lowercase the final URL we redirect to, + # we only lowercase it for comparsion + redirect_uri = self.redirect_uri.lower() + if not redirect_uri: LOGGER.warning("Missing redirect uri.") raise RedirectUriError("", allowed_redirect_urls) @@ -170,7 +173,7 @@ class OAuthAuthorizationParams: allow=self.redirect_uri, ) return - if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]: + if redirect_uri not in [x.lower() for x in allowed_redirect_urls]: LOGGER.warning( "Invalid redirect uri", redirect_uri=self.redirect_uri,