As a Galasa maintainer, I want to validate that the OpenID Connect endpoints returned by Dex are on the Galasa Dex server and that auth request payloads are valid, so that requests are not sent to malicious URLs.
Background
Vulnerability scans have highlighted some areas that do not validate the OpenID Connect endpoints returned by Dex in the OidcProvider class and that auth request payloads also aren't being validated.
These should be resolved by validating that the returned endpoints are valid URLs and are served on the Galasa Dex server.
Tasks
[x] Add validation to the OidcProvider when setting the authorization, tokens, and jwks endpoints
[x] Add validation to the request payloads in POST auth requests
[x] Check that the vulnerabilities have been resolved
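The two checks the story asks for, as an added Java example that is not Galasa's own OidcProvider code: discovery endpoints from Dex are accepted only when they are absolute https URLs on the same host and port as the configured Dex issuer, and an auth request payload is accepted only when its fields are present, well-formed and bounded. The class names, the issuer URL `dex.example.internal`, the payload field names (`client_id`, `refresh_token`, `code`) and the character set and length limit in the pattern are assumptions for illustration, as are the discovery documents constructed in `main`.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not Galasa's own code. Assumes the trusted Dex issuer URL is
// known from configuration; payload field names and limits are assumptions.
public final class OidcValidationExample {

    /** Checks endpoints from Dex's discovery document against the configured issuer. */
    static final class EndpointValidator {
        private final URI issuer;

        EndpointValidator(String issuerUrl) {
            this.issuer = URI.create(issuerUrl);
            if (issuer.getHost() == null || !"https".equalsIgnoreCase(issuer.getScheme())) {
                throw new IllegalArgumentException("Issuer must be an absolute https URL: " + issuerUrl);
            }
        }

        /** True only for an absolute https URL on the same host and port as the issuer. */
        boolean isOnDexServer(String endpoint) {
            if (endpoint == null || endpoint.isBlank()) {
                return false;
            }
            URI uri;
            try {
                uri = new URI(endpoint);
            } catch (URISyntaxException e) {
                return false; // not a valid URL at all
            }
            // Reject relative URLs, non-https schemes, embedded credentials
            // (https://dex.example.internal@other.test/...) and hosts that only
            // start with the issuer's name (dex.example.internal.other.test).
            return uri.isAbsolute()
                && uri.getHost() != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && uri.getUserInfo() == null
                && issuer.getHost().equalsIgnoreCase(uri.getHost())
                && effectivePort(issuer) == effectivePort(uri);
        }

        private static int effectivePort(URI uri) {
            return uri.getPort() == -1 ? 443 : uri.getPort();
        }

        /** Fails fast so the provider is never initialised with an off-server endpoint. */
        void validateDiscovery(Map<String, String> discovery) {
            for (String key : List.of("authorization_endpoint", "token_endpoint", "jwks_uri")) {
                String value = discovery.get(key);
                if (!isOnDexServer(value)) {
                    throw new IllegalStateException("Rejected " + key + " from discovery document: " + value);
                }
            }
        }
    }

    /** Minimal checks on a POST auth request body before anything is forwarded to Dex. */
    static final class AuthPayloadValidator {
        // Assumption: client IDs and credentials are URL-safe strings of bounded length.
        private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._~-]{1,512}");

        static boolean isValid(Map<String, String> payload) {
            String clientId = payload.get("client_id");
            if (clientId == null || !SAFE.matcher(clientId).matches()) {
                return false;
            }
            String refreshToken = payload.get("refresh_token");
            String code = payload.get("code");
            // Exactly one grant credential must be present, and it must be well-formed.
            if ((refreshToken == null) == (code == null)) {
                return false;
            }
            String credential = refreshToken != null ? refreshToken : code;
            return SAFE.matcher(credential).matches();
        }
    }

    public static void main(String[] args) {
        EndpointValidator endpoints = new EndpointValidator("https://dex.example.internal");

        // Constructed discovery response served by the trusted Dex server: accepted.
        endpoints.validateDiscovery(Map.of(
            "authorization_endpoint", "https://dex.example.internal/auth",
            "token_endpoint", "https://dex.example.internal/token",
            "jwks_uri", "https://dex.example.internal/keys"));
        System.out.println("legitimate discovery document accepted");

        // Constructed discovery response with a token endpoint on another host: rejected.
        try {
            endpoints.validateDiscovery(Map.of(
                "authorization_endpoint", "https://dex.example.internal/auth",
                "token_endpoint", "https://dex.example.internal.other.test/token",
                "jwks_uri", "https://dex.example.internal/keys"));
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }

        // Constructed payloads: one credential is valid, two credentials at once is not.
        System.out.println(AuthPayloadValidator.isValid(
            Map.of("client_id", "galasa-cli", "refresh_token", "abc.DEF-123")));
        System.out.println(AuthPayloadValidator.isValid(
            Map.of("client_id", "galasa-cli", "refresh_token", "x", "code", "y")));
    }
}
```

Comparing host and effective port separately (rather than checking that the endpoint string starts with the issuer URL) is the point of the example: a prefix check would accept a host whose name merely begins with the issuer's, and a string check alone would accept userinfo tricks that `java.net.URI` parses out cleanly.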