I'm using encrypted request objects for the authorization request. If I have only one redirect URI per client, everything works fine but if there are 2 or more redirect URIs per client, then I get the following exception:
Invalid redirect: null does not match one of the registered values: [https://localhost:8443/sample-client/openid_connect_login, https://localhost:8443/sample-client/openid_connect_register]
The root cause is the following:
The request is built fine but the server cannot process it completely successfully. The server successfully decrypts the object and creates the authorization request in org.mitre.openid.connect.request.ConnectOAuth2RequestFactory, but when org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint processes the decrypted authorization request further, it fails to retrieve the redirect_uri from the request parameters in org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint::authorize at this line: String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);

Either there is a bug in org.mitre.openid.connect.request.ConnectOAuth2RequestFactory, which should set the request parameters map of the authorization request accordingly, or there is a bug in spring security (org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint), which should additionally look at the decrypted redirectUri attribute for the redirect URI.
Tested with OpenID-Connect-Java-Spring-Server 1.2.6 and current 1.3.0 snapshot.
I work around the problem by overlaying my custom ConnectOAuthRequestFactory, which adds the redirect URI to the parameters list of the created authorization request in order to allow spring oauth to find it.
I can provide the fix if you like.
Is this something that the spring oauth team should fix, or will you consider fixing it?
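The following is an added illustration of the failure mode in this report, not code from MITREid Connect or Spring Security OAuth2. The AuthRequest class and resolveRedirect method are simplified stand-ins written for this example (they mimic the behaviour described above, not the real classes), and the client registration, query parameters and decrypted claims are constructed sample data using the two redirect URIs from the error message. It shows why the lookup through the parameter map returns null when the decrypted redirect_uri claim is only stored in the typed field, why that is masked when a single redirect URI is registered, and the shape of the workaround: merging the decrypted claims into the parameter map before the endpoint reads it.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration of the redirect_uri failure described in this issue.
 * The types below are simplified stand-ins written for this example; they are
 * NOT the Spring Security OAuth2 or MITREid Connect classes. The sample URIs
 * and claims are constructed (URIs taken from the error message in the report).
 */
public class RedirectUriFromRequestObject {

    // Same parameter name the endpoint looks up via OAuth2Utils.REDIRECT_URI.
    static final String REDIRECT_URI = "redirect_uri";

    // Minimal stand-in for AuthorizationRequest: a parameter map plus a typed redirectUri field.
    static final class AuthRequest {
        private final Map<String, String> requestParameters;
        private final String redirectUri;

        AuthRequest(Map<String, String> requestParameters, String redirectUri) {
            this.requestParameters = Collections.unmodifiableMap(new HashMap<>(requestParameters));
            this.redirectUri = redirectUri;
        }

        Map<String, String> getRequestParameters() { return requestParameters; }

        String getRedirectUri() { return redirectUri; }
    }

    // Defective factory, as the report describes it: the typed field is set from the
    // decrypted claim, but the parameter map still holds only the plaintext query
    // parameters, which carry no redirect_uri when a request object is used.
    static AuthRequest createDroppingClaims(Map<String, String> queryParams,
                                            Map<String, String> decryptedClaims) {
        return new AuthRequest(queryParams, decryptedClaims.get(REDIRECT_URI));
    }

    // Corrected factory, the shape of the reporter's workaround: merge the decrypted
    // claims into the parameter map so later code that reads the map sees them.
    // Claims from the request object overwrite plaintext parameters of the same name
    // (OpenID Connect Core 6.1 says request object values supersede query values),
    // so an unprotected query parameter cannot override the protected value.
    static AuthRequest createMergingClaims(Map<String, String> queryParams,
                                           Map<String, String> decryptedClaims) {
        Map<String, String> merged = new HashMap<>(queryParams);
        merged.putAll(decryptedClaims);
        return new AuthRequest(merged, merged.get(REDIRECT_URI));
    }

    // Stand-in for the redirect resolver behaviour behind the reported message:
    // a missing redirect_uri is tolerated only when exactly one URI is registered;
    // otherwise the requested value must exactly match a registered one.
    static String resolveRedirect(String requested, Set<String> registered) {
        if (requested == null && registered.size() == 1) {
            return registered.iterator().next();
        }
        for (String candidate : registered) {
            if (candidate.equals(requested)) {
                return candidate;
            }
        }
        throw new IllegalArgumentException("Invalid redirect: " + requested
                + " does not match one of the registered values: " + registered);
    }

    // Mirrors what the endpoint does: it reads the parameter map, not the typed field.
    static String resolveAsEndpointDoes(AuthRequest request, Set<String> registered) {
        String redirectUriParameter = request.getRequestParameters().get(REDIRECT_URI);
        return resolveRedirect(redirectUriParameter, registered);
    }

    public static void main(String[] args) {
        // Constructed client registration with two redirect URIs (the failing case).
        Set<String> registered = new LinkedHashSet<>(Arrays.asList(
                "https://localhost:8443/sample-client/openid_connect_login",
                "https://localhost:8443/sample-client/openid_connect_register"));

        // Constructed plaintext query: only client_id and the opaque request object.
        Map<String, String> query = new HashMap<>();
        query.put("client_id", "sample-client");
        query.put("request", "<encrypted request object, contents not shown>");

        // Constructed claims as they would look after the server decrypts the request object.
        Map<String, String> claims = new HashMap<>();
        claims.put("response_type", "code");
        claims.put(REDIRECT_URI, "https://localhost:8443/sample-client/openid_connect_login");

        AuthRequest broken = createDroppingClaims(query, claims);
        System.out.println("typed field holds: " + broken.getRedirectUri());
        try {
            resolveAsEndpointDoes(broken, registered);
        } catch (IllegalArgumentException e) {
            System.out.println("defective factory -> " + e.getMessage());
        }

        AuthRequest fixed = createMergingClaims(query, claims);
        System.out.println("corrected factory -> " + resolveAsEndpointDoes(fixed, registered));
    }
}
```

Compile and run with javac and java; the defective path prints the same "Invalid redirect: null does not match one of the registered values" message seen in the report, and the corrected path resolves the login URI. Reducing the registration to a single URI makes the defective path succeed too, which is why the problem only surfaces with two or more registered redirect URIs: the resolver's single-URI fallback hides the missing parameter. Because the endpoint reads only the parameter map, the merge step is the place to apply the fix whichever component is considered to own the bug, and keeping the decrypted claims authoritative in that merge preserves the integrity that the encrypted request object was meant to provide.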