mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

encrypted request object does not work #1135

Open ohmarklilly opened 8 years ago

ohmarklilly commented 8 years ago

Hi,

I'm using encrypted request objects for the authorization request. If I have only one redirect URI per client, everything works fine, but if there are two or more redirect URIs per client, then I get the following exception:

Invalid redirect: null does not match one of the registered values: [https://localhost:8443/sample-client/openid_connect_login, https://localhost:8443/sample-client/openid_connect_register]

The root cause is the following:

The request is built fine, but the server cannot process it completely. The server successfully decrypts the object and creates the authorization request in org.mitre.openid.connect.request.ConnectOAuth2RequestFactory, but when org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint processes the decrypted authorization request further, it fails to retrieve the redirect_uri from the request parameters in org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint::authorize at this line:

String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);

Either there is a bug in org.mitre.openid.connect.request.ConnectOAuth2RequestFactory, which should set the request parameters map of the authorization request accordingly, or there is a bug in Spring Security (org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint), which should also look at the decrypted redirectUri attribute for the redirect URI.

Tested with OpenID-Connect-Java-Spring-Server 1.2.6 and current 1.3.0 snapshot.

I work around the problem by overlaying a custom ConnectOAuth2RequestFactory that adds the redirect URI to the parameters map of the created authorization request, so that Spring OAuth can find it.

I can provide the fix if you like.

Is this something that the Spring OAuth team should fix, or will you consider fixing it?

Thanks
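An illustration of the "overlay" workaround the reporter describes, added here as an example; it is not the reporter's code and not part of MITREid Connect or Spring Security OAuth. The subclass name RedirectUriPropagatingRequestFactory is hypothetical, and two things are assumed: that ConnectOAuth2RequestFactory has a constructor taking a single ClientDetailsEntityService, and that AuthorizationRequest exposes a public setRequestParameters(Map) setter (it does in the spring-security-oauth2 2.0.x line that the 1.2.x/1.3.x servers build against). The subclass lets the stock factory decrypt and parse the request object, then copies the resulting redirectUri attribute into the request parameter map so that AuthorizationEndpoint.authorize() finds a non-null value and runs its normal check against the client's registered redirect URIs.

```java
// Added example (not project code). Class name is hypothetical; see lead-in
// for the two assumptions about the framework APIs used here.
package example.overlay;

import java.util.HashMap;
import java.util.Map;

import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.openid.connect.request.ConnectOAuth2RequestFactory;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;

public class RedirectUriPropagatingRequestFactory extends ConnectOAuth2RequestFactory {

    // Assumed constructor shape: the stock factory is built from the client service.
    public RedirectUriPropagatingRequestFactory(ClientDetailsEntityService clientDetailsService) {
        super(clientDetailsService);
    }

    @Override
    public AuthorizationRequest createAuthorizationRequest(Map<String, String> inputParams) {
        // Let the stock factory decrypt/verify the request object and populate
        // the AuthorizationRequest, including its redirectUri attribute.
        AuthorizationRequest request = super.createAuthorizationRequest(inputParams);

        String fromObject = request.getRedirectUri();
        Map<String, String> params = request.getRequestParameters();
        String fromQuery = (params == null) ? null : params.get(OAuth2Utils.REDIRECT_URI);

        if (fromObject == null || fromObject.isEmpty()) {
            // No redirect_uri came out of the request object; leave Spring's
            // normal handling (single registered URI, or a plain redirect_uri
            // query parameter) untouched.
            return request;
        }

        if (fromQuery != null && !fromQuery.equals(fromObject)) {
            // The encrypted object and the bare query parameter disagree. Refuse
            // rather than silently picking one: whoever can edit the unprotected
            // query string must not be able to steer the redirect away from the
            // value carried inside the encrypted object.
            throw new InvalidRequestException(
                "redirect_uri in request object does not match redirect_uri parameter");
        }

        if (fromQuery == null) {
            // Copy the decrypted value into the parameter map so that
            // AuthorizationEndpoint.authorize() sees it and validates it against
            // the client's registered redirect URIs as usual. The map returned by
            // getRequestParameters() is unmodifiable, so build a fresh copy.
            Map<String, String> copy = new HashMap<>();
            if (params != null) {
                copy.putAll(params);
            }
            copy.put(OAuth2Utils.REDIRECT_URI, fromObject);
            request.setRequestParameters(copy);
        }
        return request;
    }
}
```

To use it, replace the bean definition that instantiates ConnectOAuth2RequestFactory in the server's Spring configuration with this class. Note that the copy does not bypass any check: the endpoint still compares the propagated value against the registered redirect URIs, which is exactly the comparison that fails with null in the report above. Rejecting a mismatch between the query parameter and the request object is a conservative policy choice made in this example, not something the server or the issue prescribes.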

ohmarklilly commented 8 years ago

Updated issue because the error only occurs when 2 or more redirect URIs are configured per client.