Closed erev0s closed 5 years ago

Hello, I would like to make the server vulnerable to a "redirect attack" as part of some testing I am doing. I found the method validateRedirectUris in the class DynamicClientRegistrationEndpoint.java, but there I can only remove the checks that stop the client from leaving the redirect URI empty. Which part of the code is responsible for checking whether the URI given by the client is one of the allowed ones the server has?

Take a look at the BlacklistAwareRedirectResolver (openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java), which extends the Spring DefaultRedirectResolver.
The RedirectResolver is used in the AuthorizationRequestFilter to verify the Authorization Request.

@jansinger thank you for the reply. I checked the BlacklistAwareRedirectResolver, but as far as I saw it is only used for test cases. Please correct me if I am mistaken.

As I said, it is used in line 156 of the AuthorizationRequestFilter:
String url = redirectResolver.resolveRedirect(authRequest.getRedirectUri(), client);
And the BlacklistAwareRedirectResolver is configured as the RedirectResolver in authz-config.xml, so the AuthorizationRequestFilter uses the BlacklistAwareRedirectResolver as the bean for RedirectResolver.

@jansinger you were absolutely correct. I had not seen the authz-config.xml at all. Thank you very much for your help, I have managed to do it now. Have a great day :D
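A minimal illustration of the check this thread is about, added here and not taken from MITREid Connect or Spring: a resolver with the same shape as the resolveRedirect(requestedRedirect, client) call quoted above that accepts a redirect_uri only when it exactly matches one the client registered and its host is not on a server-side blacklist. The registered URI set stands in for the client object, and the blacklist and sample URIs are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Hypothetical, self-contained illustration; not the MITREid Connect or Spring code.
public class RedirectCheckExample {
    private final Set<String> blacklistedHosts;  // constructed server-side blacklist

    public RedirectCheckExample(Set<String> blacklistedHosts) {
        this.blacklistedHosts = blacklistedHosts;
    }

    // Same shape as resolveRedirect(requestedRedirect, client) in the thread; the
    // client's registered URIs stand in for the client record.
    public String resolveRedirect(String requestedRedirect, Set<String> registeredUris) {
        if (registeredUris.isEmpty()) {
            throw new IllegalStateException("client has no registered redirect URIs");
        }
        if (requestedRedirect == null) {
            if (registeredUris.size() == 1) {
                return registeredUris.iterator().next();  // single registration: safe default
            }
            throw new IllegalArgumentException("redirect_uri required when several are registered");
        }
        // Exact string match, not prefix or host matching: this is the check that
        // ties the requested URI to what the client registered.
        if (!registeredUris.contains(requestedRedirect)) {
            throw new IllegalArgumentException("redirect_uri not registered for this client");
        }
        if (isBlacklisted(requestedRedirect)) {
            throw new IllegalArgumentException("redirect_uri host is blacklisted");
        }
        return requestedRedirect;
    }

    private boolean isBlacklisted(String uri) {
        try {
            String host = new URI(uri).getHost();
            return host == null || blacklistedHosts.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return true;  // unparseable URIs are rejected as well
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one normal registration and one registered URI on a blacklisted host.
        Set<String> registered = Set.of("https://app.example.com/callback", "https://evil.example.net/cb");
        RedirectCheckExample resolver = new RedirectCheckExample(Set.of("evil.example.net"));
        System.out.println("accepted " + resolver.resolveRedirect("https://app.example.com/callback", registered));
        for (String bad : new String[] {"https://app.example.com/callback/x", "https://evil.example.net/cb"}) {
            try { resolver.resolveRedirect(bad, registered); }
            catch (RuntimeException e) { System.out.println("rejected " + bad + ": " + e.getMessage()); }
        }
    }
}
```

Running main shows the first URI accepted, the unregistered path variant rejected by the exact-match check, and the blacklisted host rejected even though it is registered.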