mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

Remove redirect uri check from the server #1480

Closed erev0s closed 5 years ago

erev0s commented 5 years ago

Hello, I would like to make the server vulnerable to a "redirect attack" as part of some testing I am doing. I found the method validateRedirectUris in the class DynamicClientRegistrationEndpoint.java, but there I can only remove the checks that stop the client from leaving the redirect URI empty.

Which part of the code is responsible for checking if the client given uri is one of the allowed ones the server has?

jansinger commented 5 years ago

Take a look into the BlacklistAwareRedirectResolver openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java which extends the Spring DefaultRedirectResolver.

The RedirectResolver is used in the AuthorizationRequestFilter to verify the Authorization Request.

erev0s commented 5 years ago

@jansinger thank you for the reply. I checked the BlacklistAwareRedirectResolver, but as I saw it, it is only used for test cases. Please correct me if I am mistaken.

jansinger commented 5 years ago

As I said, it is used in line 156 of the AuthorizationRequestFilter:

String url = redirectResolver.resolveRedirect(authRequest.getRedirectUri(), client);

And the BlacklistAwareRedirectResolver is configured as the RedirectResolver in authz-config.xml, so the AuthorizationRequestFilter uses the BlacklistAwareRedirectResolver bean as its RedirectResolver.

erev0s commented 5 years ago

@jansinger, you were absolutely correct. I had not seen authz-config.xml at all. Thank you very much for your help; I have managed to do it now. Have a great day :D
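For readers who want to see the shape of the check the thread locates (a resolver that takes the requested redirect_uri and the registered client, and either returns the URI to redirect to or rejects the request, with a server-wide blacklist consulted afterwards), here is an illustrative reimplementation in Python. It is an added example, not code from MITREid Connect or Spring Security; the names Client, Blacklist, resolve_redirect and InvalidRedirectError are assumptions for this example, and the registered URIs and blacklist entries are constructed inputs. The enforce=False branch reproduces what the issue asks for, the check removed, so the resulting open redirect can be observed side by side with the enforced behaviour.

```python
"""Illustrative redirect_uri resolver (example code, not MITREid's or Spring's).

Exact string matching against the client's registered redirect URIs is the
behaviour recommended for OAuth 2.0 servers; a deny list is applied on top.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


class InvalidRedirectError(Exception):
    """Raised when the requested redirect_uri is not acceptable (assumed name)."""


@dataclass(frozen=True)
class Client:
    """Minimal stand-in for a registered OAuth client (assumed shape)."""
    client_id: str
    registered_redirect_uris: frozenset


@dataclass
class Blacklist:
    """Server-wide deny list of redirect targets (assumed, not the project's API)."""
    uris: set = field(default_factory=set)

    def is_blacklisted(self, uri: str) -> bool:
        return uri in self.uris


def resolve_redirect(requested: Optional[str], client: Client,
                     blacklist: Blacklist, enforce: bool = True) -> str:
    """Return the redirect target for an authorization request, or raise.

    enforce=False is the "check removed" lab configuration: whatever the
    request carries is accepted, so an attacker-supplied redirect_uri wins.
    """
    if not enforce:
        if requested is None:
            raise InvalidRedirectError("no redirect_uri in request")
        return requested

    registered = client.registered_redirect_uris
    if not registered:
        raise InvalidRedirectError("client has no registered redirect URIs")

    if requested is None:
        # Only safe to pick a default when there is exactly one candidate.
        if len(registered) != 1:
            raise InvalidRedirectError("redirect_uri required: several registered")
        chosen = next(iter(registered))
    else:
        # RFC 6749 section 3.1.2: the redirect endpoint must not carry a fragment.
        if urlsplit(requested).fragment:
            raise InvalidRedirectError("redirect_uri must not contain a fragment")
        # Exact string comparison on purpose: no prefix or host-only matching.
        if requested not in registered:
            raise InvalidRedirectError(
                f"redirect_uri {requested!r} not registered for {client.client_id}")
        chosen = requested

    if blacklist.is_blacklisted(chosen):
        raise InvalidRedirectError(f"redirect_uri {chosen!r} is blacklisted")
    return chosen


def demo() -> dict:
    """Run the resolver over constructed inputs and return each outcome."""
    client = Client("web-app", frozenset({
        "https://app.example.com/callback",   # constructed
        "https://app.example.com/legacy",     # constructed, later blacklisted
    }))
    deny = Blacklist({"https://app.example.com/legacy"})
    cases = {
        "exact": "https://app.example.com/callback",
        "legacy": "https://app.example.com/legacy",
        "attacker": "https://attacker.example/cb",
        "prefix_trick": "https://app.example.com/callback/../admin",
        "fragment": "https://app.example.com/callback#token",
        "missing": None,
    }
    results = {}
    for name, uri in cases.items():
        try:
            results[name] = resolve_redirect(uri, client, deny)
        except InvalidRedirectError as exc:
            results[name] = "rejected: " + str(exc)
    # Same attacker URI once the check is removed, as the issue asks for.
    results["attacker_check_removed"] = resolve_redirect(
        cases["attacker"], client, deny, enforce=False)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The contrast worth noticing is the last line of the demo: with enforcement off, the authorization code or token would be sent to attacker.example, which is the condition a test lab built from this thread is meant to exhibit; in production the exact-match branch is what stands between the client's registration and that outcome.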