Prevent double-escaping of authorize URL parameters

If the authorization URL in the OAuth2 provider configuration contained query parameters with escaped characters, these characters were escaped a second time. This commit fixes it.

It is relevant to support the OIDC claims parameter (see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter).

Fixes gh-7871
This commit is contained in:
Manuel Bleichenbacher 2020-01-30 20:31:12 +01:00 committed by Joe Grandja
parent 0012e24c46
commit 1e4736f9b3
2 changed files with 49 additions and 9 deletions

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -23,6 +23,7 @@ import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap; import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponentsBuilder; import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;
import java.io.Serializable; import java.io.Serializable;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
@ -376,29 +377,34 @@ public final class OAuth2AuthorizationRequest implements Serializable {
private String buildAuthorizationRequestUri() { private String buildAuthorizationRequestUri() {
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>(); MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
parameters.set(OAuth2ParameterNames.RESPONSE_TYPE, this.responseType.getValue()); parameters.set(OAuth2ParameterNames.RESPONSE_TYPE, encodeQueryParam(this.responseType.getValue()));
parameters.set(OAuth2ParameterNames.CLIENT_ID, this.clientId); parameters.set(OAuth2ParameterNames.CLIENT_ID, encodeQueryParam(this.clientId));
if (!CollectionUtils.isEmpty(this.scopes)) { if (!CollectionUtils.isEmpty(this.scopes)) {
parameters.set(OAuth2ParameterNames.SCOPE, parameters.set(OAuth2ParameterNames.SCOPE,
StringUtils.collectionToDelimitedString(this.scopes, " ")); encodeQueryParam(StringUtils.collectionToDelimitedString(this.scopes, " ")));
} }
if (this.state != null) { if (this.state != null) {
parameters.set(OAuth2ParameterNames.STATE, this.state); parameters.set(OAuth2ParameterNames.STATE, encodeQueryParam(this.state));
} }
if (this.redirectUri != null) { if (this.redirectUri != null) {
parameters.set(OAuth2ParameterNames.REDIRECT_URI, this.redirectUri); parameters.set(OAuth2ParameterNames.REDIRECT_URI, encodeQueryParam(this.redirectUri));
} }
if (!CollectionUtils.isEmpty(this.additionalParameters)) { if (!CollectionUtils.isEmpty(this.additionalParameters)) {
this.additionalParameters.forEach((k, v) -> parameters.set(k, v.toString())); this.additionalParameters.forEach((k, v) ->
parameters.set(encodeQueryParam(k), encodeQueryParam(v.toString())));
} }
return UriComponentsBuilder.fromHttpUrl(this.authorizationUri) return UriComponentsBuilder.fromHttpUrl(this.authorizationUri)
.queryParams(parameters) .queryParams(parameters)
.encode(StandardCharsets.UTF_8)
.build() .build()
.toUriString(); .toUriString();
} }
// Encode query parameter value according to RFC 3986
private static String encodeQueryParam(String value) {
return UriUtils.encodeQueryParam(value, StandardCharsets.UTF_8);
}
private LinkedHashSet<String> toLinkedHashSet(String... scope) { private LinkedHashSet<String> toLinkedHashSet(String... scope) {
LinkedHashSet<String> result = new LinkedHashSet<>(); LinkedHashSet<String> result = new LinkedHashSet<>();
Collections.addAll(result, scope); Collections.addAll(result, scope);

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2020 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -307,4 +307,38 @@ public class OAuth2AuthorizationRequestTests {
"response_type=code&client_id=client-id&state=state&" + "response_type=code&client_id=client-id&state=state&" +
"redirect_uri=https://example.com/authorize/oauth2/code/registration-id"); "redirect_uri=https://example.com/authorize/oauth2/code/registration-id");
} }
@Test
public void buildWhenAuthorizationUriIncludesEscapedQueryParameterThenAuthorizationRequestUrlIncludesIt() {
OAuth2AuthorizationRequest authorizationRequest =
TestOAuth2AuthorizationRequests.request()
.authorizationUri(AUTHORIZATION_URI +
"?claims=%7B%22userinfo%22%3A%7B%22email_verified%22%3A%7B%22essential%22%3Atrue%7D%7D%7D").build();
assertThat(authorizationRequest.getAuthorizationRequestUri()).isNotNull();
assertThat(authorizationRequest.getAuthorizationRequestUri())
.isEqualTo("https://provider.com/oauth2/authorize?" +
"claims=%7B%22userinfo%22%3A%7B%22email_verified%22%3A%7B%22essential%22%3Atrue%7D%7D%7D&" +
"response_type=code&client_id=client-id&state=state&" +
"redirect_uri=https://example.com/authorize/oauth2/code/registration-id");
}
@Test
public void buildWhenNonAsciiAdditionalParametersThenProperlyEncoded() {
Map<String, Object> additionalParameters = new HashMap<>();
additionalParameters.put("item amount", "19.95" + '\u20ac');
additionalParameters.put("item name", "H" + '\u00c5' + "M" + '\u00d6');
additionalParameters.put('\u00e2' + "ge", "4" + '\u00bd');
OAuth2AuthorizationRequest authorizationRequest =
TestOAuth2AuthorizationRequests.request()
.additionalParameters(additionalParameters)
.build();
assertThat(authorizationRequest.getAuthorizationRequestUri()).isNotNull();
assertThat(authorizationRequest.getAuthorizationRequestUri())
.isEqualTo("https://example.com/login/oauth/authorize?" +
"response_type=code&client_id=client-id&state=state&" +
"redirect_uri=https://example.com/authorize/oauth2/code/registration-id&" +
"item%20amount=19.95%E2%82%AC&%C3%A2ge=4%C2%BD&item%20name=H%C3%85M%C3%96");
}
} }