From 24c3c522549399ce0854751ab1a513136bef8eb4 Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Wed, 26 May 2021 12:19:54 -0600
Subject: [PATCH] Polish postLogoutRedirectUri encoding

Issue gh-9511
---
 .../OidcClientInitiatedLogoutSuccessHandler.java | 10 +++++-----
 .../OidcClientInitiatedLogoutSuccessHandlerTests.java | 8 +++++---
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java
index 0fb6f28627..262e08a2aa 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java
@@ -67,7 +67,7 @@ public final class OidcClientInitiatedLogoutSuccessHandler extends SimpleUrlLogo
 URI endSessionEndpoint = this.endSessionEndpoint(clientRegistration);
 if (endSessionEndpoint != null) {
 String idToken = idToken(authentication);
- URI postLogoutRedirectUri = postLogoutRedirectUri(request);
+ String postLogoutRedirectUri = postLogoutRedirectUri(request);
 targetUrl = endpointUri(endSessionEndpoint, idToken, postLogoutRedirectUri);
 }
 }
@@ -89,7 +89,7 @@ public final class OidcClientInitiatedLogoutSuccessHandler extends SimpleUrlLogo
 return ((OidcUser) authentication.getPrincipal()).getIdToken().getTokenValue();
 }
 
- private URI postLogoutRedirectUri(HttpServletRequest request) {
+ private String postLogoutRedirectUri(HttpServletRequest request) {
 if (this.postLogoutRedirectUri == null) {
 return null;
 }
@@ -100,13 +100,13 @@ public final class OidcClientInitiatedLogoutSuccessHandler extends SimpleUrlLogo
 .replaceQuery(null)
 .fragment(null)
 .build();
- return URI.create (UriComponentsBuilder.fromUriString(this.postLogoutRedirectUri)
+ return UriComponentsBuilder.fromUriString(this.postLogoutRedirectUri)
 .buildAndExpand(Collections.singletonMap("baseUrl", uriComponents.toUriString()))
- .toUriString());
+ .toUriString();
 // @formatter:on
 }
 
- private String endpointUri(URI endSessionEndpoint, String idToken, URI postLogoutRedirectUri) {
+ private String endpointUri(URI endSessionEndpoint, String idToken, String postLogoutRedirectUri) {
 UriComponentsBuilder builder = UriComponentsBuilder.fromUri(endSessionEndpoint);
 builder.queryParam("id_token_hint", idToken);
 if (postLogoutRedirectUri != null) {
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java
index f33308f76c..f63e63da0f 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java
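Review bot: Dropping `URI.create(...)` around the expanded template in postLogoutRedirectUri(HttpServletRequest) also drops the only syntactic validation the configured value received before it is appended as the `post_logout_redirect_uri` query value in endpointUri, and neither method now says what encoding state its string is in. The new test expects `forwardUrl%3Dsecured%253Fparam%253Dtrue` for a configured `forwardUrl=secured%3Fparam%3Dtrue`, which implies the value is percent-encoded exactly once in the part of endpointUri below this hunk, so a caller that pre-encodes differently gets a different value at the provider. I would state that contract on both methods, e.g. on postLogoutRedirectUri: `/** Expands {@code {baseUrl}} in the configured post-logout redirect URI and returns it as a plain, unvalidated string; endpointUri encodes it once as a query value. */`, with a matching sentence on endpointUri. The same URI-to-String change appears in the -67 and -89 hunks; both enclosing methods begin or end outside those hunks, and endpointUri's body continues past this one.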
@@ -138,15 +138,17 @@ public class OidcClientInitiatedLogoutSuccessHandlerTests {
 "https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org");
 }
 
+ // gh-9511
 @Test
- public void logoutWhenUsingPostLogoutRedirectUriWithQueryParametersThenBuildItForRedirectWithEncodedQueryParameters() throws IOException, ServletException {
+ public void logoutWhenUsingPostLogoutRedirectUriWithQueryParametersThenBuildsItForRedirect()
+ throws IOException, ServletException {
 OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(TestOidcUsers.create(),
 AuthorityUtils.NO_AUTHORITIES, this.registration.getRegistrationId());
 this.handler.setPostLogoutRedirectUri("https://rp.example.org/context?forwardUrl=secured%3Fparam%3Dtrue");
 this.request.setUserPrincipal(token);
 this.handler.onLogoutSuccess(this.request, this.response, token);
- assertThat(this.response.getRedirectedUrl()).isEqualTo(
- "https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org/context?forwardUrl%3Dsecured%253Fparam%253Dtrue");
+ assertThat(this.response.getRedirectedUrl()).isEqualTo("https://endpoint?id_token_hint=id-token&"
+ + "post_logout_redirect_uri=https://rp.example.org/context?forwardUrl%3Dsecured%253Fparam%253Dtrue");
 }
 
 @Test
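Review bot: The `// gh-9511` marker added above the renamed test says nothing about what the assertion pins, and since the new method name no longer mentions encoding, the expected `%253F`/`%253D` is easy to misread as a double-encoding bug rather than the intended behavior. I would expand the comment to `// gh-9511: a pre-encoded query in the configured URI must be encoded once more, so the provider decodes post_logout_redirect_uri back to the registered value`. The test method is complete within the hunk.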