Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

DefaultServerOAuth2AuthorizationRequestResolver uses fromUri 

Fixes gh-6952
This commit is contained in:
Rob Winch 2019-06-04 15:28:14 -05:00
parent abe7da6b85
commit 3c7aa4243f
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
View File

@ -18,7 +18,6 @@ package org.springframework.security.oauth2.client.web.server;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest; import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator; import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator; import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistration;
@ -160,7 +159,7 @@ public class DefaultServerOAuth2AuthorizationRequestResolver
Map<String, String> uriVariables = new HashMap<>(); Map<String, String> uriVariables = new HashMap<>();
uriVariables.put("registrationId", clientRegistration.getRegistrationId()); uriVariables.put("registrationId", clientRegistration.getRegistrationId());
String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request)) String baseUrl = UriComponentsBuilder.fromUri(request.getURI())
.replacePath(request.getPath().contextPath().value()) .replacePath(request.getPath().contextPath().value())
.replaceQuery(null) .replaceQuery(null)
.build() .build()

14
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolverTests.java
View File

@ -90,6 +90,20 @@ public class DefaultServerOAuth2AuthorizationRequestResolverTests {
return this.resolver.resolve(exchange).block(); return this.resolver.resolve(exchange).block();
} }
@Test
public void resolveWhenForwardedHeadersClientRegistrationFoundThenWorks() {
when(this.clientRegistrationRepository.findByRegistrationId(any())).thenReturn(
Mono.just(this.registration));
ServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/oauth2/authorization/id").header("X-Forwarded-Host", "evil.com"));
OAuth2AuthorizationRequest request = this.resolver.resolve(exchange).block();
assertThat(request.getAuthorizationRequestUri()).matches("https://example.com/login/oauth/authorize\\?" +
"response_type=code&client_id=client-id&" +
"scope=read:user&state=.*?&" +
"redirect_uri=/login/oauth2/code/registration-id");
}
@Test @Test
public void resolveWhenAuthorizationRequestWithValidPkceClientThenResolves() { public void resolveWhenAuthorizationRequestWithValidPkceClientThenResolves() {
when(this.clientRegistrationRepository.findByRegistrationId(any())).thenReturn( when(this.clientRegistrationRepository.findByRegistrationId(any())).thenReturn(