OidcConfigurationProvider validate returned issuer

Validate the issuer that was returned matches the issuer that was was requested. Issue: gh-5355
2025-05-31 09:12:14 +00:00 · 2018-05-18 13:15:27 -05:00 · 2018-05-18 13:15:27 -05:00 · 9d55a64465
commit 9d55a64465
parent 81d214e81b
2 changed files with 25 additions and 3 deletions
--- a/config/src/main/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProvider.java
+++ b/config/src/main/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProvider.java
@ -70,6 +70,11 @@ public final class OidcConfigurationProvider {
 	public static ClientRegistration.Builder issuer(String issuer) {
 		String openidConfiguration = getOpenidConfiguration(issuer);
 		OIDCProviderMetadata metadata = parse(openidConfiguration);
+		String metadataIssuer = metadata.getIssuer().getValue();
+		if (!issuer.equals(metadataIssuer)) {
+			throw new IllegalStateException("The Issuer \"" + metadataIssuer + "\" provided in the OpenID Configuration did not match the requested issuer \"" + issuer + "\"");
+		}
+
 		String name = URI.create(issuer).getHost();
 		ClientAuthenticationMethod method = getClientAuthenticationMethod(issuer, metadata.getTokenEndpointAuthMethods());
 		List<GrantType> grantTypes = metadata.getGrantTypes();
--- a/config/src/test/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProviderTests.java
+++ b/config/src/test/java/org/springframework/security/config/oauth2/client/oidc/OidcConfigurationProviderTests.java
@ -205,20 +205,37 @@ public class OidcConfigurationProviderTests {
 	@Test
 	public void issuerWhenEmptyStringThenMeaningfulErrorMessage() {
 		assertThatThrownBy(() -> OidcConfigurationProvider.issuer(""))
-			.hasMessageContaining("Unable to resolve the OpenID Configuration with the provided Issuer of \"\"");
+				.hasMessageContaining("Unable to resolve the OpenID Configuration with the provided Issuer of \"\"");
 	}

-	private ClientRegistration registration(String path) throws Exception {
+	@Test
+	public void issuerWhenOpenIdConfigurationDoesNotMatchThenMeaningfulErrorMessage()  throws Exception {
+		this.issuer = createIssuerFromServer("");
+		String body = this.mapper.writeValueAsString(this.response);
+		MockResponse mockResponse = new MockResponse()
+				.setBody(body)
+				.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
+		this.server.enqueue(mockResponse);
+		assertThatThrownBy(() -> OidcConfigurationProvider.issuer(this.issuer))
+				.hasMessageContaining("The Issuer \"https://example.com\" provided in the OpenID Configuration did not match the requested issuer \"" + this.issuer + "\"");
+	}
+
+	private ClientRegistration registration(String path) throws Exception {
+		this.issuer = createIssuerFromServer(path);
+		this.response.put("issuer", this.issuer);
 		String body = this.mapper.writeValueAsString(this.response);
 		MockResponse mockResponse = new MockResponse()
 				.setBody(body)
 				.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE);
 		this.server.enqueue(mockResponse);
-		this.issuer = this.server.url(path).toString();

 		return OidcConfigurationProvider.issuer(this.issuer)
 			.clientId("client-id")
 			.clientSecret("client-secret")
 			.build();
 	}
+
+	private String createIssuerFromServer(String path) {
+		return this.server.url(path).toString();
+	}
 }