Fix OAuth2AuthorizationRequestRedirectWebFilter baseurl exclude querystring

To create redirect_uri in OAuth2AuthorizationRequestRedirectWebFilter, queryParam is included in the current request-based baseUrl. So when binding to the redirectUriTemplate, the wrong type of redirect_uri may be created. Fixed: gh-5520
2018-07-23 10:47:23 +09:00 · 2018-07-23 10:47:23 +09:00 · ba29b363fc
parent 195a6943e2
commit ba29b363fc
2 changed files with 21 additions and 0 deletions
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.java
@ -199,6 +199,7 @@ public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {

 		String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request))
 				.replacePath(request.getPath().contextPath().value())
+				.replaceQuery(null)
 				.build()
 				.toUriString();
 		uriVariables.put("baseUrl", baseUrl);
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilterTests.java
@ -135,6 +135,26 @@ public class OAuth2AuthorizationRequestRedirectWebFilterTests {
 		verify(this.authzRequestRepository).saveAuthorizationRequest(any(), any());
 	}

+	// gh-5520
+	@Test
+	public void filterWhenDoesMatchThenResolveRedirectUriExpandedExcludesQueryString() {
+		FluxExchangeResult<String> result = this.client.get()
+				.uri("https://example.com/oauth2/authorization/github?foo=bar").exchange()
+				.expectStatus().is3xxRedirection().returnResult(String.class);
+		result.assertWithDiagnostics(() -> {
+			URI location = result.getResponseHeaders().getLocation();
+			assertThat(location)
+					.hasScheme("https")
+					.hasHost("github.com")
+					.hasPath("/login/oauth/authorize")
+					.hasParameter("response_type", "code")
+					.hasParameter("client_id", "clientId")
+					.hasParameter("scope", "read:user")
+					.hasParameter("state")
+					.hasParameter("redirect_uri", "https://example.com/login/oauth2/code/github");
+		});
+	}
+
 	@Test
 	public void filterWhenExceptionThenRedirected() {
 		FilteringWebHandler webHandler = new FilteringWebHandler(e -> Mono.error(new ClientAuthorizationRequiredException(this.github.getRegistrationId())), Arrays.asList(this.filter));