diff --git a/policies/client_registration/client_registration.rego b/policies/client_registration/client_registration.rego
index ad1fa9e0b..e3299ed36 100644
--- a/policies/client_registration/client_registration.rego
+++ b/policies/client_registration/client_registration.rego
@@ -13,7 +13,7 @@ allow if {
 
 parse_uri(url) := obj if {
  is_string(url)
- url_regex := `^(?P[a-z][a-z0-9+.-]*):(?://(?P((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\[::1\])(?::(?P[0-9]+))?))?(?P/[A-Za-z0-9/.-]*)$`
+ url_regex := `^(?P[a-z][a-z0-9+.-]*):(?://(?P((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\[::1\])(?::(?P[0-9]+))?))?(?P/[A-Za-z0-9/.-]*)?(?P\?[A-Za-z0-9/.-=]*)?$`
  [matches] := regex.find_all_string_submatch_n(url_regex, url, 1)
  obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5]}
 }
@@ -31,9 +31,6 @@ secure_url(x) if {
  url.host != "127.0.0.1"
  url.host != "0.0.0.0"
  url.host != "[::1]"
-
- # Must be standard port for HTTPS
- url.port == ""
 }
 
 host_matches_client_uri(_) if {
diff --git a/policies/client_registration/client_registration_test.rego b/policies/client_registration/client_registration_test.rego
index 5bf563d27..568a6b297 100644
--- a/policies/client_registration/client_registration_test.rego
+++ b/policies/client_registration/client_registration_test.rego
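Review bot: The query character class in the new `url_regex`, `[A-Za-z0-9/.-=]`, contains an unescaped `.-=` range, so it accepts `:`, `;` and `<` while rejecting a literal `-`; moving the hyphen to the end, `[A-Za-z0-9/.=-]`, gives the class the same meaning as the path class beside it. Making the path optional next to the already-optional authority also means `https:` and `https:?query=value` now satisfy parse_uri with an empty host, where the previously mandatory `/` path made them fail; unless secure_url or host_matches_client_uri (both outside this hunk) reject an empty host, at least one of authority and path should remain required. The new query group is captured as `matches[6]` but not placed in `obj`, so downstream rules cannot inspect or constrain it; `"query": matches[6]` in the object literal would expose it.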
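Review bot: With `url.port == ""` removed, secure_url no longer constrains the port at all, and parse_uri validates it only as `[0-9]+`, so values such as `99999` or `0` pass; if arbitrary ports are intended, a replacement comment such as `# Any port is accepted; the port is a digit string and is not range-checked` records the decision, otherwise a bound on `to_number(url.port)` for the non-empty case keeps the value within 1-65535. Because a web origin is scheme, host and port, `https://example.com:8443/callback` is a different origin from a client_uri of `https://example.com/`; if host_matches_client_uri compares the host only (its body is outside this hunk), redirect URIs on any port of the client's host are now accepted, which should be stated explicitly. The head of secure_url starts outside this hunk.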
@@ -212,7 +212,14 @@ test_web_redirect_uri if {
  client_registration.allow with input.client_metadata as {
  "application_type": "web",
  "client_uri": "https://example.com/",
- "redirect_uris": ["https://example.com/second/callback", "https://example.com/callback"],
+ "redirect_uris": ["https://example.com/second/callback", "https://example.com/callback", "https://example.com/callback?query=value"],
+ }
+
+ # HTTPS redirect_uri with non-standard port
+ client_registration.allow with input.client_metadata as {
+ "application_type": "web",
+ "client_uri": "https://example.com/",
+ "redirect_uris": ["https://example.com:8443/callback"],
  }
 }
 
@@ -289,6 +296,14 @@ test_web_redirect_uri_localhost_not_allowed if {
  }
 }
 
+test_web_redirect_uri_with_query if {
+ client_registration.allow with input.client_metadata as {
+ "application_type": "web",
+ "client_uri": "https://example.com/",
+ "redirect_uris": ["https://example.com/callback?query=value", "https://example.com?query=value"],
+ }
+}
+
 test_native_redirect_uri_allowed if {
  # This has all the redirect URIs types we're supporting for native apps
  client_registration.allow with input.client_metadata as {
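Review bot: The new cases in both hunks of this file only exercise accepted inputs; nothing pins that the relaxed `url_regex` still rejects a fragment (`https://example.com/callback#frag`) or a query with a character outside the allowed class (`?a=1&b=2`, rejected because `&` is not in `[A-Za-z0-9/.-=]`), so a later loosening of the pattern would go unnoticed. A `not client_registration.allow with input.client_metadata as {...}` case next to test_web_redirect_uri_with_query would guard that boundary, in the style the name of test_web_redirect_uri_localhost_not_allowed suggests (its body starts outside the hunk). The `https://example.com?query=value` entry also relies on the path group being optional; a comment such as `# An authority with no path and only a query is accepted` would make that expectation explicit for the next reader.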