Preserve exact original redirect URL in OAuth client (#1281)

mjcheetham · web-flow · commit 4e8674aeb623 · 2023-06-08T09:53:28.000-07:00
The OAuth 2.0 spec requires that redirect URLs be matched _exactly_ if specified, including matching trailing slashes. Since the .NET `Uri` type's `.ToString()` method will append a trailing slash to the end of path-less URLs (e.g., "http://foo" => "http://foo/") we need to use the `.OriginalString` property instead. Shoring up this area in anticipation for changes to support multiple GitHub redirect URLs with #594
diff --git a/src/shared/Core.Tests/Authentication/OAuth2ClientTests.cs b/src/shared/Core.Tests/Authentication/OAuth2ClientTests.cs
@@ -44,6 +44,55 @@ public async Task OAuth2Client_GetAuthorizationCodeAsync()
             Assert.Equal(expectedAuthCode, result.Code);
         }
 
+        [Theory]
+        [InlineData("http://localhost")]
+        [InlineData("http://localhost/")]
+        [InlineData("http://localhost/oauth-callback")]
+        [InlineData("http://localhost/oauth-callback/")]
+        [InlineData("http://127.0.0.1")]
+        [InlineData("http://127.0.0.1/")]
+        [InlineData("http://127.0.0.1/oauth-callback")]
+        [InlineData("http://127.0.0.1/oauth-callback/")]
+        public async Task OAuth2Client_GetAuthorizationCodeAsync_RedirectUrlOriginalStringPreserved(string expectedRedirectUrl)
+        {
+            var baseUri = new Uri("https://example.com");
+            OAuth2ServerEndpoints endpoints = CreateEndpoints(baseUri);
+
+            var httpHandler = new TestHttpMessageHandler {ThrowOnUnexpectedRequest = true};
+
+            OAuth2Application app = new OAuth2Application(TestClientId)
+            {
+                Secret = TestClientSecret,
+                RedirectUris = new[] {new Uri(expectedRedirectUrl)}
+            };
+
+            var server = new TestOAuth2Server(endpoints);
+            server.RegisterApplication(app);
+            server.Bind(httpHandler);
+            server.TokenGenerator.AuthCodes.Add("unused");
+            server.AuthorizationEndpointInvoked += (_, request) =>
+            {
+                IDictionary<string, string> actualParams = request.RequestUri.GetQueryParameters();
+                Assert.True(actualParams.TryGetValue(OAuth2Constants.RedirectUriParameter, out string actualRedirectUri));
+                Assert.Equal(expectedRedirectUrl, actualRedirectUri);
+            };
+
+            IOAuth2WebBrowser browser = new TestOAuth2WebBrowser(httpHandler);
+
+            var redirectUri = new Uri(expectedRedirectUrl);
+
+            var trace2 = new NullTrace2();
+            OAuth2Client client =  new OAuth2Client(
+                new HttpClient(httpHandler),
+                endpoints,
+                TestClientId,
+                trace2,
+                redirectUri,
+                TestClientSecret);
+
+            await client.GetAuthorizationCodeAsync(new[] { "unused" }, browser, null, CancellationToken.None);
+        }
+
         [Fact]
         public async Task OAuth2Client_GetAuthorizationCodeAsync_ExtraQueryParams()
         {
diff --git a/src/shared/Core.Tests/Authentication/OAuth2SystemWebBrowserTests.cs b/src/shared/Core.Tests/Authentication/OAuth2SystemWebBrowserTests.cs
@@ -0,0 +1,66 @@
+using System;
+using GitCredentialManager.Authentication.OAuth;
+using GitCredentialManager.Tests.Objects;
+using Xunit;
+
+namespace GitCredentialManager.Tests.Authentication;
+
+public class OAuth2SystemWebBrowserTests
+{
+    [Fact]
+    public void OAuth2SystemWebBrowser_UpdateRedirectUri_NonLoopback_ThrowsError()
+    {
+        var env = new TestEnvironment();
+        var options = new OAuth2WebBrowserOptions();
+        var browser = new OAuth2SystemWebBrowser(env, options);
+
+        Assert.Throws<ArgumentException>(() => browser.UpdateRedirectUri(new Uri("http://example.com")));
+    }
+
+    [Theory]
+    [InlineData("http://localhost:1234", "http://localhost:1234")]
+    [InlineData("http://localhost:1234/", "http://localhost:1234/")]
+    [InlineData("http://localhost:1234/oauth-callback", "http://localhost:1234/oauth-callback")]
+    [InlineData("http://localhost:1234/oauth-callback/", "http://localhost:1234/oauth-callback/")]
+    [InlineData("http://127.0.0.7:1234", "http://127.0.0.7:1234")]
+    [InlineData("http://127.0.0.7:1234/", "http://127.0.0.7:1234/")]
+    [InlineData("http://127.0.0.7:1234/oauth-callback", "http://127.0.0.7:1234/oauth-callback")]
+    [InlineData("http://127.0.0.7:1234/oauth-callback/", "http://127.0.0.7:1234/oauth-callback/")]
+    public void OAuth2SystemWebBrowser_UpdateRedirectUri_SpecificPort(string input, string expected)
+    {
+        var env = new TestEnvironment();
+        var options = new OAuth2WebBrowserOptions();
+        var browser = new OAuth2SystemWebBrowser(env, options);
+
+        Uri actualUri = browser.UpdateRedirectUri(new Uri(input));
+
+        Assert.Equal(expected, actualUri.OriginalString);
+    }
+
+    [Theory]
+    [InlineData("http://localhost")]
+    [InlineData("http://localhost/")]
+    [InlineData("http://localhost/oauth-callback")]
+    [InlineData("http://localhost/oauth-callback/")]
+    [InlineData("http://127.0.0.7")]
+    [InlineData("http://127.0.0.7/")]
+    [InlineData("http://127.0.0.7/oauth-callback")]
+    [InlineData("http://127.0.0.7/oauth-callback/")]
+    public void OAuth2SystemWebBrowser_UpdateRedirectUri_AnyPort(string input)
+    {
+        var env = new TestEnvironment();
+        var options = new OAuth2WebBrowserOptions();
+        var browser = new OAuth2SystemWebBrowser(env, options);
+
+        var inputUri = new Uri(input);
+        Uri actualUri = browser.UpdateRedirectUri(inputUri);
+
+        Assert.Equal(inputUri.Scheme, actualUri.Scheme);
+        Assert.Equal(inputUri.Host, actualUri.Host);
+        Assert.Equal(
+            inputUri.GetComponents(UriComponents.Path, UriFormat.Unescaped),
+            actualUri.GetComponents(UriComponents.Path, UriFormat.Unescaped)
+        );
+        Assert.False(actualUri.IsDefaultPort);
+    }
+}
diff --git a/src/shared/Core/Authentication/OAuth/OAuth2Client.cs b/src/shared/Core/Authentication/OAuth/OAuth2Client.cs
@@ -138,7 +138,10 @@ public async Task<OAuth2AuthorizationCodeResult> GetAuthorizationCodeAsync(IEnum
             if (_redirectUri != null)
             {
                 redirectUri = browser.UpdateRedirectUri(_redirectUri);
-                queryParams[OAuth2Constants.RedirectUriParameter] = redirectUri.ToString();
+
+                // We must use the .OriginalString property here over .ToString() because OAuth requires the redirect
+                // URLs to be compared exactly, respecting missing/present trailing slashes, byte-for-byte.
+                queryParams[OAuth2Constants.RedirectUriParameter] = redirectUri.OriginalString;
             }
 
             string scopesStr = string.Join(" ", scopes);
@@ -235,7 +238,7 @@ public async Task<OAuth2TokenResult> GetTokenByAuthorizationCodeAsync(OAuth2Auth
 
             if (authorizationCodeResult.RedirectUri != null)
             {
-                formData[OAuth2Constants.RedirectUriParameter] = authorizationCodeResult.RedirectUri.ToString();
+                formData[OAuth2Constants.RedirectUriParameter] = authorizationCodeResult.RedirectUri.OriginalString;
             }
 
             if (authorizationCodeResult.CodeVerifier != null)
diff --git a/src/shared/GitHub/GitHubConstants.cs b/src/shared/GitHub/GitHubConstants.cs
@@ -14,7 +14,7 @@ public static class GitHubConstants
 
         // [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="OAuth2 public client application 'secrets' are required and permitted to be public")]
         public const string OAuthClientSecret = "18867509d956965542b521a529a79bb883344c90";
-        public static readonly Uri OAuthRedirectUri = new Uri("http://localhost/");
+        public static readonly Uri OAuthRedirectUri = new Uri("http://localhost/"); // Note that the trailing slash is important!
         public static readonly Uri OAuthAuthorizationEndpointRelativeUri = new Uri("/login/oauth/authorize", UriKind.Relative);
         public static readonly Uri OAuthTokenEndpointRelativeUri = new Uri("/login/oauth/access_token", UriKind.Relative);
         public static readonly Uri OAuthDeviceEndpointRelativeUri = new Uri("/login/device/code", UriKind.Relative);
diff --git a/src/shared/TestInfrastructure/Objects/TestOAuth2Server.cs b/src/shared/TestInfrastructure/Objects/TestOAuth2Server.cs
@@ -71,9 +71,9 @@ private Task<HttpResponseMessage> OnAuthorizationEndpointAsync(HttpRequestMessag
                 throw new Exception($"Unknown OAuth application '{clientId}'");
             }
 
-            // Redirect is optional, but if it is specified it must match a registered URI
-            reqQuery.TryGetValue(OAuth2Constants.RedirectUriParameter, out string redirectUriStr);
-            Uri redirectUri = app.ValidateRedirect(redirectUriStr);
+            // Redirect is optional, but if it is specified it must match a registered URL
+            reqQuery.TryGetValue(OAuth2Constants.RedirectUriParameter, out string redirectUrlStr);
+            Uri redirectUri = app.ValidateRedirect(redirectUrlStr);
 
             // Scope is optional
             reqQuery.TryGetValue(OAuth2Constants.ScopeParameter, out string scopeStr);
@@ -104,7 +104,7 @@ private Task<HttpResponseMessage> OnAuthorizationEndpointAsync(HttpRequestMessag
 
             // Create the auth code grant
             OAuth2Application.AuthCodeGrant grant = app.CreateAuthorizationCodeGrant(
-                TokenGenerator, scopes, redirectUriStr, codeChallenge, codeChallengeMethod);
+                TokenGenerator, scopes, redirectUrlStr, codeChallenge, codeChallengeMethod);
 
             var respQuery = new Dictionary<string, string>
             {
@@ -527,23 +527,25 @@ public TokenEndpointResponseJson CreateTokenByDeviceCodeGrant(TestOAuth2ServerTo
             };
         }
 
-        private bool IsValidRedirect(Uri uri)
+        private bool IsValidRedirect(string url)
         {
             foreach (Uri redirectUri in RedirectUris)
             {
-                if (redirectUri == uri)
+                // We only accept exact matches, including trailing slashes and case sensitivity
+                if (StringComparer.Ordinal.Equals(redirectUri.OriginalString, url))
                 {
                     return true;
                 }
 
-                // For localhost we ignore the port number
-                if (redirectUri.IsLoopback && uri.IsLoopback)
+                // For loopback URLs _only_ we ignore the port number
+                if (Uri.TryCreate(url, UriKind.Absolute, out Uri uri) && uri.IsLoopback && redirectUri.IsLoopback)
                 {
-                    var cmp = StringComparer.OrdinalIgnoreCase;
+                    // *Case-sensitive* comparison of scheme, host and path
+                    var cmp = StringComparer.Ordinal;
 
-                    // Uri::Authority does not include port, whereas Uri::Host does
+                    // Uri::Authority includes port, whereas Uri::Host does not
                     return cmp.Equals(redirectUri.Scheme, uri.Scheme) &&
-                           cmp.Equals(redirectUri.Authority, uri.Authority) &&
+                           cmp.Equals(redirectUri.Host, uri.Host) &&
                            cmp.Equals(redirectUri.GetComponents(UriComponents.Path, UriFormat.UriEscaped),
                                uri.GetComponents(UriComponents.Path, UriFormat.UriEscaped));
                 }
@@ -552,26 +554,26 @@ private bool IsValidRedirect(Uri uri)
             return false;
         }
 
-        internal Uri ValidateRedirect(string redirectStr)
+        internal Uri ValidateRedirect(string redirectUrl)
         {
             // Use default redirect URI if one has not been specified for this grant
-            if (redirectStr == null)
+            if (redirectUrl == null)
             {
                 return RedirectUris.First();
             }
 
-            if (!Uri.TryCreate(redirectStr, UriKind.Absolute, out Uri redirectUri))
+            if (!Uri.TryCreate(redirectUrl, UriKind.Absolute, out _))
             {
-                throw new Exception($"Redirect '{redirectStr}' is not a valid URI");
+                throw new Exception($"Redirect '{redirectUrl}' is not a valid URL");
             }
 
-            if (!IsValidRedirect(redirectUri))
+            if (!IsValidRedirect(redirectUrl))
             {
-                // If a redirect URI has been specified, it must match one of those that has been previously registered
-                throw new Exception($"Redirect URI '{redirectUri}' does not match any registered values.");
+                // If a redirect URL has been specified, it must match one of those that has been previously registered
+                throw new Exception($"Redirect URL '{redirectUrl}' does not match any registered values.");
             }
 
-            return redirectUri;
+            return new Uri(redirectUrl);
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,10 @@ public async Task<OAuth2AuthorizationCodeResult> GetAuthorizationCodeAsync(IEnum`
`138`	`138`	`if (_redirectUri != null)`
`139`	`139`	`{`
`140`	`140`	`redirectUri = browser.UpdateRedirectUri(_redirectUri);`
`141`		`- queryParams[OAuth2Constants.RedirectUriParameter] = redirectUri.ToString();`
	`141`	`+`
	`142`	`+ // We must use the .OriginalString property here over .ToString() because OAuth requires the redirect`
	`143`	`+ // URLs to be compared exactly, respecting missing/present trailing slashes, byte-for-byte.`
	`144`	`+ queryParams[OAuth2Constants.RedirectUriParameter] = redirectUri.OriginalString;`
`142`	`145`	`}`
`143`	`146`
`144`	`147`	`string scopesStr = string.Join(" ", scopes);`
`@@ -235,7 +238,7 @@ public async Task<OAuth2TokenResult> GetTokenByAuthorizationCodeAsync(OAuth2Auth`
`235`	`238`
`236`	`239`	`if (authorizationCodeResult.RedirectUri != null)`
`237`	`240`	`{`
`238`		`- formData[OAuth2Constants.RedirectUriParameter] = authorizationCodeResult.RedirectUri.ToString();`
	`241`	`+ formData[OAuth2Constants.RedirectUriParameter] = authorizationCodeResult.RedirectUri.OriginalString;`
`239`	`242`	`}`
`240`	`243`
`241`	`244`	`if (authorizationCodeResult.CodeVerifier != null)`
Original file line number	Diff line number	Diff line change
`@@ -71,9 +71,9 @@ private Task<HttpResponseMessage> OnAuthorizationEndpointAsync(HttpRequestMessag`
`71`	`71`	`throw new Exception($"Unknown OAuth application '{clientId}'");`
`72`	`72`	`}`
`73`	`73`
`74`		`- // Redirect is optional, but if it is specified it must match a registered URI`
`75`		`- reqQuery.TryGetValue(OAuth2Constants.RedirectUriParameter, out string redirectUriStr);`
`76`		`- Uri redirectUri = app.ValidateRedirect(redirectUriStr);`
	`74`	`+ // Redirect is optional, but if it is specified it must match a registered URL`
	`75`	`+ reqQuery.TryGetValue(OAuth2Constants.RedirectUriParameter, out string redirectUrlStr);`
	`76`	`+ Uri redirectUri = app.ValidateRedirect(redirectUrlStr);`
`77`	`77`
`78`	`78`	`// Scope is optional`
`79`	`79`	`reqQuery.TryGetValue(OAuth2Constants.ScopeParameter, out string scopeStr);`
`@@ -104,7 +104,7 @@ private Task<HttpResponseMessage> OnAuthorizationEndpointAsync(HttpRequestMessag`
`104`	`104`
`105`	`105`	`// Create the auth code grant`
`106`	`106`	`OAuth2Application.AuthCodeGrant grant = app.CreateAuthorizationCodeGrant(`
`107`		`- TokenGenerator, scopes, redirectUriStr, codeChallenge, codeChallengeMethod);`
	`107`	`+ TokenGenerator, scopes, redirectUrlStr, codeChallenge, codeChallengeMethod);`
`108`	`108`
`109`	`109`	`var respQuery = new Dictionary<string, string>`
`110`	`110`	`{`
`@@ -527,23 +527,25 @@ public TokenEndpointResponseJson CreateTokenByDeviceCodeGrant(TestOAuth2ServerTo`
`527`	`527`	`};`
`528`	`528`	`}`
`529`	`529`
`530`		`- private bool IsValidRedirect(Uri uri)`
	`530`	`+ private bool IsValidRedirect(string url)`
`531`	`531`	`{`
`532`	`532`	`foreach (Uri redirectUri in RedirectUris)`
`533`	`533`	`{`
`534`		`- if (redirectUri == uri)`
	`534`	`+ // We only accept exact matches, including trailing slashes and case sensitivity`
	`535`	`+ if (StringComparer.Ordinal.Equals(redirectUri.OriginalString, url))`
`535`	`536`	`{`
`536`	`537`	`return true;`
`537`	`538`	`}`
`538`	`539`
`539`		`- // For localhost we ignore the port number`
`540`		`- if (redirectUri.IsLoopback && uri.IsLoopback)`
	`540`	`+ // For loopback URLs _only_ we ignore the port number`
	`541`	`+ if (Uri.TryCreate(url, UriKind.Absolute, out Uri uri) && uri.IsLoopback && redirectUri.IsLoopback)`
`541`	`542`	`{`
`542`		`- var cmp = StringComparer.OrdinalIgnoreCase;`
	`543`	`+ // Case-sensitive comparison of scheme, host and path`
	`544`	`+ var cmp = StringComparer.Ordinal;`
`543`	`545`
`544`		`- // Uri::Authority does not include port, whereas Uri::Host does`
	`546`	`+ // Uri::Authority includes port, whereas Uri::Host does not`
`545`	`547`	`return cmp.Equals(redirectUri.Scheme, uri.Scheme) &&`
`546`		`- cmp.Equals(redirectUri.Authority, uri.Authority) &&`
	`548`	`+ cmp.Equals(redirectUri.Host, uri.Host) &&`
`547`	`549`	`cmp.Equals(redirectUri.GetComponents(UriComponents.Path, UriFormat.UriEscaped),`
`548`	`550`	`uri.GetComponents(UriComponents.Path, UriFormat.UriEscaped));`
`549`	`551`	`}`
`@@ -552,26 +554,26 @@ private bool IsValidRedirect(Uri uri)`
`552`	`554`	`return false;`
`553`	`555`	`}`
`554`	`556`
`555`		`- internal Uri ValidateRedirect(string redirectStr)`
	`557`	`+ internal Uri ValidateRedirect(string redirectUrl)`
`556`	`558`	`{`
`557`	`559`	`// Use default redirect URI if one has not been specified for this grant`
`558`		`- if (redirectStr == null)`
	`560`	`+ if (redirectUrl == null)`
`559`	`561`	`{`
`560`	`562`	`return RedirectUris.First();`
`561`	`563`	`}`
`562`	`564`
`563`		`- if (!Uri.TryCreate(redirectStr, UriKind.Absolute, out Uri redirectUri))`
	`565`	`+ if (!Uri.TryCreate(redirectUrl, UriKind.Absolute, out _))`
`564`	`566`	`{`
`565`		`- throw new Exception($"Redirect '{redirectStr}' is not a valid URI");`
	`567`	`+ throw new Exception($"Redirect '{redirectUrl}' is not a valid URL");`
`566`	`568`	`}`
`567`	`569`
`568`		`- if (!IsValidRedirect(redirectUri))`
	`570`	`+ if (!IsValidRedirect(redirectUrl))`
`569`	`571`	`{`
`570`		`- // If a redirect URI has been specified, it must match one of those that has been previously registered`
`571`		`- throw new Exception($"Redirect URI '{redirectUri}' does not match any registered values.");`
	`572`	`+ // If a redirect URL has been specified, it must match one of those that has been previously registered`
	`573`	`+ throw new Exception($"Redirect URL '{redirectUrl}' does not match any registered values.");`
`572`	`574`	`}`
`573`	`575`
`574`		`- return redirectUri;`
	`576`	`+ return new Uri(redirectUrl);`
`575`	`577`	`}`
`576`	`578`	`}`
`577`	`579`	`}`