
Commit 45e3fb0

committed
Allow HTTPS redirectors for native apps
1 parent ae3213f commit 45e3fb0


2 files changed

+42
-30
lines changed


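--- a/policies/client_registration.rego
+++ b/policies/client_registration.rego
@@ -17,6 +17,11 @@ parse_uri(url) = obj {
 obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5]}
 }
 
+secure_url(x) {
+x
+data.client_registration.allow_insecure_uris
+}
+
 secure_url(x) {
 url := parse_uri(x)
 url.scheme == "https"
@@ -31,6 +36,21 @@ secure_url(x) {
 url.port == ""
 }
 
+host_matches_client_uri(x) {
+x
+
+# Do not check we allow host mismatch
+data.client_registration.allow_host_mismatch
+}
+
+host_matches_client_uri(x) {
+x
+
+# Do not check if the client_uri is missing and we allow that
+data.client_registration.allow_missing_client_uri
+not data.client_metadata.client_uri
+}
+
 host_matches_client_uri(x) {
 client_uri := parse_uri(input.client_metadata.client_uri)
 uri := parse_uri(x)
@@ -43,43 +63,36 @@ violation[{"msg": "missing client_uri"}] {
 }
 
 violation[{"msg": "invalid client_uri"}] {
-not data.client_registration.allow_insecure_uris
 not secure_url(input.client_metadata.client_uri)
 }
 
 violation[{"msg": "invalid tos_uri"}] {
 input.client_metadata.tos_uri
-not data.client_registration.allow_insecure_uris
 not secure_url(input.client_metadata.tos_uri)
 }
 
 violation[{"msg": "tos_uri not on the same host as the client_uri"}] {
 input.client_metadata.tos_uri
-not data.client_registration.allow_host_mismatch
 not host_matches_client_uri(input.client_metadata.tos_uri)
 }
 
 violation[{"msg": "invalid policy_uri"}] {
 input.client_metadata.policy_uri
-not data.client_registration.allow_insecure_uris
 not secure_url(input.client_metadata.policy_uri)
 }
 
 violation[{"msg": "policy_uri not on the same host as the client_uri"}] {
 input.client_metadata.policy_uri
-not data.client_registration.allow_host_mismatch
 not host_matches_client_uri(input.client_metadata.policy_uri)
 }
 
 violation[{"msg": "invalid logo_uri"}] {
 input.client_metadata.logo_uri
-not data.client_registration.allow_insecure_uris
 not secure_url(input.client_metadata.logo_uri)
 }
 
 violation[{"msg": "logo_uri not on the same host as the client_uri"}] {
 input.client_metadata.logo_uri
-not data.client_registration.allow_host_mismatch
 not host_matches_client_uri(input.client_metadata.logo_uri)
 }
 
@@ -108,22 +121,6 @@ violation[{"msg": "empty redirect_uris"}] {
 count(input.client_metadata.redirect_uris) == 0
 }
 
-violation[{"msg": "invalid redirect_uri", "redirect_uri": redirect_uri}] {
-# For 'web' apps, we should verify that redirect_uris are secure
-input.client_metadata.application_type != "native"
-some redirect_uri in input.client_metadata.redirect_uris
-not data.client_registration.allow_host_mismatch
-not host_matches_client_uri(redirect_uri)
-}
-
-violation[{"msg": "invalid redirect_uri"}] {
-# For 'web' apps, we should verify that redirect_uris are secure
-input.client_metadata.application_type != "native"
-some redirect_uri in input.client_metadata.redirect_uris
-not data.client_registration.allow_insecure_uris
-not secure_url(redirect_uri)
-}
-
 # Used to verify that a reverse-dns formatted scheme is a strict subdomain of
 # another host.
 # This is used so a redirect_uri like 'com.example.app:/' works for
@@ -173,11 +170,17 @@ valid_native_redirector(x) {
 reverse_dns_match(client_uri.host, url.scheme)
 }
 
-violation[{"msg": "invalid redirect_uri"}] {
-# For 'native' apps, we need to check that the redirect_uri is either
-# a custom scheme, or localhost
-# TODO: this might not be right, because of app-associated domains on mobile?
+valid_redirect_uri(uri) {
 input.client_metadata.application_type == "native"
+valid_native_redirector(uri)
+}
+
+valid_redirect_uri(uri) {
+secure_url(uri)
+host_matches_client_uri(uri)
+}
+
+violation[{"msg": "invalid redirect_uri", "redirect_uri": redirect_uri}] {
 some redirect_uri in input.client_metadata.redirect_uris
-not valid_native_redirector(redirect_uri)
+not valid_redirect_uri(redirect_uri)
 }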
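Review bot: The second `host_matches_client_uri` bypass rule added in the hunk around `secure_url` tests `not data.client_metadata.client_uri`, while every other rule in this file reads the registration metadata from `input.client_metadata`. Unless the data document also carries a `client_metadata` tree, that reference is always undefined, so the `not` is vacuously true and the rule succeeds whenever `allow_missing_client_uri` is set — even when the client did supply a client_uri — which silently disables the same-host check for tos_uri, policy_uri, logo_uri and every redirect_uri. The line should read `not input.client_metadata.client_uri` so the bypass only applies when the client_uri is genuinely absent. The comment on the first bypass rule also reads oddly; `# Do not check if we allow host mismatch` would match the wording of the one below it.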

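--- a/policies/client_registration_test.rego
+++ b/policies/client_registration_test.rego
@@ -272,21 +272,30 @@ test_native_redirect_uri {
 "contacts": ["[email protected]"],
 }
 
-# We don't allow HTTP URLs other than localhost
-not allow with input.client_metadata as {
+# We still allow matching URLs for native apps
+allow with input.client_metadata as {
 "application_type": "native",
 "client_uri": "https://example.com/",
 "redirect_uris": ["https://example.com/"],
 "contacts": ["[email protected]"],
 }
 
+# But not insecure
 not allow with input.client_metadata as {
 "application_type": "native",
 "client_uri": "https://example.com/",
 "redirect_uris": ["http://example.com/"],
 "contacts": ["[email protected]"],
 }
 
+# And not a mismatch
+not allow with input.client_metadata as {
+"application_type": "native",
+"client_uri": "https://example.com/",
+"redirect_uris": ["http://bad.com/"],
+"contacts": ["[email protected]"],
+}
+
 # We don't allow HTTPS on localhost
 not allow with input.client_metadata as {
 "application_type": "native",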
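Review bot: The new `# And not a mismatch` case uses `"redirect_uris": ["http://bad.com/"]`, which `valid_redirect_uri` already rejects through `secure_url` on the scheme alone, so the host-mismatch path this case is named for is never what makes the assertion fail — it is indistinguishable from the `# But not insecure` case above it. Changing it to `"redirect_uris": ["https://bad.com/"]` makes the case exercise `host_matches_client_uri` and it would still be rejected. The enclosing `test_native_redirect_uri` rule starts before this hunk, and none of the cases visible here set the `allow_host_mismatch` or `allow_missing_client_uri` data flags whose bypass rules the policy change introduces, so those paths appear untested as far as this hunk shows.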
