matrix-org/matrix-authentication-service

It wasn't clear to me that I couldn't set a localhost URL for the registration request URIs because it's forbidden in

matrix-authentication-service/crates/handlers/src/oauth2/registration.rs

Lines 191 to 243 in 07c9989

    
           pub(crate) async fn post( 
        
               mut rng: BoxRng, 
        
               clock: BoxClock, 
        
               mut repo: BoxRepository, 
        
               mut policy: Policy, 
        
               State(encrypter): State<Encrypter>, 
        
               body: Result<Json<ClientMetadata>, axum::extract::rejection::JsonRejection>, 
        
           ) -> Result<impl IntoResponse, RouteError> { 
        
               // Propagate any JSON extraction error 
        
               let Json(body) = body?; 
        
               info!(?body, "Client registration"); 
        
               // Validate the body 
        
               let metadata = body.validate()?; 
        
               // Some extra validation that is hard to do in OPA and not done by the 
        
               // `validate` method either 
        
               if let Some(client_uri) = &metadata.client_uri { 
        
                   if localised_url_has_public_suffix(client_uri) { 
        
                       return Err(RouteError::UrlIsPublicSuffix("client_uri")); 
        
                   } 
        
               } 
        
               if let Some(logo_uri) = &metadata.logo_uri { 
        
                   if localised_url_has_public_suffix(logo_uri) { 
        
                       return Err(RouteError::UrlIsPublicSuffix("logo_uri")); 
        
                   } 
        
               } 
        
               if let Some(policy_uri) = &metadata.policy_uri { 
        
                   if localised_url_has_public_suffix(policy_uri) { 
        
                       return Err(RouteError::UrlIsPublicSuffix("policy_uri")); 
        
                   } 
        
               } 
        
               if let Some(tos_uri) = &metadata.tos_uri { 
        
                   if localised_url_has_public_suffix(tos_uri) { 
        
                       return Err(RouteError::UrlIsPublicSuffix("tos_uri")); 
        
                   } 
        
               } 
        
               if let Some(initiate_login_uri) = &metadata.initiate_login_uri { 
        
                   if host_is_public_suffix(initiate_login_uri) { 
        
                       return Err(RouteError::UrlIsPublicSuffix("initiate_login_uri")); 
        
                   } 
        
               } 
        
               for redirect_uri in metadata.redirect_uris() { 
        
                   if host_is_public_suffix(redirect_uri) { 
        
                       return Err(RouteError::UrlIsPublicSuffix("redirect_uri")); 
        
                   } 
        
               }

The error is super vague though, and could do with some explanation (or at least a log line).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

invalid_redirect_uri error raised by POST /oauth2/registration doesn't explain which policy was violated #3036

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	pub(crate) async fn post(
	mut rng: BoxRng,
	clock: BoxClock,
	mut repo: BoxRepository,
	mut policy: Policy,
	State(encrypter): State<Encrypter>,
	body: Result<Json<ClientMetadata>, axum::extract::rejection::JsonRejection>,
	) -> Result<impl IntoResponse, RouteError> {
	// Propagate any JSON extraction error
	let Json(body) = body?;

	info!(?body, "Client registration");

	// Validate the body
	let metadata = body.validate()?;

	// Some extra validation that is hard to do in OPA and not done by the
	// `validate` method either
	if let Some(client_uri) = &metadata.client_uri {
	if localised_url_has_public_suffix(client_uri) {
	return Err(RouteError::UrlIsPublicSuffix("client_uri"));
	}
	}

	if let Some(logo_uri) = &metadata.logo_uri {
	if localised_url_has_public_suffix(logo_uri) {
	return Err(RouteError::UrlIsPublicSuffix("logo_uri"));
	}
	}

	if let Some(policy_uri) = &metadata.policy_uri {
	if localised_url_has_public_suffix(policy_uri) {
	return Err(RouteError::UrlIsPublicSuffix("policy_uri"));
	}
	}

	if let Some(tos_uri) = &metadata.tos_uri {
	if localised_url_has_public_suffix(tos_uri) {
	return Err(RouteError::UrlIsPublicSuffix("tos_uri"));
	}
	}

	if let Some(initiate_login_uri) = &metadata.initiate_login_uri {
	if host_is_public_suffix(initiate_login_uri) {
	return Err(RouteError::UrlIsPublicSuffix("initiate_login_uri"));
	}
	}

	for redirect_uri in metadata.redirect_uris() {
	if host_is_public_suffix(redirect_uri) {
	return Err(RouteError::UrlIsPublicSuffix("redirect_uri"));
	}
	}

invalid_redirect_uri error raised by POST /oauth2/registration doesn't explain which policy was violated #3036

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions