Merge branch '1.0.x' into 1.1.x

jgrandja · jgrandja · commit 55595ace6786 · 2023-11-06T15:10:49.000-05:00
Closes gh-1437
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
@@ -55,6 +55,7 @@
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * An {@link AbstractHttpConfigurer} for OAuth 2.0 Authorization Server support.
@@ -387,6 +388,9 @@ private static void validateAuthorizationServerSettings(AuthorizationServerSetti
 			} catch (Exception ex) {
 				throw new IllegalArgumentException("issuer must be a valid URL", ex);
 			}
+			if (StringUtils.hasText(issuerUri.getPath())) {
+				throw new IllegalArgumentException("Path component for issuer ('" + issuerUri.getPath() + "') is currently not supported");
+			}
 			// rfc8414 https://datatracker.ietf.org/doc/html/rfc8414#section-2
 			if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
 				throw new IllegalArgumentException("issuer cannot contain query or fragment component");
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcProviderConfigurationTests.java
@@ -162,6 +162,13 @@ public void loadContextWhenIssuerNotValidUriThenThrowException() {
 		);
 	}
 
+	@Test
+	public void loadContextWhenIssuerWithPathThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithIssuerPath.class).autowire()
+		);
+	}
+
 	@Test
 	public void loadContextWhenIssuerWithQueryThenThrowException() {
 		assertThatThrownBy(
@@ -183,6 +190,13 @@ public void loadContextWhenIssuerWithQueryAndFragmentThenThrowException() {
 		);
 	}
 
+	@Test
+	public void loadContextWhenIssuerWithEmptyPathThenThrowException() {
+		assertThatThrownBy(
+				() -> this.spring.register(AuthorizationServerConfigurationWithIssuerEmptyPath.class).autowire()
+		);
+	}
+
 	@Test
 	public void loadContextWhenIssuerWithEmptyQueryThenThrowException() {
 		assertThatThrownBy(
@@ -300,6 +314,15 @@ AuthorizationServerSettings authorizationServerSettings() {
 		}
 	}
 
+	@EnableWebSecurity
+	static class AuthorizationServerConfigurationWithIssuerPath extends AuthorizationServerConfiguration {
+
+		@Bean
+		AuthorizationServerSettings authorizationServerSettings() {
+			return AuthorizationServerSettings.builder().issuer(ISSUER_URL + "/issuer1").build();
+		}
+	}
+
 	@EnableWebSecurity
 	static class AuthorizationServerConfigurationWithIssuerQuery extends AuthorizationServerConfiguration {
 
@@ -327,6 +350,15 @@ AuthorizationServerSettings authorizationServerSettings() {
 		}
 	}
 
+	@EnableWebSecurity
+	static class AuthorizationServerConfigurationWithIssuerEmptyPath extends AuthorizationServerConfiguration {
+
+		@Bean
+		AuthorizationServerSettings authorizationServerSettings() {
+			return AuthorizationServerSettings.builder().issuer(ISSUER_URL + "/").build();
+		}
+	}
+
 	@EnableWebSecurity
 	static class AuthorizationServerConfigurationWithIssuerEmptyQuery extends AuthorizationServerConfiguration {
 
