Skip to content

Fix verification_uri in device authorization response when context path exists #1729

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

Fix verification_uri in device authorization response when context path exists #1729

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b1e0b65
#1714: Invalid verification_uri in device authorization response when…
Sep 25, 2024
21c58a4
Strip of the query part when building the verification URI
Sep 25, 2024
ff3bc96
Move building of verification URI to internal method using RedirectUr…
Oct 2, 2024
893b6d2
Add test for device authentication request with context path set
Oct 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion ...ork/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UrlPathHelper;

/**
* A {@code Filter} for the OAuth 2.0 Device Authorization endpoint, which handles the
Expand Down Expand Up @@ -219,10 +220,16 @@ private void sendDeviceAuthorizationResponse(HttpServletRequest request, HttpSer
OAuth2DeviceCode deviceCode = deviceAuthorizationRequestAuthentication.getDeviceCode();
OAuth2UserCode userCode = deviceAuthorizationRequestAuthentication.getUserCode();

String relativeVerificationPath = this.verificationUri.startsWith("/")
? this.verificationUri.substring(1)
: this.verificationUri;

// Generate the fully-qualified verification URI
UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder
.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
.replacePath(this.verificationUri);
.replacePath(UrlPathHelper.defaultInstance.getContextPath(request))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using UrlPathHelper, please create an internal method resolveVerificationUri(), that looks like:

spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java

Line 288 in 00f3874

private String resolveConsentUri(HttpServletRequest request) {

then it can be used UriComponentsBuilder.fromUriString(resolveVerificationUri(request)). This will provide consistency between the 3x implementations (OAuth2AuthorizationEndpointFilter is implemented the same).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I created - as requested - an internal method and added a test.

I used doFilterWhenDeviceAuthorizationRequestThenDeviceAuthorizationResponse as a base for my test. I am not sure whether the method name fits the project conventions for test method names and I am unsure about keeping all assertions of doFilterWhenDeviceAuthorizationRequestThenDeviceAuthorizationResponse or just using a reduced set of assertions.

.replaceQuery(null)
.pathSegment(relativeVerificationPath);
String verificationUri = uriComponentsBuilder.build().toUriString();
// @formatter:off
String verificationUriComplete = uriComponentsBuilder
Expand Down