Spring-security-oauth: Ensure exact matching on path in DefaultRedirectResolver

Created on 9 Apr 2018 · 5 Comments · Source: spring-projects/spring-security-oauth

DefaultRedirectResolver should perform exact matching on the path component of the redirect_uri.

bug

All 5 comments

Hello @jgrandja
What was the reason that paths are now checked exactly? All our configurations are now broken... :-/

@ractive Exact matching on redirect-uri was applied to prevent an Open Redirector attack.

Also see Authorization Code Redirection URI Manipulation

Hello @jgrandja

I understand the intention behind this modification, however I had had a developer oauth server configured with a dummy authenticator that all of the developers could call and this service just redirected back to the caller url. Is it possible to somehow support this requirement?

Thanks @jgrandja
My request was different than #1566. I wanted to support the previous behavior for development even if I know that logic is vulnerable. But I found the AuthorizationServerEndpointsConfigurer where I could register my CustomRedirectResolver. Thanks
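As an added illustration (not code from the spring-security-oauth project or from the commenters), this standalone class shows the comparison a custom resolver has to reproduce if it keeps exact path matching: scheme, host, port and the raw path compared as sent, side by side with the lenient prefix check that a development-only resolver tends to fall back on. The class name and the sample URIs are constructed for the demonstration.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;

/** Constructed example; mirrors the idea of exact redirect_uri matching, not the project's DefaultRedirectResolver. */
public class ExactRedirectMatch {

    /** True only if scheme, host and port agree and the complete raw path is identical. */
    static boolean matches(String registered, String requested) {
        URI reg = URI.create(registered);
        URI req = URI.create(requested);
        if (req.getFragment() != null) {
            return false; // a fragment has no place in a redirect_uri
        }
        boolean sameOrigin = reg.getScheme().equalsIgnoreCase(req.getScheme())
                && reg.getHost().equalsIgnoreCase(req.getHost())
                && reg.getPort() == req.getPort();
        // getRawPath keeps the path exactly as sent, so "/callback/../x" is not "/callback"
        String regPath = reg.getRawPath() == null ? "" : reg.getRawPath();
        String reqPath = req.getRawPath() == null ? "" : req.getRawPath();
        return sameOrigin && regPath.equals(reqPath);
    }

    /** The lenient check: anything under the registered value passes. */
    static boolean prefixMatches(String registered, String requested) {
        return requested.startsWith(registered);
    }

    public static void main(String[] args) {
        String registered = "https://client.example/callback";
        List<String> requests = Arrays.asList(
                "https://client.example/callback",
                "https://client.example/callback/../redirect?to=https://other.example",
                "https://client.example/callback/open?url=https://other.example",
                "https://client.example/callbacks",
                "https://client.example/Callback");
        for (String r : requests) {
            // only the first entry passes the exact check; the prefix check also accepts the next three
            System.out.printf("%-72s prefix=%-5b exact=%b%n",
                    r, prefixMatches(registered, r), matches(registered, r));
        }
    }
}
```

Query parameters are deliberately left out of the comparison here; a production resolver still has to decide separately whether the requested query may carry anything the registered URI does not.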

Is there a way to implement this that would allow for wildcards in the redirect url? My application has information in the URLs that is used for tenancy for each customer and I won't be able to use exact redirect matching
