Open Redirect in /authorize inside sample server

[hotab]

There are at least 2 distinct cases - when we did not configure the user authorization handler, and when we did.

For the first case, if we use the server from samples (with domain set to http://localhost for the client), we can do the following:

$ curl 'localhost:9096/authorize?client_id=000000&response_type=code&scope=read&redirect_uri=http://test/' -v
....
< HTTP/1.1 302 Found
< Location: http://test/?error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request
....

For the second case, for the invalid url, we still get a redirect:

$ curl 'localhost:9096/authorize?client_id=000000&response_type=code&scope=read&redirect_uri=http://test/' -v
...
< HTTP/1.1 302 Found
< Location: http://test/?error=server_error&error_description=The+authorization+server+encountered+an+unexpected+condition+that+prevented+it+from+fulfilling+the+request
....

Also, by default, the domain is suffix-matched, meaning testlocalhost will be considered a valid domain:

$ curl 'localhost:9096/authorize?client_id=000000&response_type=code&scope=read&redirect_uri=http://testlocalhost/' -v
....
< HTTP/1.1 302 Found
< Location: http://testlocalhost/?code=M4-KSICRPGUZFL9EP7A1-A
...

All are instances of Unvalidated Redirects: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md

At least, those might open the app up to phishing attacks.

Also, according to OAuth2, redirect uri should be strictly whitelisted, as attacker can use that to leak codes: https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/

Ref: https://tools.ietf.org/html/rfc6819#section-4.1.5

[R-omk]

same https://github.com/go-oauth2/oauth2/issues/99

[Nomango]

The oauth manager has a default redirect uri validator here. It compares whether the redirect uri host and the domain of client match.

It's just that it's not mentioned in the documentation.