
Internal URLs cannot be used as OAuth provider

Open · ivo-k opened this issue 1 year ago · 1 comment

The default instance of UrlValidator prevents us from using intranet domain names, which are not compliant with the URL validator. For example, dev.somewhere.local is invalid because local is not a valid TLD.

```groovy
class SpringSecurityOAuth2Controller {
...
    def authenticate() {
        String providerName = params.provider
        if (StringUtils.isBlank(providerName)) {
            throw new OAuth2Exception("No provider defined")
        }
        log.debug "authenticate ${providerName}"
        String url = springSecurityOauth2BaseService.getAuthorizationUrl(providerName)
        log.debug "redirect url from s2oauthservice=${url}"

        //You cannot use internal/local urls because of this line
        if (!UrlValidator.instance.isValid(url)) {
            flash.message = "Authorization url for provider '${providerName}' is invalid."
            redirect(controller: 'login', action: 'index')
            // return so the second redirect below is not issued after the first one
            return
        }
        redirect(url: url)
    }
...
```

Is it possible/reasonable to omit the validation or make it configurable, e.g. by injecting the validator?

ivo-k · Jan 26 '24 09:01
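An added example, not code from this issue or from grails-spring-security-core, of the injectable validator the issue asks for: the redirect check is kept (dropping it would let any string reach `redirect(url:)`), but an operator can allow-list the intranet DNS suffixes that the stock public-TLD rules reject. The class name, the `internalSuffixes` setting and the sample hosts are assumptions; it builds on Commons Validator's `UrlValidator(String[] schemes, RegexValidator authorityValidator, long options)` constructor.

```groovy
// Added example, not grails-spring-security-core code. Run with: groovy AllowListedUrlValidator.groovy
@Grab('commons-validator:commons-validator:1.7')
import org.apache.commons.validator.routines.RegexValidator
import org.apache.commons.validator.routines.UrlValidator

/** Hypothetical bean the controller could inject instead of calling UrlValidator.instance. */
class AuthorizationUrlValidator {
    private UrlValidator delegate

    /**
     * @param internalSuffixes DNS suffixes that are legitimate on this intranet
     *        (constructed config value, e.g. ['local', 'corp.example']); an empty
     *        list keeps the current behaviour, i.e. public TLD rules only.
     */
    AuthorizationUrlValidator(List<String> internalSuffixes = []) {
        String[] schemes = ['https']   // authorization endpoints are expected to be TLS-only
        if (!internalSuffixes) {
            delegate = new UrlValidator(schemes)
        } else {
            // Authority regex: one or more host labels, then an allowed suffix, then an
            // optional port. Dots inside a suffix are escaped so they match literally.
            String alternatives = internalSuffixes.collect { it.replace('.', '\\.') }.join('|')
            String authorityRegex = '^([A-Za-z0-9-]+\\.)+(' + alternatives + ')(:\\d{1,5})?$'
            // Commons Validator consults authorityValidator first; an authority it does not
            // match falls through to the default public-TLD rules, so public providers still work.
            delegate = new UrlValidator(schemes, new RegexValidator(authorityRegex), 0L)
        }
    }

    boolean isValid(String url) { delegate.isValid(url) }
}

// Demonstration on constructed URLs
def stock = UrlValidator.instance                        // what the controller uses today
def configured = new AuthorizationUrlValidator(['local', 'corp.example'])

assert !stock.isValid('https://dev.somewhere.local/oauth/authorize')          // the reported problem
assert configured.isValid('https://dev.somewhere.local/oauth/authorize')
assert configured.isValid('https://sso.corp.example:8443/authorize?client_id=abc')
assert configured.isValid('https://accounts.example.com/o/oauth2/auth')      // public hosts still pass
assert !configured.isValid('http://dev.somewhere.local/oauth/authorize')     // plain http still rejected
assert !configured.isValid('https://dev.somewhere.internal/oauth/authorize') // unlisted suffix still rejected
println 'all checks passed'
```

In the controller, `UrlValidator.instance.isValid(url)` would become a call on the injected bean, with the suffix list read from application configuration.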