
Support for private-use URI scheme redirection

Open wpK opened this issue 3 years ago • 0 comments

Expected Behavior

For a redirectUri of com.example.app:/oauth2redirect/example-provider to validate.

Current Behavior

It does not validate. OAuth2AuthorizationCodeRequestAuthenticationProvider.java#L594 requires a redirectUri to have a host which is not required for private-use URI schemes.

Context

Private-Use URI Scheme Redirection allows private-use URI schemes for native apps.

Proposed Solution

// A private-use scheme (reverse domain name, e.g. com.example.app) carries no authority part.
boolean isValidPrivateUseScheme = host == null && port == -1 && userInfo == null && scheme != null && scheme.contains(".");
// "localhost".equals(host) avoids a NullPointerException when host is null for a private-use scheme.
if ((!isValidPrivateUseScheme && host == null) || "localhost".equals(host)) {
    // throw localhost error
}

Given RFC 7595 and the currently limited set of URI schemes that contain a '.', we could do something like the following to add more context:

// A scheme containing '.' is treated as a private-use (reverse domain name) scheme.
boolean isPrivateUseScheme = scheme != null && scheme.contains(".");
if (isPrivateUseScheme && (host != null || port != -1 || userInfo != null)) {
    // throw invalid private use url scheme error
} else if (!isPrivateUseScheme && (host == null || host.equals("localhost"))) {
    // throw localhost error
}
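A stand-alone version of the second proposal, added here as an example and not code from the issue or from Spring Authorization Server; the class name, method names and sample redirect URIs are assumptions, and java.net.URI is used to split the scheme, host, port and user-info in place of the provider's own parsing:

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example (not Spring Authorization Server code): applies the proposed
// private-use scheme rule, then the existing host/localhost rule to everything else.
public class RedirectUriCheck {

    // Reverse-domain private-use schemes (RFC 8252 section 7.1) contain a '.',
    // which the proposal uses to tell them apart from registered schemes.
    static boolean isPrivateUseScheme(URI uri) {
        String scheme = uri.getScheme();
        return scheme != null && scheme.contains(".");
    }

    // Returns null when the redirect URI is acceptable, otherwise the rejection reason.
    static String validate(String redirectUri) {
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return "malformed URI";
        }
        String host = uri.getHost();
        if (isPrivateUseScheme(uri)) {
            // A private-use scheme redirect must carry no authority component at all.
            if (host != null || uri.getPort() != -1 || uri.getUserInfo() != null) {
                return "private-use scheme must not have an authority";
            }
            return null;
        }
        // Existing rule: every other redirect URI needs a host that is not localhost.
        if (host == null || host.equals("localhost")) {
            return "host is missing or localhost";
        }
        return null;
    }

    public static void main(String[] args) {
        String[] samples = {                                    // constructed sample redirect URIs
            "com.example.app:/oauth2redirect/example-provider", // valid
            "com.example.app://evil.example/cb",                // rejected: authority present
            "https://client.example/cb",                        // valid
            "https://localhost/cb",                             // rejected: localhost
            "myapp:/cb"                                         // rejected: no '.' in scheme, no host
        };
        for (String s : samples) {
            String reason = validate(s);
            System.out.println(s + " -> " + (reason == null ? "valid" : "rejected: " + reason));
        }
    }
}
```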

wpK, Aug 02 '22 23:08