fix: Evaluate the redirect_uri at each step of the auth flow

fixes AM-722 (cherry picked from commit 315f8ed) # Conflicts: # gravitee-am-gateway/gravitee-am-gateway-handler/gravitee-am-gateway-handler-core/src/main/java/io/gravitee/am/gateway/handler/root/RootProvider.java # gravitee-am-gateway/gravitee-am-gateway-handler/gravitee-am-gateway-handler-oidc/src/test/java/io/gravitee/am/gateway/handler/oauth2/service/par/PushedAuthorizationRequestServiceTest.java
gravitee-io · Dec 18, 2023 · ac6397d · ac6397d
1 parent eb7b669
commit ac6397d
Show file tree

Hide file tree

Showing 11 changed files with 235 additions and 64 deletions.
diff --git a/.../exception/RedirectMismatchException.java → ...ion/oauth2/RedirectMismatchException.java b/.../exception/RedirectMismatchException.java → ...ion/oauth2/RedirectMismatchException.java
@@ -13,9 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.gravitee.am.gateway.handler.oauth2.exception;
-
-import io.gravitee.am.common.exception.oauth2.OAuth2Exception;
+package io.gravitee.am.common.exception.oauth2;
 
 /**
  * @author Titouan COMPIEGNE (titouan.compiegne at graviteesource.com)

diff --git a/...-gateway-handler-core/src/main/java/io/gravitee/am/gateway/handler/root/RootProvider.java b/...-gateway-handler-core/src/main/java/io/gravitee/am/gateway/handler/root/RootProvider.java
@@ -73,6 +73,7 @@
 import io.gravitee.am.gateway.handler.root.resources.handler.LocaleHandler;
 import io.gravitee.am.gateway.handler.root.resources.handler.botdetection.BotDetectionHandler;
 import io.gravitee.am.gateway.handler.root.resources.handler.client.ClientRequestParseHandler;
+import io.gravitee.am.gateway.handler.root.resources.handler.common.RedirectUriValidationHandler;
 import io.gravitee.am.gateway.handler.root.resources.handler.consent.DataConsentHandler;
 import io.gravitee.am.gateway.handler.root.resources.handler.error.ErrorHandler;
 import io.gravitee.am.gateway.handler.root.resources.handler.geoip.GeoIpHandler;
@@ -351,7 +352,11 @@ protected void doStart() throws Exception {
         Handler<RoutingContext> userActivityHandler = new UserActivityHandler(userActivityService);
         Handler<RoutingContext> localeHandler = new LocaleHandler(messageResolver);
         Handler<RoutingContext> loginPostWebAuthnHandler = new LoginPostWebAuthnHandler(webAuthnCookieService);
+<<<<<<< HEAD
         Handler<RoutingContext> userRememberMeHandler = new UserRememberMeRequestHandler(jwtService, domain, rememberMeCookieName);
+=======
+        Handler<RoutingContext> redirectUriValidationHandler = new RedirectUriValidationHandler(domain);
+>>>>>>> 315f8ed362 (fix: Evaluate the redirect_uri at each step of the auth flow)
 
         // Root policy chain handler
         rootRouter.route()
@@ -367,13 +372,15 @@ protected void doStart() throws Exception {
         // Identifier First Login route
         rootRouter.get(PATH_IDENTIFIER_FIRST_LOGIN)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(new LoginSocialAuthenticationHandler(identityProviderManager, jwtService, certificateManager))
                 .handler(policyChainHandler.create(ExtensionPoint.PRE_LOGIN_IDENTIFIER))
                 .handler(localeHandler)
                 .handler(new IdentifierFirstLoginEndpoint(thymeleafTemplateEngine, domain, botDetectionManager));
 
         rootRouter.post(PATH_IDENTIFIER_FIRST_LOGIN)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(botDetectionHandler)
                 .handler(new LoginSocialAuthenticationHandler(identityProviderManager, jwtService, certificateManager))
                 .handler(userRememberMeHandler)
@@ -385,6 +392,7 @@ protected void doStart() throws Exception {
         rootRouter.get(PATH_LOGIN)
                 .handler(clientRequestParseHandler)
                 .handler(new LoginSocialAuthenticationHandler(identityProviderManager, jwtService, certificateManager))
+                .handler(redirectUriValidationHandler)
                 .handler(policyChainHandler.create(ExtensionPoint.PRE_LOGIN))
                 .handler(new LoginHideFormHandler(domain))
                 .handler(new LoginSelectionRuleHandler(false))
@@ -393,6 +401,7 @@ protected void doStart() throws Exception {
 
         rootRouter.post(PATH_LOGIN)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(botDetectionHandler)
                 .handler(loginAttemptHandler)
                 .handler(new LoginFormHandler(userAuthProvider))
@@ -454,10 +463,12 @@ protected void doStart() throws Exception {
         Handler<RoutingContext> mfaChallengeUserHandler = new MFAChallengeUserHandler(userService);
         rootRouter.route(PATH_MFA_ENROLL)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(localeHandler)
                 .handler(new MFAEnrollEndpoint(factorManager, thymeleafTemplateEngine, userService, domain, applicationContext));
         rootRouter.route(PATH_MFA_CHALLENGE)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(rememberDeviceSettingsHandler)
                 .handler(localeHandler)
                 .handler(mfaChallengeUserHandler)
@@ -466,11 +477,13 @@ protected void doStart() throws Exception {
                 .failureHandler(new MFAChallengeFailureHandler(authenticationFlowContextService));
         rootRouter.route(PATH_MFA_CHALLENGE_ALTERNATIVES)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(localeHandler)
                 .handler(mfaChallengeUserHandler)
                 .handler(new MFAChallengeAlternativesEndpoint(thymeleafTemplateEngine, factorManager, domain));
         rootRouter.route(PATH_MFA_RECOVERY_CODE)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(localeHandler)
                 .handler(new MFARecoveryCodeEndpoint(thymeleafTemplateEngine, domain, userService, factorManager, applicationContext));
 
@@ -479,11 +492,13 @@ protected void doStart() throws Exception {
         Handler<RoutingContext> webAuthnRememberDeviceHandler = new WebAuthnRememberDeviceHandler(webAuthnCookieService, domain);
         rootRouter.get(PATH_WEBAUTHN_REGISTER)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(webAuthnAccessHandler)
                 .handler(localeHandler)
                 .handler(new WebAuthnRegisterEndpoint(thymeleafTemplateEngine, domain, factorManager));
         rootRouter.post(PATH_WEBAUTHN_REGISTER)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(webAuthnAccessHandler)
                 .handler(new WebAuthnRegisterHandler(factorService, factorManager, domain, webAuthn, credentialService))
                 .handler(webAuthnRememberDeviceHandler)
@@ -497,13 +512,15 @@ protected void doStart() throws Exception {
                 .handler(new WebAuthnRegisterSuccessEndpoint(thymeleafTemplateEngine, credentialService, domain));
         rootRouter.get(PATH_WEBAUTHN_LOGIN)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(webAuthnAccessHandler)
                 .handler(new LoginSocialAuthenticationHandler(identityProviderManager, jwtService, certificateManager))
                 .handler(localeHandler)
                 .handler(new WebAuthnEnforcePasswordHandler(domain, webAuthnCookieService))
                 .handler(new WebAuthnLoginEndpoint(thymeleafTemplateEngine, domain, deviceIdentifierManager, userActivityService));
         rootRouter.post(PATH_WEBAUTHN_LOGIN)
                 .handler(clientRequestParseHandler)
+                .handler(redirectUriValidationHandler)
                 .handler(webAuthnAccessHandler)
                 .handler(new WebAuthnLoginHandler(factorService, factorManager, domain, webAuthn, credentialService, userAuthenticationManager))
                 .handler(userRememberMeHandler)

diff --git a/...avitee/am/gateway/handler/root/resources/handler/common/RedirectUriValidationHandler.java b/...avitee/am/gateway/handler/root/resources/handler/common/RedirectUriValidationHandler.java
@@ -0,0 +1,75 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.gravitee.am.gateway.handler.root.resources.handler.common;
+
+import io.gravitee.am.common.exception.oauth2.RedirectMismatchException;
+import io.gravitee.am.common.utils.ConstantKeys;
+import io.gravitee.am.gateway.handler.root.service.RedirectUriValidator;
+import io.gravitee.am.model.Domain;
+import io.gravitee.am.model.oidc.Client;
+import io.vertx.core.Handler;
+import io.vertx.reactivex.ext.web.RoutingContext;
+
+import java.util.List;
+
+import static io.gravitee.am.gateway.handler.root.resources.endpoint.ParamUtils.getOAuthParameter;
+import static io.gravitee.am.gateway.handler.root.resources.endpoint.ParamUtils.redirectMatches;
+
+/**
+ * The authorization server validates the request to ensure that all parameters are valid.
+ * If the request is valid, the authorization server authenticates the resource owner and obtains
+ * an authorization decision (by asking the resource owner or by establishing approval via other means).
+ *
+ * See <a href="https://tools.ietf.org/html/rfc6749#section-4.1.1">4.1.1. Authorization Request</a>
+ *
+ * This specific handler is checking the validity of the redirect_uri
+ *
+ * @author Eric LELEU (eric.leleu at graviteesource.com)
+ * @author GraviteeSource Team
+ */
+public class RedirectUriValidationHandler implements Handler<RoutingContext> {
+
+    private final Domain domain;
+    private final RedirectUriValidator redirectUriValidator;
+
+    public RedirectUriValidationHandler(Domain domain) {
+        this.domain = domain;
+        this.redirectUriValidator = new RedirectUriValidator();
+    }
+
+    @Override
+    public void handle(RoutingContext context) {
+        final Client client = context.get(ConstantKeys.CLIENT_CONTEXT_KEY);
+
+        // proceed redirect_uri parameter
+        parseRedirectUriParameter(context, client);
+
+        context.next();
+    }
+
+    private void parseRedirectUriParameter(RoutingContext context, Client client) {
+        String requestedRedirectUri = getOAuthParameter(context, io.gravitee.am.common.oauth2.Parameters.REDIRECT_URI);
+        redirectUriValidator.validate(client, requestedRedirectUri, this::checkMatchingRedirectUri);
+    }
+
+    private void checkMatchingRedirectUri(String requestedRedirect, List<String> registeredClientRedirectUris) {
+        if (registeredClientRedirectUris
+                .stream()
+                .noneMatch(registeredClientUri -> redirectMatches(requestedRedirect, registeredClientUri, this.domain.isRedirectUriStrictMatching() || this.domain.usePlainFapiProfile()))) {
+            throw new RedirectMismatchException(String.format("The redirect_uri [ %s ] MUST match the registered callback URL for this application", requestedRedirect));
+        }
+    }
+}
diff --git a/...-core/src/main/java/io/gravitee/am/gateway/handler/root/service/RedirectUriValidator.java b/...-core/src/main/java/io/gravitee/am/gateway/handler/root/service/RedirectUriValidator.java
@@ -0,0 +1,52 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.gravitee.am.gateway.handler.root.service;
+
+import io.gravitee.am.common.exception.oauth2.InvalidRequestException;
+import io.gravitee.am.model.oidc.Client;
+
+import java.util.List;
+import java.util.function.BiConsumer;
+
+/**
+ * @author Eric LELEU (eric.leleu at graviteesource.com)
+ * @author GraviteeSource Team
+ */
+public class RedirectUriValidator {
+    public void validate(Client client, String requestedRedirectUri, BiConsumer<String, List<String>> checkMethod) {
+        final List<String> registeredClientRedirectUris = client.getRedirectUris();
+        final boolean hasRegisteredClientRedirectUris = registeredClientRedirectUris != null && !registeredClientRedirectUris.isEmpty();
+        final boolean hasRequestedRedirectUri = requestedRedirectUri != null && !requestedRedirectUri.isEmpty();
+
+        // if no requested redirect_uri and no registered client redirect_uris
+        // throw invalid request exception
+        if (!hasRegisteredClientRedirectUris && !hasRequestedRedirectUri) {
+            throw new InvalidRequestException("A redirect_uri must be supplied");
+        }
+
+        // if no requested redirect_uri and more than one registered client redirect_uris
+        // throw invalid request exception
+        if (!hasRequestedRedirectUri && (registeredClientRedirectUris != null && registeredClientRedirectUris.size() > 1)) {
+            throw new InvalidRequestException("Unable to find suitable redirect_uri, a redirect_uri must be supplied");
+        }
+
+        // if requested redirect_uri doesn't match registered client redirect_uris
+        // throw redirect mismatch exception
+        if (hasRequestedRedirectUri && hasRegisteredClientRedirectUris) {
+            checkMethod.accept(requestedRedirectUri, registeredClientRedirectUris);
+        }
+    }
+}
diff --git a/...eway-handler-oidc/src/main/java/io/gravitee/am/gateway/handler/oauth2/OAuth2Provider.java b/...eway-handler-oidc/src/main/java/io/gravitee/am/gateway/handler/oauth2/OAuth2Provider.java
@@ -54,6 +54,7 @@
 import io.gravitee.am.gateway.handler.oidc.service.jwk.JWKService;
 import io.gravitee.am.gateway.handler.oidc.service.request.RequestObjectService;
 import io.gravitee.am.gateway.handler.root.resources.handler.LocaleHandler;
+import io.gravitee.am.gateway.handler.root.resources.handler.common.RedirectUriValidationHandler;
 import io.gravitee.am.model.Domain;
 import io.gravitee.am.service.AuthenticationFlowContextService;
 import io.gravitee.am.service.DeviceService;
@@ -237,6 +238,7 @@ private void initRouter() {
         xssHandler(oauth2Router);
 
         AuthenticationFlowContextHandler authenticationFlowContextHandler = new AuthenticationFlowContextHandler(authenticationFlowContextService, environment);
+        RedirectUriValidationHandler redirectUriValidationHandler = new RedirectUriValidationHandler(domain);
         Handler<RoutingContext> localeHandler = new LocaleHandler(messageResolver);
 
         // Authorization endpoint
@@ -252,6 +254,7 @@ private void initRouter() {
                 .handler(new AuthorizationRequestParseRequestObjectHandler(requestObjectService, domain, parService, authenticationFlowContextService))
                 .handler(new AuthorizationRequestParseIdTokenHintHandler(idTokenService))
                 .handler(new AuthorizationRequestParseParametersHandler(domain))
+                .handler(redirectUriValidationHandler)
                 .handler(new RiskAssessmentHandler(deviceService, userActivityService, vertx.eventBus(), objectMapper))
                 .handler(authenticationFlowHandler.create())
                 .handler(new AuthorizationRequestResolveHandler(scopeManager))
@@ -268,6 +271,7 @@ private void initRouter() {
                 .handler(authenticationFlowContextHandler)
                 .handler(new AuthorizationRequestParseRequestObjectHandler(requestObjectService, domain, parService, authenticationFlowContextService))
                 .handler(new AuthorizationRequestResolveHandler(scopeManager))
+                .handler(redirectUriValidationHandler)
                 .handler(userConsentPrepareContextHandler)
                 .handler(policyChainHandler.create(ExtensionPoint.PRE_CONSENT))
                 .handler(localeHandler)
@@ -278,6 +282,7 @@ private void initRouter() {
                 .handler(authenticationFlowContextHandler)
                 .handler(new AuthorizationRequestParseRequestObjectHandler(requestObjectService, domain, parService, authenticationFlowContextService))
                 .handler(new AuthorizationRequestResolveHandler(scopeManager))
+                .handler(redirectUriValidationHandler)
                 .handler(userConsentPrepareContextHandler)
                 .handler(new UserConsentProcessHandler(userConsentService, domain))
                 .handler(policyChainHandler.create(ExtensionPoint.POST_CONSENT))

diff --git a/...ay/handler/oauth2/resources/handler/authorization/AuthorizationRequestFailureHandler.java b/...ay/handler/oauth2/resources/handler/authorization/AuthorizationRequestFailureHandler.java
@@ -17,13 +17,13 @@
 
 import io.gravitee.am.common.exception.oauth2.InvalidRequestObjectException;
 import io.gravitee.am.common.exception.oauth2.OAuth2Exception;
+import io.gravitee.am.common.exception.oauth2.RedirectMismatchException;
 import io.gravitee.am.common.oauth2.Parameters;
 import io.gravitee.am.common.web.UriBuilder;
 import io.gravitee.am.gateway.handler.common.jwt.JWTService;
 import io.gravitee.am.common.utils.ConstantKeys;
 import io.gravitee.am.gateway.handler.common.vertx.utils.UriBuilderRequest;
 import io.gravitee.am.gateway.handler.oauth2.exception.JWTOAuth2Exception;
-import io.gravitee.am.gateway.handler.oauth2.exception.RedirectMismatchException;
 import io.gravitee.am.gateway.handler.oauth2.resources.request.AuthorizationRequestFactory;
 import io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest;
 import io.gravitee.am.gateway.handler.oauth2.service.response.OAuth2ErrorResponse;