This repository has been archived by the owner on Sep 10, 2024. It is now read-only.

invalid_redirect_uri error raised by POST /oauth2/registration doesn't explain which policy was violated #3036

Open
Half-Shot opened this issue Jul 31, 2024 · 3 comments

Comments

@Half-Shot
Contributor

It wasn't clear to me that I couldn't set a localhost URL for the registration request URIs because it's forbidden in

pub(crate) async fn post(
    mut rng: BoxRng,
    clock: BoxClock,
    mut repo: BoxRepository,
    mut policy: Policy,
    State(encrypter): State<Encrypter>,
    body: Result<Json<ClientMetadata>, axum::extract::rejection::JsonRejection>,
) -> Result<impl IntoResponse, RouteError> {
    // Propagate any JSON extraction error
    let Json(body) = body?;

    info!(?body, "Client registration");

    // Validate the body
    let metadata = body.validate()?;

    // Some extra validation that is hard to do in OPA and not done by the
    // `validate` method either
    if let Some(client_uri) = &metadata.client_uri {
        if localised_url_has_public_suffix(client_uri) {
            return Err(RouteError::UrlIsPublicSuffix("client_uri"));
        }
    }

    if let Some(logo_uri) = &metadata.logo_uri {
        if localised_url_has_public_suffix(logo_uri) {
            return Err(RouteError::UrlIsPublicSuffix("logo_uri"));
        }
    }

    if let Some(policy_uri) = &metadata.policy_uri {
        if localised_url_has_public_suffix(policy_uri) {
            return Err(RouteError::UrlIsPublicSuffix("policy_uri"));
        }
    }

    if let Some(tos_uri) = &metadata.tos_uri {
        if localised_url_has_public_suffix(tos_uri) {
            return Err(RouteError::UrlIsPublicSuffix("tos_uri"));
        }
    }

    if let Some(initiate_login_uri) = &metadata.initiate_login_uri {
        if host_is_public_suffix(initiate_login_uri) {
            return Err(RouteError::UrlIsPublicSuffix("initiate_login_uri"));
        }
    }

    for redirect_uri in metadata.redirect_uris() {
        if host_is_public_suffix(redirect_uri) {
            return Err(RouteError::UrlIsPublicSuffix("redirect_uri"));
        }
    }

The error is super vague though, and could do with some explanation (or at least a log line).
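As an added illustration of the kind of error reporting this issue asks for (example code, not from matrix-authentication-service): each URI policy failure names the field, the offending value and the rule that rejected it. `PUBLIC_SUFFIXES` is a constructed stand-in for a real public-suffix list, and `host_of` is a deliberately minimal std-only host extractor (assumptions of this example; the project uses a full URL parser and PSL).

```rust
use std::fmt;

// Constructed stand-in for the public-suffix list (assumption for this example).
const PUBLIC_SUFFIXES: &[&str] = &["com", "co.uk", "github.io"];

#[derive(Debug, PartialEq)]
pub enum UriPolicyError {
    MissingScheme { field: &'static str, uri: String },
    HasFragment { field: &'static str, uri: String },
    HostIsPublicSuffix { field: &'static str, host: String },
}

impl fmt::Display for UriPolicyError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::MissingScheme { field, uri } => write!(f, "{}: {:?} has no scheme", field, uri),
            Self::HasFragment { field, uri } => write!(f, "{}: {:?} must not contain a fragment", field, uri),
            Self::HostIsPublicSuffix { field, host } => write!(f, "{}: host {:?} is a bare public suffix", field, host),
        }
    }
}

// Minimal host extraction (no IPv6 bracket handling); returns None without a scheme.
fn host_of(uri: &str) -> Option<&str> {
    let rest = uri.split_once("://")?.1;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let host = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    host.split(':').next()
}

// Check one URI field; the error carries enough context to explain the rejection.
pub fn validate_uri(field: &'static str, uri: &str) -> Result<(), UriPolicyError> {
    let host = host_of(uri).ok_or_else(|| UriPolicyError::MissingScheme { field, uri: uri.to_string() })?;
    if uri.contains('#') {
        return Err(UriPolicyError::HasFragment { field, uri: uri.to_string() });
    }
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if PUBLIC_SUFFIXES.iter().any(|s| *s == host) {
        return Err(UriPolicyError::HostIsPublicSuffix { field, host });
    }
    Ok(())
}

// Validate every redirect_uri, surfacing the first failure as a readable message.
pub fn validate_redirect_uris(uris: &[&str]) -> Result<(), String> {
    for uri in uris {
        validate_uri("redirect_uri", uri).map_err(|e| e.to_string())?;
    }
    Ok(())
}
```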

@Half-Shot
Contributor Author

I'm not actually sure that was the policy that was violated tbh, but still, something is up 🤔

@dklimpel
Contributor

I have the same problem with /authorise. I always get invalid redirect uri and do not know what is wrong.

Even if you have not entered the redirect url you get misleading error messages:

  • Browser: "Redirect URI can’t have a fragment"
  • Application Log: invalid parameters

@matrixbot
Member

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: element-hq/matrix-authentication-service#3036
