root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Polish postLogoutRedirectUri encoding 

Issue gh-9511
This commit is contained in:
Josh Cummings 2021-05-26 12:19:54 -06:00
parent b671a96073
commit 65ecaa0c28
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandler.java
View File

@ -67,7 +67,7 @@ public final class OidcClientInitiatedLogoutSuccessHandler extends SimpleUrlLogo
URI endSessionEndpoint = this.endSessionEndpoint(clientRegistration); URI endSessionEndpoint = this.endSessionEndpoint(clientRegistration);
if (endSessionEndpoint != null) { if (endSessionEndpoint != null) {
String idToken = idToken(authentication); String idToken = idToken(authentication);
URI postLogoutRedirectUri = postLogoutRedirectUri(request); String postLogoutRedirectUri = postLogoutRedirectUri(request);
targetUrl = endpointUri(endSessionEndpoint, idToken, postLogoutRedirectUri); targetUrl = endpointUri(endSessionEndpoint, idToken, postLogoutRedirectUri);
} }
} }
@ -89,7 +89,7 @@ public final class OidcClientInitiatedLogoutSuccessHandler extends SimpleUrlLogo
return ((OidcUser) authentication.getPrincipal()).getIdToken().getTokenValue(); return ((OidcUser) authentication.getPrincipal()).getIdToken().getTokenValue();
} }
private URI postLogoutRedirectUri(HttpServletRequest request) { private String postLogoutRedirectUri(HttpServletRequest request) {
if (this.postLogoutRedirectUri == null) { if (this.postLogoutRedirectUri == null) {
return null; return null;
} }
@ -100,13 +100,13 @@ public final class OidcClientInitiatedLogoutSuccessHandler extends SimpleUrlLogo
.replaceQuery(null) .replaceQuery(null)
.fragment(null) .fragment(null)
.build(); .build();
return URI.create (UriComponentsBuilder.fromUriString(this.postLogoutRedirectUri) return UriComponentsBuilder.fromUriString(this.postLogoutRedirectUri)
.buildAndExpand(Collections.singletonMap("baseUrl", uriComponents.toUriString())) .buildAndExpand(Collections.singletonMap("baseUrl", uriComponents.toUriString()))
.toUriString()); .toUriString();
// @formatter:on // @formatter:on
} }
private String endpointUri(URI endSessionEndpoint, String idToken, URI postLogoutRedirectUri) { private String endpointUri(URI endSessionEndpoint, String idToken, String postLogoutRedirectUri) {
UriComponentsBuilder builder = UriComponentsBuilder.fromUri(endSessionEndpoint); UriComponentsBuilder builder = UriComponentsBuilder.fromUri(endSessionEndpoint);
builder.queryParam("id_token_hint", idToken); builder.queryParam("id_token_hint", idToken);
if (postLogoutRedirectUri != null) { if (postLogoutRedirectUri != null) {

8
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/web/logout/OidcClientInitiatedLogoutSuccessHandlerTests.java
View File

@ -138,15 +138,17 @@ public class OidcClientInitiatedLogoutSuccessHandlerTests {
"https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org"); "https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org");
} }
// gh-9511
@Test @Test
public void logoutWhenUsingPostLogoutRedirectUriWithQueryParametersThenBuildItForRedirectWithEncodedQueryParameters() throws IOException, ServletException { public void logoutWhenUsingPostLogoutRedirectUriWithQueryParametersThenBuildsItForRedirect()
throws IOException, ServletException {
OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(TestOidcUsers.create(), OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(TestOidcUsers.create(),
AuthorityUtils.NO_AUTHORITIES, this.registration.getRegistrationId()); AuthorityUtils.NO_AUTHORITIES, this.registration.getRegistrationId());
this.handler.setPostLogoutRedirectUri("https://rp.example.org/context?forwardUrl=secured%3Fparam%3Dtrue"); this.handler.setPostLogoutRedirectUri("https://rp.example.org/context?forwardUrl=secured%3Fparam%3Dtrue");
this.request.setUserPrincipal(token); this.request.setUserPrincipal(token);
this.handler.onLogoutSuccess(this.request, this.response, token); this.handler.onLogoutSuccess(this.request, this.response, token);
assertThat(this.response.getRedirectedUrl()).isEqualTo( assertThat(this.response.getRedirectedUrl()).isEqualTo("https://endpoint?id_token_hint=id-token&"
"https://endpoint?" + "id_token_hint=id-token&" + "post_logout_redirect_uri=https://rp.example.org/context?forwardUrl%3Dsecured%253Fparam%253Dtrue"); + "post_logout_redirect_uri=https://rp.example.org/context?forwardUrl%3Dsecured%253Fparam%253Dtrue");
} }
@Test @Test