more permissive issuer validation
sdelamo committed Nov 27, 2024
1 parent 55f14dc commit 902160e
Showing 2 changed files with 38 additions and 2 deletions.
Expand Up @@ -53,6 +53,9 @@
public class IdTokenClaimsValidator<T> implements GenericJwtClaimsValidator<T> {
protected static final Logger LOG = LoggerFactory.getLogger(IdTokenClaimsValidator.class);
protected static final String AUTHORIZED_PARTY = "azp";
private static final String HTTP = "http://";
private static final String HTTPS = "https://";
private static final String EMPTY = "";

protected final Collection<OauthClientConfiguration> oauthClientConfigurations;

Expand Down Expand Up @@ -204,7 +207,7 @@ protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims,
boolean matchesIssuer = matchesIssuer(openIdClientConfiguration, iss).orElse(false);
if (!matchesIssuer) {
if (LOG.isDebugEnabled()) {
LOG.debug("configuration issuer '{}' does not match claim issuer '{}'", openIdClientConfiguration.getIssuer().map(URL::toString).orElse(""), iss);
LOG.debug("configuration issuer '{}' does not match claim issuer '{}'", openIdClientConfiguration.getIssuer().map(URL::toString).orElse(EMPTY), iss);
}
return false;
}
Expand Down Expand Up @@ -235,9 +238,16 @@ protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims,
@NonNull
protected Optional<Boolean> matchesIssuer(@NonNull OpenIdClientConfiguration openIdClientConfiguration,
@NonNull String iss) {
String issWithoutProtocol = removeProtocol(iss);
return openIdClientConfiguration.getIssuer()
.map(URL::toString)
.map(issuer -> issuer.equalsIgnoreCase(iss));
.map(IdTokenClaimsValidator::removeProtocol)
.map(issuer -> issuer.endsWith(issWithoutProtocol));
}

private static String removeProtocol(String iss) {
return iss.replace(HTTP, EMPTY)
.replace(HTTPS, EMPTY);
}

/**
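Review bot: The suffix test `issuer.endsWith(issWithoutProtocol)` in `matchesIssuer` accepts any `iss` claim that is a trailing substring of the configured issuer, so besides the intended `identity.oraclecloud.com` case a token carrying `oraclecloud.com`, `com`, or an empty `iss` (`endsWith("")` is always true) also passes; because `iss` is taken from the token, the match should not be looser than a DNS-label boundary. I would reject a blank claim and require either an exact match or that the configured issuer end with `"." + claim`, keeping the case-insensitive comparison that the replaced `equalsIgnoreCase` line provided. `removeProtocol` should also strip only a leading scheme: `replace` removes `http://` wherever it appears in the value and does not strip an upper-case scheme. Whether a signature check elsewhere in the validator independently binds the token to the configured provider is outside this hunk, so the suffix check is the only issuer control visible here. The rewrite below uses `java.util.Locale`, which needs an import.

```java
@NonNull
protected Optional<Boolean> matchesIssuer(@NonNull OpenIdClientConfiguration openIdClientConfiguration,
                                          @NonNull String iss) {
    String claimIssuer = removeProtocol(iss);
    if (claimIssuer.isBlank()) {
        // an empty claim would otherwise satisfy any endsWith() check
        return Optional.of(false);
    }
    return openIdClientConfiguration.getIssuer()
        .map(URL::toString)
        .map(IdTokenClaimsValidator::removeProtocol)
        .map(issuer -> issuer.equalsIgnoreCase(claimIssuer)
            || issuer.toLowerCase(Locale.ROOT).endsWith("." + claimIssuer.toLowerCase(Locale.ROOT)));
}

private static String removeProtocol(String iss) {
    // strip only a leading scheme; replace() would also remove the substring mid-string
    if (iss.regionMatches(true, 0, HTTPS, 0, HTTPS.length())) {
        return iss.substring(HTTPS.length());
    }
    if (iss.regionMatches(true, 0, HTTP, 0, HTTP.length())) {
        return iss.substring(HTTP.length());
    }
    return iss;
}
```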
@@ -1,11 +1,37 @@
package io.micronaut.security.oauth2.client

import io.micronaut.security.oauth2.configuration.OauthClientConfiguration
import io.micronaut.security.oauth2.configuration.OauthClientConfigurationProperties
import io.micronaut.security.testutils.ApplicationContextSpecification
import spock.lang.Unroll

class IdTokenClaimsValidatorSpec extends ApplicationContextSpecification {

void "by default no bean of type IdTokenClaimsValidator exists"() {
expect:
!applicationContext.containsBean(IdTokenClaimsValidator)
}

@Unroll
void "issuer IdTokenClaimsValidator"(String configIss, String iss) {
given:
def oauthClientConfiguration = new OauthClientConfigurationProperties("oci");
def openId = new OauthClientConfigurationProperties.OpenIdClientConfigurationProperties("oci");
openId.setIssuer(new URL(configIss))
oauthClientConfiguration.setOpenid(openId)
List<OauthClientConfiguration> l = List.of(oauthClientConfiguration)
IdTokenClaimsValidator claimsValidator = new IdTokenClaimsValidator(List.of(l))

when:
Optional<Boolean> validation = claimsValidator.matchesIssuer(openId, iss)

then:
validation.isPresent()
validation.get() == true

where:
configIss | iss
"https://idcs-227ebfb7094445cc5a3fbc0faa1fe87b.identity.oraclecloud.com" | "https://identity.oraclecloud.com"
"https://identity.oraclecloud.com" | "https://identity.oraclecloud.com"
}
}
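Review bot: `new IdTokenClaimsValidator(List.of(l))` wraps the already-built list `l` a second time, so the validator is constructed with a `List<List<OauthClientConfiguration>>`; Groovy's dynamic dispatch lets this compile and `matchesIssuer` never reads the collection, which is why the spec still passes, but it should read `IdTokenClaimsValidator claimsValidator = new IdTokenClaimsValidator(l)`. The `where:` table only holds rows that must match, so the relaxed suffix matching introduced in the main class has no test pinning what it must reject; add an `expected` column (`validation.get() == expected`) with at least one unrelated issuer, e.g. the constructed row `"https://identity.oraclecloud.com" | "https://idp.example.test" | false`, and ideally a row with a bare parent domain such as `"https://oraclecloud.com"` whose expected value documents the intended boundary. `validation.get() == true` can be shortened to `validation.get()`.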
