luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

identity/oidc: loopback redirect dynamic port (#13871) 

* Add check for OIDC provider to permit a non-exact redirect URI from OIDC client if it is the IPv4 or IPv6 loopback address.

* Update changelog/13871.txt

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update redirectURI check to match that for the OIDC auth method.

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
This commit is contained in:
Joe 2022-02-07 13:34:33 -05:00 committed by GitHub
parent f85945d3aa
commit 8d169d48d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/13871.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs.
```

3
vault/identity_store_oidc_provider.go
View File

@ -1513,7 +1513,8 @@ func (i *IdentityStore) pathOIDCAuthorize(ctx context.Context, req *logical.Requ
if redirectURI == "" { if redirectURI == "" {
return authResponse("", state, ErrAuthInvalidRequest, "redirect_uri parameter is required") return authResponse("", state, ErrAuthInvalidRequest, "redirect_uri parameter is required")
} }
if !strutil.StrListContains(client.RedirectURIs, redirectURI) {
if !validRedirect(redirectURI, client.RedirectURIs) {
return authResponse("", state, ErrAuthInvalidRedirectURI, "redirect_uri is not allowed for the client") return authResponse("", state, ErrAuthInvalidRedirectURI, "redirect_uri is not allowed for the client")
} }

38
vault/identity_store_oidc_provider_util.go Normal file
View File

@ -0,0 +1,38 @@
package vault
import (
"net/url"
"github.com/hashicorp/go-secure-stdlib/strutil"
)
// validRedirect checks whether uri is in allowed using special handling for loopback uris.
// Ref: https://tools.ietf.org/html/rfc8252#section-7.3
func validRedirect(uri string, allowed []string) bool {
inputURI, err := url.Parse(uri)
if err != nil {
return false
}
// if uri isn't a loopback, just string search the allowed list
if !strutil.StrListContains([]string{"localhost", "127.0.0.1", "::1"}, inputURI.Hostname()) {
return strutil.StrListContains(allowed, uri)
}
// otherwise, search for a match in a port-agnostic manner, per the OAuth RFC.
inputURI.Host = inputURI.Hostname()
for _, a := range allowed {
allowedURI, err := url.Parse(a)
if err != nil {
return false
}
allowedURI.Host = allowedURI.Hostname()
if inputURI.String() == allowedURI.String() {
return true
}
}
return false
}