I am replacing an existing application that currently uses the now deprecated spring-security-oauth2 with the new spring-authorization-server.
At OAuth2AuthorizationCodeRequestAuthenticationValidator, there is logic implemented to perform exact matching of the redirect URI as per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-22#section-4.1.3 :
    private static void validateRedirectUri(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        ...
        if (!isLoopbackAddress(requestedRedirect.getHost())) {
            // As per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-22#section-4.1.3
            // When comparing client redirect URIs against pre-registered URIs,
            // authorization servers MUST utilize exact string matching.
            if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
                throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI,
                        authorizationCodeRequestAuthentication, registeredClient);
            }
        }
    }
The problem is, the current clients always send a redirect URI that contains query parameters, where the query parameters are variable.
So I need to override the redirect URI validation to perform "starts-with matching" instead of "exact matching", but I can't figure out how to do it. Any suggestions on how to go about it?
Yes, I understand this is against the guidance. These are all internal-only applications.
After re-reading the spec, these supposed-to-be query parameters should be stored in the state parameter instead.
https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2.2
The authorization server SHOULD require the client to provide the complete redirection URI (the client MAY use the "state" request parameter to achieve per-request customization).
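As an added example (not code from the question or from Spring Authorization Server), this is a client-side helper that carries the per-request values in a signed state value instead of in redirect_uri, so the registered URI stays an exact match. The HMAC key, the "_nonce" field name and the "payload.signature" layout are assumptions of this example.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
/** Per-request data travels in "state" (RFC 6749 section 3.1.2.2) so redirect_uri can stay an exact match. */
public final class OAuthState {
    private static final SecureRandom RANDOM = new SecureRandom();
    private final byte[] key; // HMAC key; assumption: loaded from client configuration in practice
    public OAuthState(byte[] key) { this.key = key.clone(); }
    /** state = base64url(payload) "." base64url(HMAC-SHA256(payload)), payload = nonce + params. */
    public String create(Map<String, String> params) {
        byte[] nonce = new byte[16];
        RANDOM.nextBytes(nonce); // store this nonce in the user's session too and compare on callback
        StringBuilder payload = new StringBuilder("_nonce=").append(b64(nonce));
        for (Map.Entry<String, String> e : params.entrySet())
            payload.append('&').append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        byte[] p = payload.toString().getBytes(StandardCharsets.UTF_8);
        return b64(p) + "." + b64(hmac(p));
    }
    /** Verifies the state echoed back by the authorization server; null means tampered or malformed. */
    public Map<String, String> verify(String state) {
        int dot = state.indexOf('.');
        if (dot < 0) return null;
        byte[] p, sig;
        try {
            p = Base64.getUrlDecoder().decode(state.substring(0, dot));
            sig = Base64.getUrlDecoder().decode(state.substring(dot + 1));
        } catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(hmac(p), sig)) return null; // constant-time comparison
        Map<String, String> out = new LinkedHashMap<>();
        for (String kv : new String(p, StandardCharsets.UTF_8).split("&")) {
            int eq = kv.indexOf('=');
            if (eq > 0) out.put(dec(kv.substring(0, eq)), dec(kv.substring(eq + 1)));
        }
        return out; // caller checks out.get("_nonce") against the session before trusting the rest
    }
    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    private static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
}
```

The client registers one fixed redirect URI, sends create(params) as the state parameter, and on the callback calls verify(state) and compares the recovered _nonce with the value kept in the session before using the rest.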