
Unable to use port wildcard in redirect_uri (RFC 8252) #2030

Closed
denysvitali opened this issue Sep 19, 2022 · 4 comments · Fixed by #2035

Comments

@denysvitali

What version of UAA are you running?

curl -s https://xyz.swisscom.com/info -H 'Accept: application/json' | jq .app.version -r
75.18.0-scs.0

Not sure what's our difference from upstream, but it shouldn't matter as the issue seems to be in the latest commit from 76.0.0.

How are you deploying the UAA?

N/A

What did you do?

Tried to use the following:

WAYPOINT_URL="https://example.com"
cf create-service oidc-service-name nova \
  waypoint-v2-oidc \
  -c "
  {
    \"grantTypes\": [\"authorization_code\",\"refresh_token\"],
    \"redirectUris\": [
      \"$WAYPOINT_URL/**\",
      \"http://127.0.0.1:*/oidc/callback\"
    ]
  }"

What did you expect to see? What goal are you trying to achieve with the UAA?

Service creation successful, client_id and client_secret allow redirection to a dynamic port.

What did you see instead?

Following redirect uris are not valid:[http://127.0.0.1:*/oidc/callback], regex for valid redirect uri: ^([a-zA-Z][a-zA-Z0-9+\*\-.]*)://(.*:.*@)?(([a-zA-Z0-9\-\*\_]+\.)*[a-zA-Z0-9\-\_]+\.)?[a-zA-Z0-9\-]+(:[0-9]+)?(/.*|$). Example:
{
  "grant_types" : [ "authorization_code", "refresh_token" ],
  "redirect_uris" : [ "https://www.example.com/*", "https://www.example2.com/**" ],
  "access_token_validity" : 720
}

Given:
{
  "grantTypes" : [ "authorization_code", "refresh_token" ],
  "redirectUris" : [ "https://example.com/**", "http://127.0.0.1:*/oidc/callback" ]
}

Additional Notes

This seems to be related to this PR: #1140. I'm wondering if this functionality ever worked, but there are some tests related to this:
https://github.com/cloudfoundry/uaa/blob/76.0.0/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/beans/LegacyRedirectResolverTest.java#L614-L618

The regular expression clearly fails at (:[0-9]+)?.

This causes an issue with Waypoint (and really any other application running locally) as it's not possible to allocate a dynamic port, see:

As pointed out by @evanphx this is a violation of RFC 8252 - 7.3 - Loopback Interface Redirection.
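As an added example (not code from this issue or from the UAA project): the validation regex quoted in the error above, run against both URI forms, next to a small RFC 8252 section 7.3 style matcher that accepts a dynamic port only when the registered host is a loopback IP literal. The function names, and the rule that the runtime URI must carry an explicit numeric port, are my assumptions.

```python
import re
from urllib.parse import urlsplit

# The validation regex quoted in the UAA error message above (copied verbatim).
UAA_LEGACY_REGEX = re.compile(
    r"^([a-zA-Z][a-zA-Z0-9+\*\-.]*)://(.*:.*@)?"
    r"(([a-zA-Z0-9\-\*\_]+\.)*[a-zA-Z0-9\-\_]+\.)?[a-zA-Z0-9\-]+(:[0-9]+)?(/.*|$)"
)

# Loopback IP literals named by RFC 8252 section 7.3. "localhost" is deliberately
# absent: the RFC recommends the IP literals, not the hostname.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def passes_legacy_regex(uri: str) -> bool:
    """True if the regex from the error message accepts this registered URI."""
    return UAA_LEGACY_REGEX.fullmatch(uri) is not None


def _split_host_port(netloc: str):
    """Split netloc into (host, port_text) without choking on a '*' port."""
    if netloc.startswith("["):                      # bracketed IPv6 literal
        host, _, rest = netloc[1:].partition("]")
        return host.lower(), (rest[1:] if rest.startswith(":") else None)
    host, sep, port = netloc.rpartition(":")
    return (host.lower(), port) if sep else (netloc.lower(), None)


def redirect_uri_allowed(registered: str, actual: str) -> bool:
    """Exact-match comparison with the single relaxation RFC 8252 permits:
    when the registered host is a loopback IP literal over http, any port is
    accepted. Scheme, host, path and query must still match exactly."""
    reg, act = urlsplit(registered), urlsplit(actual)
    reg_host, reg_port = _split_host_port(reg.netloc)
    act_host, act_port = _split_host_port(act.netloc)
    if (reg.scheme, reg_host, reg.path, reg.query) != (act.scheme, act_host, act.path, act.query):
        return False
    if reg.scheme == "http" and reg_host in LOOPBACK_HOSTS:
        # Assumption: the runtime URI must carry an explicit, valid numeric port.
        return act_port is not None and act_port.isdigit() and 0 < int(act_port) < 65536
    return reg_port == act_port                     # everything else: port must match
```

Note that with this matcher `http://localhost:*/...` stays rejected, which is the conservative reading of the RFC's advice to register the IP literal rather than the hostname.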

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/183316069

The labels on this github issue will be updated when the story is started.

@strehle
Member

strehle commented Sep 20, 2022

I will check your issue.
How do you create the entry http://127.0.0.1:*/oidc/callback? Meaning via REST call, e.g. uaac, or did you define it in uaa.yml for your client?

@denysvitali
Author

denysvitali commented Sep 20, 2022

Honestly, no clue. We have a Cloud Foundry service broker that takes the JSON as an input and creates the client credentials for us.
I assume that in turn this makes a REST call to UAA, but I really don't know.

Maybe @JamesClonk can share more as it's more of his area.

@strehle strehle linked a pull request Sep 22, 2022 that will close this issue
@strehle
Member

strehle commented Sep 22, 2022

Ok, so the support was given until https://github.com/cloudfoundry/uaa/releases/tag/v75.21.0 because with the spring included in spring boot 2.6.x we could pass such URIs simply to spring.
With the change to 2.7.x this was broken and in the beginning we simply changed the test, e.g. 9643cdd,
so with #2035 this http://127.0.0.1:*/oidc/callback support should be back again.

@strehle strehle added this to the 76.1.0 milestone Sep 22, 2022
@strehle strehle added bug and removed unscheduled labels Sep 22, 2022
@cf-gitbot cf-gitbot added delivered accepted Accepted the issue and removed delivered labels Jun 23, 2023