-
Notifications
You must be signed in to change notification settings - Fork 4.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
identity/oidc: loopback redirect dynamic port (#13871)
* Add check for OIDC provider to permit a non-exact redirect URI from OIDC client if it is the IPv4 or IPv6 loopback address. * Update changelog/13871.txt Co-authored-by: Austin Gebauer <[email protected]> * Update redirectURI check to match that for the OIDC auth method. Co-authored-by: Austin Gebauer <[email protected]>
- Loading branch information
1 parent
9f51f35
commit 8b09873
Showing
3 changed files
with
43 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| ```release-note:bug | ||
| identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| package vault | ||
|
|
||
| import ( | ||
| "net/url" | ||
|
|
||
| "github.com/hashicorp/go-secure-stdlib/strutil" | ||
| ) | ||
|
|
||
| // validRedirect checks whether uri is in allowed using special handling for loopback uris. | ||
| // Ref: https://tools.ietf.org/html/rfc8252#section-7.3 | ||
| func validRedirect(uri string, allowed []string) bool { | ||
| inputURI, err := url.Parse(uri) | ||
| if err != nil { | ||
| return false | ||
| } | ||
|
|
||
| // if uri isn't a loopback, just string search the allowed list | ||
| if !strutil.StrListContains([]string{"localhost", "127.0.0.1", "::1"}, inputURI.Hostname()) { | ||
| return strutil.StrListContains(allowed, uri) | ||
| } | ||
|
|
||
| // otherwise, search for a match in a port-agnostic manner, per the OAuth RFC. | ||
| inputURI.Host = inputURI.Hostname() | ||
|
|
||
| for _, a := range allowed { | ||
| allowedURI, err := url.Parse(a) | ||
| if err != nil { | ||
| return false | ||
| } | ||
| allowedURI.Host = allowedURI.Hostname() | ||
|
|
||
| if inputURI.String() == allowedURI.String() { | ||
| return true | ||
| } | ||
| } | ||
|
|
||
| return false | ||
| } |